After Biggest Ever DDoS Attack Hits GitHub, Attackers Add Monero Ransom Demand

memcachedDistributed-denial-of-service (DDoS) attacks have been ramping up these past few weeks. Reports released at the end of February noted an increasing number of memcached server attacks, which don’t require massive resources and huge botnets like the ones used for the DDoS attacks that made headlines in 2016. Only a few days later, software development platform GitHub was hit with the biggest DDoS attack to date. This site has been targeted before, though nothing compared to the scale of this recent attack. Records show that the attack was a massive 1.35 Tbps, which topped the previous 1.2 Tbps that hit Dyn in 2016.

Current DDoS attackers use a more efficient method

In late 2017, a research team published a comprehensive report on memcached servers, pointing out the possible dangers of this attack vector. These servers are database-caching systems that are mainly used to speed up networks and websites. Some of the servers are exposed on the public internet, though they were never meant to be, and anyone can query them and get a response. The response memcached servers give to a query is much larger than the actual query; they can actually amplify requests by over 50,000 times. Attackers take advantage of this by spoofing the IP address of the intended victim and sending queries to multiple memcached servers. This attack results in a huge amount of malicious traffic directed at the victim’s site, and they often can’t manage the barrage. Amplification attacks are actually not a new phenomenon; cybercriminals have been using this method since 2013.

Unlike most of the DDoS attacks in 2016, this memcached attack method is not resource-heavy. There is no need to maintain a massive botnet. The memcached servers are easily abused and deliver a much harder punch. And reports say that there are about 90,000 such memcached servers that can be used for this kind of attack.

DDoS and ransom demands

Security researchers have noted that more recent memcached DDoS attacks are a little different. Buried in the malicious traffic they send their targets, they hide ransom notes demanding payment in the form of Monero cryptocurrency.

While it is not unusual for DDoS attackers to try and extort money from their victims, this is the first time the demand has been hidden in the payload itself. Usually the demand is in a more obvious place.

Defending against DDoS attacks

To defend against this type of attack and keep your servers safe, here’s what you should do:

  • Verify if your servers need to be externally accessible, you should have as few publicly accessible tools as possible.
  • Ensure you have more than one upstream provider so you can fail over to other links should the primary become flooded.
  • Ensure your network providers have implemented anti-spoofing (such as BCP38 & 84) so that spoofed packets such as those used in DDoS reflection attacks do not make it to your network.
  • Ensure your networks have good traffic monitoring (both in and outbound) using network intrusion tools like Trend Micro™ Deep Discovery Inspector™ and TippingPoint. Trend Micro™ Deep Security™ also provides network security capabilities such as deep packet inspection, intrusion prevention (IPS), and host firewall. We released the following IPS rules for proactive protection from this threat:

    - 1008918-Identified Memcached Amplified Reflected Response 
    - 1008916-Identified Memcached Reflected UDP Traffic 

Given the success of these DDoS attacks, cybercriminals will likely ramp up similar activities. Not only that, they seem to be looking for ways to make this type of attack profitable. Prioritize securing vulnerable memcached servers, and keep an eye out for evolving threats.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Posted in Cyber Attacks, DDoS