It is less than 2 weeks since the “Memcached” reflection/amplification vulnerability became widely known and DDoS attackers began exploiting unprotected Memcached servers to launch massive denial-of-service attacks against target organizations.
The record for the largest DDoS attack ever reported has been broken twice in the last week. The bar was raised from ~800Gbps (DYN in October 2016) to 1.34Tbps (GitHub) and upwards to 1.7Tbps (undisclosed US Service Provider). These attacks have understandably been the focus of mainstream news headlines. At Corero, we’ve also seen a surge in these larger DDoS attacks; all of them have been amplified by the Memcached vector.
Last week, our Corero SecureWatch® Team released a Threat Advisory after seeing a steady ramp in reflective Memcached attacks (Reflective UDP on port 11211). This exploit uses a reflective method in which the attacker makes a spoofed request (where the source IP address is that of the intended victim) to a Memcached server, which then replies to the victim with a large response. Amplification factors of 50,000 times are believed to be possible using this exploit.
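Seen from the receiving network, the reflected traffic described above arrives as UDP packets whose source port is 11211, sent by many different servers to one destination. The following is an added detection sketch, not Corero's code or part of the advisory; the flow-record layout, the thresholds and the sample addresses (documentation ranges) are constructed assumptions.

```python
from collections import defaultdict

MEMCACHED_PORT = 11211  # UDP port named in the advisory

# Constructed sample flow records (not real traffic):
# (epoch_second, protocol, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    (1000, "udp", "198.51.100.1", 11211, "203.0.113.10", 40001, 700_000),
    (1001, "udp", "198.51.100.2", 11211, "203.0.113.10", 40001, 650_000),
    (1002, "udp", "192.0.2.53", 53, "203.0.113.10", 5353, 512),        # DNS reply
    (1003, "udp", "198.51.100.3", 11211, "203.0.113.10", 40001, 720_000),
    (1004, "udp", "198.51.100.1", 11211, "203.0.113.10", 40001, 690_000),
    (1005, "tcp", "192.0.2.20", 11211, "203.0.113.77", 51000, 900_000),  # TCP, not the vector
    (1006, "udp", "192.0.2.20", 11211, "203.0.113.77", 51000, 1_400),    # one small UDP reply
]


def find_reflection_victims(flows, window=10, min_bytes=1_000_000, min_reflectors=3):
    """Flag destinations that receive heavy UDP traffic *from* source port 11211.

    Traffic is grouped per destination and per time window (seconds). A
    destination is reported only when both the byte volume and the number of
    distinct responding servers reach the (assumed) thresholds.
    """
    buckets = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for ts, proto, src, sport, dst, _dport, nbytes in flows:
        # Reflected responses come from the Memcached UDP service port.
        if proto != "udp" or sport != MEMCACHED_PORT:
            continue
        agg = buckets[(dst, ts // window)]
        agg["bytes"] += nbytes
        agg["reflectors"].add(src)

    alerts = []
    for (dst, win), agg in sorted(buckets.items()):
        if agg["bytes"] >= min_bytes and len(agg["reflectors"]) >= min_reflectors:
            alerts.append({
                "victim": dst,
                "window_start": win * window,
                "bytes": agg["bytes"],
                "reflectors": sorted(agg["reflectors"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_reflection_victims(SAMPLE_FLOWS):
        print(alert)
```

Requiring several distinct source servers keeps a single legitimate Memcached reply over UDP from raising an alert.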
Corero’s advisory coincided with the delivery of “zero day” protection to SmartWall® customers, which detects and mitigates these attacks in less than 2 seconds. In contrast, the GitHub attack reportedly took around 10 minutes to mitigate. Undoubtedly, this meant that GitHub’s service was disrupted, risking reputational damage.