They say you can’t teach an old dog new tricks, but it would seem this saying only rings true when it comes to actual dogs. As a metaphor for any other type of old guard it tends to fall apart. There’s a reason the old guard is the old guard, and it’s because they’re good at what they do.
Take professional DDoS attackers, for example. They were content to wait out the DDoS-for-hire trend, maybe even making some money renting out their own botnets. But as the websites and businesses of the world grew accustomed to the short-burst, low-volume attacks limping forth from these for-hire services, the old pros saw a window of opportunity flung open, and oh, how they’ve capitalized. The old dogs are back, and they’ve got a new trick.
A Tale As Old As The Internet
“What is a DDoS?” is a question that has been asked and answered for decades: a DDoS, or distributed denial of service attack, is one that uses a botnet of malware-infected devices to smash a target server or network with malicious requests or traffic, with the end goal of bringing down the website or service, or at least degrading its performance so much that it can’t be used.
A trend towards absolutely massive DDoS attacks appeared at the end of 2016 as the Mirai IoT botnet – composed of hundreds of thousands of infected devices – went to work breaking every biggest-attack-in-history record. When word got out that the Mirai records themselves had been smashed at the beginning of 2018, many were quick to assume that the IoT botnets were at it again. However, it was not so. Thanks to the ingenuity of professional attackers, remote control over hundreds of thousands of devices is no longer necessary to launch an attack of an absolutely staggering size.
As with many types of DDoS attacks, this new variety begins with a tool designed to help the internet run smoothly and efficiently. Memcached servers are cache servers that store tremendous amounts of data from a tremendous number of websites in order to minimize the number of times a website’s external data source, such as a database, needs to be read. Memcached servers are free, open-source, and very popular.
From the perspective of a website or business owner, Memcached servers are excellent tools for improving website performance while minimizing strain on a website’s own servers. From a DDoS attacker’s perspective, Memcached servers are excellent tools for unleashing huge amounts of data.
Not so well-served
Many public-facing Memcached servers listen on port 11211 by default, and because they accept requests over UDP, attackers can spoof the IP of their intended target and send these servers requests for statistics. Each server then returns a message to the target so enormous in size that it has the potential to cause a DDoS attack on its own. With multiple spoofed requests, the return only gets larger.
This is what’s called a distributed denial of service amplification vector: attackers get a huge, or amplified, return (the message with Memcached statistics) on their relatively small effort (the request for statistics). As far as new tricks go, Memcached attacks are by far the biggest amplification vector currently available. NTP attacks, which are known for their amplification capabilities, ring up an amplification factor of 557 times the original payload. Memcached attacks? An amplification factor anywhere from 9,000 to 51,000. This is what has allowed attackers to unleash a 1.35 Tbps attack on GitHub, and a 1.7 Tbps attack on a target that has gone unnamed.
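From the defender’s side, the tell-tale sign of this vector is unsolicited, high-volume UDP traffic whose source port is 11211 arriving at a single victim from many reflectors. The following detector, added here as an example and not part of the original article, groups constructed flow records (the CSV-style format, the sample addresses and the thresholds are all assumptions) by victim and flags the ones that look like reflected Memcached statistics responses.

```python
"""Flag likely Memcached amplification (reflected UDP from port 11211) in flow records."""
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed sample flow records (not real traffic), one per line:
# proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
SAMPLE_FLOWS = """\
udp,198.51.100.10,11211,203.0.113.5,41234,4000,5600000
udp,198.51.100.11,11211,203.0.113.5,41234,3500,4900000
udp,198.51.100.12,11211,203.0.113.9,41234,2,600
tcp,198.51.100.20,11211,203.0.113.5,51000,20,30000
udp,192.0.2.7,53,203.0.113.5,33000,10,5000
"""


def parse_flows(text):
    """Parse the assumed CSV-style flow format into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, sip, sport, dip, dport, pkts, nbytes = line.split(",")
        flows.append({"proto": proto, "src_ip": sip, "src_port": int(sport),
                      "dst_ip": dip, "dst_port": int(dport),
                      "packets": int(pkts), "bytes": int(nbytes)})
    return flows


def memcached_reflection_suspects(flows, min_avg_bytes=1000, min_total_bytes=1_000_000):
    """Group inbound UDP flows whose SOURCE port is 11211 by destination (victim).
    A host that never queried Memcached should not receive UDP from that port at all;
    large average packet size plus high total volume marks reflected stats responses.
    TCP flows are ignored: the amplification vector described above is UDP-only."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] != MEMCACHED_PORT:
            continue
        v = per_victim[f["dst_ip"]]
        v["reflectors"].add(f["src_ip"])
        v["bytes"] += f["bytes"]
        v["packets"] += f["packets"]
    suspects = {}
    for victim, v in per_victim.items():
        avg = v["bytes"] / v["packets"] if v["packets"] else 0
        if avg >= min_avg_bytes and v["bytes"] >= min_total_bytes:
            suspects[victim] = {"reflectors": sorted(v["reflectors"]),
                                "bytes": v["bytes"], "avg_pkt_bytes": round(avg)}
    return suspects
```

The small flow to 203.0.113.9 stays below both thresholds and is not reported, while the two reflectors hitting 203.0.113.5 are grouped into one finding with the list of reflecting servers to notify.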
The previous attack record stood at 1.2 Tbps, courtesy of the Mirai IoT botnet.
Brawn vs. Brawn
A patch has been issued that disables the UDP protocol on Memcached servers, the protocol that allows these attacks to be launched. However, firstly, as has been evidenced by many vulnerabilities and attacks in the past, there’s a good chance many Memcached servers will go unpatched for years, allowing this amplification vector to hang around. Secondly, professional attackers aren’t going to stop with this one new trick, and you can count on the next record-breaking amplification vector to be lurking somewhere just around the corner.
Dealing with attacks of this size requires professional DDoS protection that is cloud-based for infinite scalability. Nothing else has a hope of standing up to amplification vectors anywhere near what Memcached attacks are capable of. If you have a website or business, don’t get caught being the old dog that won’t learn the essential new trick of leading DDoS protection. It will not go well.