Teaching an old dog new tricks can be a challenge, but it is possible. In the world of cyber-attacks, though, the saying rarely applies. Old safeguards tend to lose their effectiveness over time, but seen from another angle, an old guard became "old" precisely because it has been doing a good job all these years.
Take DDoS attackers, for instance: they never settled down, they waited for the next trend, and that trend now hires them to do the job. They have even managed to rent out their own botnets for different attacks.
However, as businesses and websites fought back by implementing ways to withstand the short bursts attackers send, what were once low-volume attacks became ineffective. Now these old attack professionals are back with a new trick, and here is what they have capitalized on.
DDoS: A Story As Old As the Internet
Many who don't know much about DDoS would ask what it's all about. While the Internet makes the answer easy to find, we'll explain it here in brief.
DDoS means "Distributed Denial of Service", an attack that makes use of a botnet composed of multiple devices infected by malware. This botnet is then used to target a server or an entire network by flooding it with huge amounts of traffic and malicious server requests until the service or website goes down. Even in their toned-down form, these attacks can degrade a website's performance to the point that it becomes unusable.
These attacks were not as massive as they are now; the new trend appeared in 2016. Yes, DDoS can now be performed at a massive scale using the Mirai IoT botnet, which is composed of infected devices by the hundred thousand. When it did its job back then, it set the record for the biggest attack in history.
Then, just this year, word spread throughout the tech and security community that the Mirai record had been smashed. Many assumed it was again the work of IoT botnets, but it was later found to be the ingenious work of professional attackers who had hundreds of thousands of devices controlled from their own locations, making such massive attacks possible.
An Existing Tool Is Making It Possible
Most DDoS attacks at present make use of an existing tool whose primary job is to help the Internet run smoothly: Memcached. Memcached servers store large amounts of data from the websites that use them, and the number of those websites is not small either. They do this to reduce the number of times a website needs to read from an external database. Memcached servers are widely used, open-source and, most of the time, free.
Memcached is a great tool for businesses and attackers alike. It makes websites run smoothly by minimizing the need to access external servers, while in the DDoS attacker's eyes Memcached is a great tool for getting hold of large amounts of data.
Not Served That Well
A Memcached server that's made accessible to the public usually listens on port 11211 in its default configuration. Because of this, attackers can easily target it by IP spoofing: they flood the server with requests for usage statistics, with the source address of each request forged to be the target's.
The server then sends its reply to that spoofed address, which means straight to the target. The reply is huge, so the traffic gains momentum and eventually turns into a DDoS attack. Sending even more spoofed requests just makes the returned traffic larger still.
Experts call this a DDoS amplification vector: attackers get a large return, in the form of messages full of statistics from Memcached, for the small effort of sending the statistics request. Compared with other new tricks, attacks through Memcached produce the largest amplification factor.
Attacks like NTP amplification are known for their amplification capability but only achieve a factor of 557 times the payload used. Memcached attacks, on the other hand, can give an amplification factor of anywhere from 9,000 up to 51,000. This amplification factor is what enabled attackers to hit GitHub with as much as 1.35 Tbps. An unnamed victim also suffered a 1.7 Tbps attack.
The previous record, set by the Mirai botnet, was only 1.2 Tbps, definitely lower than the latest ones.
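The amplification described above is easy to spot in flow or firewall records from the defender's side, because a tiny UDP request to port 11211 is answered by a reply thousands of times its size. The following is an added example, not code from the original article: it runs over constructed flow records and flags (server, client) pairs whose outbound-to-inbound byte ratio crosses an assumed threshold, treating a reply with no request at all as the worst case.

```python
# Added example (not from the original article): flag Memcached amplification in
# flow-style records by comparing bytes sent to UDP/11211 with bytes returned from it.
from collections import defaultdict

MEMCACHED_PORT = 11211
AMPLIFICATION_THRESHOLD = 50.0  # assumed cut-off; legitimate cache traffic stays far below

# Constructed flow records, not captured from any real network:
# (proto, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    # ordinary TCP client of the cache: ignored, the amplification vector is UDP
    ("tcp", "10.0.0.5", 40001, "10.0.0.9", MEMCACHED_PORT, 120),
    ("tcp", "10.0.0.9", MEMCACHED_PORT, "10.0.0.5", 40001, 400),
    # benign UDP client: small request, small reply
    ("udp", "10.0.0.6", 50000, "10.0.0.9", MEMCACHED_PORT, 30),
    ("udp", "10.0.0.9", MEMCACHED_PORT, "10.0.0.6", 50000, 60),
    # spoofed stats request: 15 bytes in, 750 kB out to the spoofed "client" (the victim)
    ("udp", "203.0.113.7", 53211, "10.0.0.9", MEMCACHED_PORT, 15),
    ("udp", "10.0.0.9", MEMCACHED_PORT, "203.0.113.7", 53211, 750000),
    # reply with no matching request at all: the vantage point only saw the outbound side
    ("udp", "10.0.0.9", MEMCACHED_PORT, "198.51.100.3", 1234, 500000),
]

def amplification_ratios(flows):
    """Map (server, client) -> bytes out / bytes in for UDP traffic on MEMCACHED_PORT."""
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    for proto, sip, sport, dip, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dport == MEMCACHED_PORT:
            inbound[(dip, sip)] += nbytes
        elif sport == MEMCACHED_PORT:
            outbound[(sip, dip)] += nbytes
    ratios = {}
    for key, out_bytes in outbound.items():
        in_bytes = inbound.get(key, 0)
        # A reply with no request seen is the worst case: unbounded ratio.
        ratios[key] = out_bytes / in_bytes if in_bytes else float("inf")
    return ratios

def flag_amplified(flows, threshold=AMPLIFICATION_THRESHOLD):
    """Return [((server, client), ratio), ...] above threshold, largest ratio first."""
    hits = [(k, r) for k, r in amplification_ratios(flows).items() if r >= threshold]
    return sorted(hits, key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for (server, client), ratio in flag_amplified(FLOWS):
        print(f"{server} -> {client}: amplification x{ratio:.0f}")
```

Real deployments would feed this from NetFlow, sFlow or firewall logs and alert on the flagged pairs, since the "client" in an amplified pair is the victim being hit.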
The Solutions Currently Available
So far, disabling the UDP protocol has been eyed as the way to prevent these attacks, and a patch has already been developed and issued as a fix. Make sure no other programs need UDP (such as syslog or streaming devices) before you disable it.
However, just like the vulnerabilities that enabled several attacks in the past, it's safe to assume that most of these Memcached servers will not be patched for many years, allowing the amplification vector to fuel even more attacks.
Moreover, these attackers are not going to stop with this latest trick. They will surely develop a new one that does even greater damage, and it could already be lurking in the dark corners of the Internet. It takes professional cloud-based DDoS protection to counter attacks of this magnitude, so if you run a business or a website, be sure to implement it and avoid getting caught by this new trick. Remember, prevention is always better than cure!
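Disabling UDP is a one-flag change on the server, but it is easy to miss on an instance that was also left listening on every interface. The following added example, which is not part of the original article, audits a memcached launch command line for those two settings; it assumes the real memcached options -U (UDP port, where 0 disables UDP) and -l (listen address), and shows a weak command line beside the hardened one.

```python
# Added example (not from the original article): audit a memcached command line for
# the two settings that make it a public UDP amplifier. Assumes the real memcached
# options -U <udp_port> (0 disables UDP) and -l <addr>[,<addr>...] (listen address).
import shlex

PUBLIC_ADDRS = {"0.0.0.0", "::"}

def _option_value(args, flag):
    """Return the value following `flag` (either '-U 0' or '-U0' form), or None."""
    for i, tok in enumerate(args):
        if tok == flag and i + 1 < len(args):
            return args[i + 1]
        if tok.startswith(flag) and len(tok) > len(flag):
            return tok[len(flag):]
    return None

def audit_memcached_args(cmdline):
    """Return sorted finding names for a memcached launch command line."""
    args = shlex.split(cmdline)
    findings = set()
    udp_port = _option_value(args, "-U")
    # Assumption: treat a missing -U as UDP enabled. Older builds defaulted to UDP on;
    # newer releases ship with it off, so this audit deliberately errs toward flagging.
    if udp_port is None or udp_port != "0":
        findings.add("udp_enabled")
    listen = _option_value(args, "-l")
    # No -l at all means "bind every interface"; so does 0.0.0.0 or ::.
    addrs = {a.strip() for a in listen.split(",")} if listen else PUBLIC_ADDRS
    if addrs & PUBLIC_ADDRS:
        findings.add("public_listen")
    return sorted(findings)

# Constructed examples: the weak line reflects old defaults, the hardened one the fix
# the article describes (UDP off, cache reachable only from the local host).
WEAK_CMDLINE = "memcached -m 64 -p 11211 -U 11211 -l 0.0.0.0"
HARDENED_CMDLINE = "memcached -m 64 -p 11211 -U 0 -l 127.0.0.1"

if __name__ == "__main__":
    for name, line in (("weak", WEAK_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        print(f"{name}: {audit_memcached_args(line) or 'no findings'}")
```

Binding to a private address rather than the loopback is also fine when application servers live on another host, as long as that address is not reachable from the Internet.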