World record DDoS attack hits 1.7 Tbps, thanks to Memcached flaw

A massive reflection/amplification DDoS attack hit an undisclosed US-based company, setting a new record just days after a similar attack took down GitHub.

Predicting 2018's biggest cyber-threats

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • A DDoS attack using the Memcached flaw to perform a reflection/amplification attack has reached 1.7 Tbps, a new record for DDoS attack speed.
  • The Memcached flaw has been fixed via a patch released by the Memcached team that disables UDP by default. Users are advised to install the patch and move away from UDP usage.

NETSCOUT'S Arbor security group has confirmed a 1.7 Tbps DDoS attack on an unnamed US company, carried out through the recently-discovered Memcached flaw. Arbor was able to confirm the attack through its ATLAS DDoS monitoring system, making this the largest known DDoS attack recorded by ATLAS to date.

Reports of this attack come less than a week after TechRepublic reported a similar DDoS attack on GitHub, which reached speeds of 1.35 Tbps. Amazingly enough, Arbor reported that the attack victim's service provider was able to prevent any interruptions, despite the massive scale of this latest attack.

Both the attack on GitHub and this second attack used the same reflection/amplification technique, which exploits a vulnerability in the Memcached protocol. Until the flaw in memcached servers can be fixed, Arbor's Carlos Morales said in a blog post, attacks like these are likely to continue.

How Memcached gets abused

Memcached is an open source memory caching system that stores often-accessed data in RAM to speed up access times, but as our sister site ZDNet reported, it wasn't designed for use on internet-connected systems, as access doesn't require authentication.

The open nature of Memcached allows an attacker to plant a massive amount of data on an exposed server, and then use a spoofed 'get' request to direct massive traffic to a victim's IP address. This can overload the victim's network and affect their service.

As Cloudflare explained in a post about the attack, the potential amplification of small amounts of data is huge: 15 bytes of data can generate a 750KB response--an amplification of 51,200x.

The attack relies on spoofing UDP packets to function, which the Memcached team addressed in a recent patch released to address the reflection/amplification attack. The main feature of the patch is turning off UDP by default, which could eliminate the spread of terabyte DDoS attacks that use this vulnerability.

SEE: Incident response policy (Tech Pro Research)

With more than 100,000 vulnerable systems online, eliminating this source of unprecedented DDoS attacks will be difficult. Akamai predicts that the popularity of such attacks will only grow, making those 100,000 systems ripe targets for attackers.

It's recommended that internet-facing Memcached servers be upgraded to the latest version and have UDP disabled. As with other major security flaws, this one has a patch available that the developer says can address the problem. Future victims will likely be those that failed to update their Memcached installs.

Also see

Timur Arbaev