Yusuf On SecuritySecurity news, opinion and advice

Memcached Server used in DDOS. The biggest DDOS So far.

DDOS or Distributed Denial Of Service attack are only getting larger and more devastating. Last week saw what is so far the most powerful DDOS attack when this was aimed at GitHub with record braking of 1.35 terabits per second. A day later it was hit with yet another bigger attack of 1.7 terabits per second. This beats the then eye popping DDOS attack on Dyn back in October 2016 which took Twitter, Spotify, Github, Reddit and AirBnB with it

The attack took advantage of a vulnerability that exist in an utiliy called Memcached. As you can tell
by its name it is a caching system. According to its website, it is “free & open source, high-performance, distributed memory object caching system”. Essentially, it is a very simple distributed cached solution which is meant to be used internally because it has no security mechanism to face the outside world.

“On Wednesday, February 28, 2018 GitHub.com was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a distributed denial-of-service (DDoS) attack. We understand how much you rely on GitHub and we know the availability of our service is of critical importance to our users. To note, at no point was the confidentiality or integrity of your data at risk.”

GitHub was back on its feet in less than ten minutes which itself is no mean feat given the deluge of data flooding its gates.

According to Cloudflare, Akami, SANS, Arbor Networks have all observed that there are a lot of Memcached exposed instances out there.

There a couple of things you can do if you are under attack. Either block traffic on port 11211 through your gateway or get help from your ISP to block this port for you.

Here is a technical blog by Barry Greene, a principal architect at Akamai. He detailed what business can do to avoid participating this type of distributed attack.

If you are leaving unsecured software facing the Internet, you are contributing to the problem. If you are using a Memcached server, put it inside the firewall. After all, this is what its documentation is
telling you to do.

Join the discussion

Further reading

What will it take?

A great piece on what it will take to improve the safety of the connected world. Read it here.

Extended detection and response (XDR)

Extended detection and response (XDR) captures threat data from previously isolated security tools throughout the organizations tech stack to enable...

Log4j Vulnerabilities

Towards the end of November, a researcher from Alibaba discovered a fault (CVE-2021-44228) in a well known open-source logging library called...