After the massive DDoS attack on GitHub last month, researchers have been working hard to identify the vulnerabilities and fixes. Now, three pieces of attack code have been released by hackers, making the method very public. On one hand, this gives information to the good guys seeking to prevent attacks. On the other, any black hat can pick up this code and launch their own attack.
In the recent spate of massive DDoS attacks, users have been largely safe because the method was not widely promulgated. The largest observed DDoS attack hit GitHub a couple of weeks ago, spiking at traffic levels of 1.7 Tbps. Researchers at Akamai and elsewhere have identified the exploits against Memcached servers and are working on a fix, but now three pieces of attack code have been released to the public via Twitter, giving anyone who can read code the means of perpetrating an attack.
Three proof-of-concept programs and a list of 17,000 vulnerable IP addresses have been released. Two of the programs were released on March 5 by Twitter user @37. The first tool is written in C and drives the attack from the list of vulnerable servers, while the second is a Python script that uses Shodan to locate vulnerable servers and send them UDP packets. A third program was published by Twitter user @the_ens on March 3.
Memcached servers are vulnerable due to a UDP protocol flaw. This flaw opens up the door for massive UDP packet deliveries. Those deliveries cripple victim sites, and administrators have to pull the site down and close off the attack before they can go back to business as usual. Through the use of Memcache reflection, hackers have been able to create as much as 51x-200x the traffic load of a normal DDoS attack.
In lay terms…
So what exactly is a Memcached server? Memcached servers are in-memory caches used to increase database responsiveness, meaning that websites backed by these databases deliver faster, smoother experiences. Memcache servers store the most frequently used data for fast recall, instead of having to read it from hard disk every time. The servers are a combination of open-source code and standard hardware, resulting in huge amounts of quick memory.
Utilizing that huge memory, these new, so-called amplification attacks, forge huge amounts of UDP packets and overload sites with false traffic levels. According to Cloudflare, the most recent attacks were from UDP port 11211, but there are many possible Memcache deployments worldwide.
The key to turning a DDoS attack into a Memcached reflection, or amplification, attack is IP spoofing. This allows Memcache responses to be routed to the desired address, such as GitHub.com. The initial traffic triggers the Memcache response, which, because of the spoofed source address, is sent back to GitHub.com instead of to the IP that actually sent the request. This creates a feedback loop that grows traffic astronomically. The server is essentially talking to itself, generating its own stream of traffic in addition to the extra traffic coming from the malicious source.
These attacks could very well become a trend. Some estimates put the number of Memcached servers at risk of being targeted by these techniques across the EU and North America at 88,000.
The plot thickens
In addition to crippling sites, attackers are embedding ransom notes in the Memcached-generated traffic. The notes have asked for Monero, with the stipulation that once paid, the attackers will end their traffic. Akamai found notes demanding 50 Monero as the cost of ending an attack. That is around $17,000.
For now, researchers are advising that Memcached server users disable the UDP port and beef up their firewalls. Other fixes are being worked on. Akamai also notes that paying ransoms is not a good idea. Likely, attackers would not be able to identify the source of Monero funds, and they likely wouldn’t call the attack off. In the meantime, it might be worth it to understand the full financial risk of being hit by one of these attacks. Check out this free tool for calculating DDoS downtime costs.
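As an added example (not code from the article or from any researcher or tool it mentions), here is the check an operator of a Memcached host can run over their own flow export to see whether the server is being abused as a reflector in the way described above: compare bytes received on UDP/11211 from each peer with bytes sent back to it. A legitimate client exchanges small amounts in both directions; a spoofed victim shows a few tiny requests and an enormous volume of responses. The addresses and flow records below are constructed, not real traffic.

```python
from collections import defaultdict

# Constructed flow records (not real traffic) as a router would export them for the
# Memcached host 198.51.100.7: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
MEMCACHED_HOST = "198.51.100.7"
FLOWS = [
    # tiny requests arriving on UDP/11211, apparently from 203.0.113.10 (spoofed)
    ("203.0.113.10", 40000, MEMCACHED_HOST, 11211, "udp", 45),
    ("203.0.113.10", 40001, MEMCACHED_HOST, 11211, "udp", 45),
    # huge responses leaving UDP/11211 toward that same address
    (MEMCACHED_HOST, 11211, "203.0.113.10", 40000, "udp", 1_200_000),
    (MEMCACHED_HOST, 11211, "203.0.113.10", 40001, "udp", 1_100_000),
    # a legitimate application client on the LAN: small both ways, over TCP
    ("10.0.0.5", 51234, MEMCACHED_HOST, 11211, "tcp", 800),
    (MEMCACHED_HOST, 11211, "10.0.0.5", 51234, "tcp", 2400),
    # unrelated web traffic to the same host
    ("10.0.0.9", 52000, MEMCACHED_HOST, 443, "tcp", 5000),
]


def memcached_udp_stats(flows, host):
    """Per peer address: bytes received on UDP/11211 from it, bytes sent from
    UDP/11211 to it, and the outbound-to-inbound ratio (the amplification factor)."""
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue  # only the UDP side of Memcached is reflectable
        if dst == host and dport == 11211:
            inbound[src] += nbytes
        elif src == host and sport == 11211:
            outbound[dst] += nbytes
    stats = {}
    for peer in set(inbound) | set(outbound):
        ratio = outbound[peer] / max(inbound[peer], 1)
        stats[peer] = (inbound[peer], outbound[peer], ratio)
    return stats


def likely_reflection_victims(flows, host, min_ratio=50):
    """Peers whose amplification ratio exceeds min_ratio. Because the request source
    was spoofed, each address listed is the attack's target, not its origin."""
    stats = memcached_udp_stats(flows, host)
    return sorted(peer for peer, (_, _, ratio) in stats.items() if ratio >= min_ratio)


if __name__ == "__main__":
    for peer, (rx, tx, ratio) in memcached_udp_stats(FLOWS, MEMCACHED_HOST).items():
        print(f"{peer}: {rx} B in, {tx} B out, amplification {ratio:.0f}x")
    print("likely victims:", likely_reflection_victims(FLOWS, MEMCACHED_HOST))
```

Any address flagged this way should be treated as a victim to notify, and the finding is the cue to disable the UDP listener or filter port 11211 at the firewall, as the researchers advise.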