New DDoS campaign serving four times the number of packets as 2018's major GitHub attack

The potency of DDoS attacks lies in the number of packets being sent rather than the relative bandwidth involved in the attack.


Malicious actors are refining the techniques used in DDoS attacks, setting records for the number of packets sent in an attack rather than for the bandwidth consumed. Network security firm Imperva claimed in a Wednesday blog post that it had observed the first attack to exceed the 500 million packets per second threshold.

The post recalls the memcached attacks of 2018, in which a UDP interface that was unprotected by default allowed malicious actors to abuse these exposed UDP endpoints through IP spoofing (setting the target's address as the source address): a 15-byte request packet was sent to the server, which answered with responses ranging from 134KB to 750KB.


The size disparity between request and response, as much as 51,200 times, makes this an amplification attack, allowing a high level of network disruption with relatively meager resources. A 260 Gbps attack against the content delivery network Cloudflare peaked at 23 million packets per second. A memcached-powered DDoS attack against GitHub was measured at 1.35 Tbps at its peak, but GitHub's postmortem report noted a packet rate of 129.6 million packets per second. The record was broken again with a 1.7 Tbps attack against a service provider shortly after the GitHub attack.

This type of attack is relatively easy to mitigate, as the nature of the vulnerability limits how it can be exploited, the post said. All traffic from memcached-powered DDoS attacks occurs on UDP port 11211, making it a very predictable attack to filter out.

Conversely, high-packet-rate attacks put more stress on mitigation systems, which inspect the headers of each packet but rarely the full payload, according to the post. Mitigation systems also rely on a variety of detection techniques, which "requires far more compute processing power than what traditional network appliances require to route or switch a packet," the post added.

The attack observed by Imperva combined a SYN flood and a large SYN flood, which the post described as "highly randomized and probably spoofed," placing more load on mitigation hardware and making the attack less straightforward to mitigate than the high-bandwidth, low-randomness memcached-powered DDoS attacks of 2018.
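To make the contrast concrete, here is an added example (not code from the article or from Imperva) that works through the article's numbers and models the two filtering situations: the amplification factor and the average packet size implied by each bandwidth/packet-rate pair, plus a header-only filter that drops memcached reflections with one cheap rule but has nothing to match on for a randomized, spoofed SYN flood. The `Packet` record and the sample traffic are constructed for illustration.

```python
from dataclasses import dataclass

def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Response size divided by request size (what the article calls magnification)."""
    return response_bytes / request_bytes

def avg_packet_bytes(bits_per_second: float, packets_per_second: float) -> float:
    """Average packet size implied by a bandwidth figure and a packet-rate figure."""
    return bits_per_second / 8 / packets_per_second

@dataclass(frozen=True)
class Packet:
    proto: str        # "udp" or "tcp"
    src_port: int
    flags: str = ""   # TCP flags, e.g. "S" for SYN

def is_memcached_reflection(pkt: Packet) -> bool:
    """Reflected memcached responses all carry UDP port 11211, per the article."""
    return pkt.proto == "udp" and pkt.src_port == 11211

def filter_packets(packets):
    """Header-only pass with the single cheap rule; returns (dropped, passed)."""
    dropped = sum(1 for p in packets if is_memcached_reflection(p))
    return dropped, len(packets) - dropped

# Constructed sample traffic (not captured data): three memcached reflections and
# three SYN packets with randomized source ports, as a spoofed SYN flood would show.
SAMPLE = [
    Packet("udp", 11211), Packet("udp", 11211), Packet("udp", 11211),
    Packet("tcp", 51334, "S"), Packet("tcp", 1029, "S"), Packet("tcp", 60777, "S"),
]

if __name__ == "__main__":
    # 15-byte request vs 750KB response: the article's 51,200x figure
    print(amplification_factor(15, 750 * 1024))
    # GitHub 2018: 1.35 Tbps at 129.6 Mpps -> roughly 1302 bytes per packet,
    # which is why the bandwidth record did not mean a packet-rate record
    print(round(avg_packet_bytes(1.35e12, 129.6e6)))
    # Reflections are dropped by one rule; the SYN flood passes untouched
    print(filter_packets(SAMPLE))
```

Every SYN packet in the sample survives the cheap rule, which is the point of the article: each one still has to be examined individually, so packet rate, not bandwidth, is what the mitigation hardware feels.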

The big takeaways for tech leaders:

  • The 2018 memcached-powered attacks used amplified responses up to 51,200 times larger than the request packet, creating record-setting DDoS attacks in terms of bandwidth.
  • New, lower-bandwidth attacks are setting records in terms of packets, with a 500 million packet per second attack measured at roughly four times the packet rate of 2018's record-setting GitHub DDoS attack. --Imperva, 2019
