At 17:28 GMT on February 28th, Akamai experienced a 1.3 Tbps DDoS attack, driven by memcached reflection, against one of our customers, a software development company. This was the largest attack Akamai has seen to date, more than twice the size of the September 2016 attacks that announced the Mirai botnet, and possibly the largest DDoS attack publicly disclosed. Because of memcached's reflection capabilities, it is highly likely that this record attack will not be the biggest for long.
On February 27th, Akamai and other companies announced the discovery of a newly observed reflection and amplification vector, memcached. This service is meant to cache data and reduce the strain caused by memory-intensive services. Memcached can have both UDP and TCP listeners and requires no authentication. Since UDP is easily spoofable, this makes the service vulnerable to use as a reflector. Worse, memcached can have an amplification factor of over 500,000, meaning a 203-byte request results in a 100-megabyte response.
Akamai’s Prolexic platform was able to mitigate the attack by filtering all traffic sourced from UDP port 11211, the default port used by memcached.
Many other organizations have experienced similar reflection attacks since Monday, and we predict many more, potentially larger, attacks in the near future. Akamai has seen a marked increase in scanning for open memcached servers since the initial disclosure.
Because it can create such massive attacks, attackers are likely to adopt memcached reflection rapidly as a favorite tool. Additionally, as attackers compile lists of usable reflectors, this attack method’s impact has the potential to grow significantly. The good news is that providers can rate-limit traffic from source port 11211 and prevent it from entering and exiting their networks, but this will take time.
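The same match used for filtering and rate limiting (UDP traffic sourced from port 11211) can also drive detection on flow data. The following is an added example, not Akamai's code: the CSV flow format, the thresholds, and the documentation-range addresses are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

MEMCACHED_PORT = 11211  # default memcached port named in the post

# Constructed flow records (documentation address ranges), not real traffic.
# Columns: second, protocol, src ip, src port, dst ip, dst port, bytes
SAMPLE_FLOWS = """\
1000,udp,198.51.100.10,11211,203.0.113.5,40211,1400000
1001,udp,198.51.100.11,11211,203.0.113.5,40211,1400000
1003,udp,198.51.100.12,11211,203.0.113.5,40211,1400000
1004,udp,192.0.2.53,53,203.0.113.5,53124,512
1005,tcp,203.0.113.5,51000,192.0.2.20,11211,2048
1012,udp,198.51.100.10,11211,203.0.113.9,40211,1400
"""

def parse_flows(text):
    """Yield typed tuples from the CSV flow format assumed above."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 7:
            continue  # skip blank or malformed records
        ts, proto, src, sport, dst, dport, nbytes = row
        yield int(ts), proto.lower(), src, int(sport), dst, int(dport), int(nbytes)

def is_reflected(proto, sport):
    """Same match as the filter in the post: UDP sourced from port 11211."""
    return proto == "udp" and sport == MEMCACHED_PORT

def detect(text, window_s=10, min_bps=1_000_000, min_reflectors=3):
    """Alert per (destination, window) when matched traffic passes both thresholds."""
    buckets = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for ts, proto, src, sport, dst, _dport, nbytes in parse_flows(text):
        if is_reflected(proto, sport):
            bucket = buckets[(dst, ts - ts % window_s)]
            bucket["bytes"] += nbytes
            bucket["reflectors"].add(src)
    alerts = []
    for (dst, start), bucket in sorted(buckets.items()):
        bps = bucket["bytes"] * 8 / window_s
        if bps >= min_bps and len(bucket["reflectors"]) >= min_reflectors:
            alerts.append({"dst": dst, "window_start": start, "bps": bps,
                           "reflectors": len(bucket["reflectors"])})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

In the sample, the DNS response and the outbound TCP client connection to port 11211 are not matched, so a legitimate memcached client session over TCP does not count toward an alert.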
Akamai is working with our industry partners and peers to help organizations use Best Common Practices (BCPs) and practical memcached remediation to reduce the risk to the Internet.
This is a Security Bloggers Network syndicated blog post authored by Akamai SIRT Alerts. Read the original post at: The Akamai Blog