US service provider survives the biggest recorded DDoS in history

A new technique that abuses poorly secured servers is fueling record-breaking denial-of-service attacks, along with notes demanding the targets pay hefty ransoms for the debilitating flood of junk traffic to stop.

As Ars reported last week, memcached, a database caching system for speeding up websites and networks, lets DDoS vandals amplify their attacks by an unprecedented factor of 51,000. That means a single home computer with a 100 megabit-per-second upload capacity from its ISP is capable of bombarding a target with a once-unimaginable 5 terabits per second of traffic, at least in theory.

Following the discovery that DDoS vandals in the wild were abusing open memcached servers, researchers last week predicted a new round of record attacks. Two days later, DDoS mitigation service Akamai/Prolexic reported the 1.3Tbps attack against Github, just slightly topping previous records set in 2016.

On Monday, researchers from a separate DDoS mitigation service, Arbor Networks, reported a 1.7Tbps DDoS that also relies on the newly documented memcached amplification method. The attack targeted an unnamed customer of a US-based service provider. Despite being the largest reported DDoS on record, the customer and ISP reportedly didn't buckle.

"It's a testament to the defense capabilities that this service provider had in place to defend against an attack of this nature that no outages were reported because of this," wrote Carlos Morales, who is vice president of global sales engineering and operations at Arbor.

Pay up, or else

Researchers are also reporting that many of the potentially paralyzing attacks are accompanied by a ransom demand, presumably so that the data flood will stop. Cyril Vallicari, an R&D engineer at security firm HTTPCS, said open memcached servers include a cache that accepts input from anyone. Some of the attackers who are abusing the servers to deliver DDoSes are including the words "Pay 50 XMR" along with the address to a wallet. As the screenshot below demonstrates, the message is repeated over and over in the payload delivered to targets in an attempt to exhaust the network bandwidth they have available. At current prices for the digital currency known as Monero, 50 XMR is valued at about $18,415. A spokeswoman for Akamai said the 1.3Tbps attack that targeted Github last week included the same or a similar ransom demand.

While most of the memcached-enabled attacks seen in the wild include responses that are about 10,000 times bigger than their original volume, John Graham-Cumming, the CTO of content delivery network Cloudflare, told Ars he saw one attack with an amplification factor of 51,000. Of course, actual volumes delivered to the target depend on the bandwidth available to the servers being abused, and that may limit DDoS sizes that rely on this technique.

There are several good reasons targets should not pay the ransom. Key among them, so far: all the demands reported use the same wallet address. That would make it hard for the DDoSers to track which targets have paid and which targets have refused. With no easy tracking mechanism, it's unlikely the attackers have an automated way to stop attacks against targets who pay. Aside from that, paying attackers only encourages more illegal behavior in the future. Paying for DDoS mitigation services makes more sense for targets.

Flouting best practices

The new amplification technique is being enabled by the flouting of at least two best practices. The first is network service providers that still permit forged UDP packets to traverse their networks. The second culprit is memcached servers that are exposed to the Internet. The attacks work by sending a query to an open memcached server. The queries are manipulated to make them appear as if they originated with the intended target of the DDoS. Last week, researchers estimated there were about 93,000 memcached servers that improperly accepted input from anyone on the Internet.

If providers everywhere deployed measures that prevented spoofed UDP traffic on their networks and shut down all publicly available memcached servers they hosted, the new amplification technique would no longer be available. The new record-setting DDoS reported Monday demonstrates that a significant number of providers have yet to adopt these commonsense measures.

Post updated to correct bandwidth calculation in the second paragraph.