Last week’s 1.3 terabits per second DDoS attack on GitHub is no longer the biggest on record.
On Monday, a mysterious party launched a 1.7 Tbps DDoS attack, according to the security provider Arbor Networks. The assault was directed at an unnamed “US-based service provider,” which survived the sudden flood of internet traffic without disruption, Arbor Networks said.
Who was behind the assault isn’t known. But the incident used the same attack method that struck GitHub last week. In both cases, the perpetrators amplified their DDoS traffic by bouncing it off internet-exposed caching systems called “memcache servers.”
These servers are designed to speed up websites and internet services. When left reachable from the internet, however, they can be abused to amplify traffic: a small request can elicit a response up to 51,000 times larger. Aimed at a target in a DDoS attack, that flood of traffic can take websites down.
Making matters worse, anyone with some technical knowledge can abuse these memcache servers, and an estimated 100,000 have been found publicly reachable on the internet.
“These attacks scare internet service providers the most,” said Dale Drew, chief security strategist at internet backbone provider CenturyLink. “There are very few DDoS protection providers, cloud providers with the capacity to scrub these kind of attacks.”
In some good news, the security community has not yet seen an explosion of hackers exploiting memcache servers. According to Drew, the recent attacks could be the work of a single bad actor, who probably used between 6,000 and 8,000 memcache servers to deliver the 1.3 Tbps attack on GitHub last week.
“We aren’t sure why he doesn’t use more,” Drew said. “If that’s all he can handle, or if he’s trying to randomize the servers, and hide his activity. But we’re seeing about 6,000 servers used at any given point.”
CenturyLink is working with the security community to firewall and patch the vulnerable memcache servers. So far, 30 to 40 percent of all memcache servers have been taken off the public internet, leaving about 60,000 online, he said.
ISPs can suppress the attacks by filtering out the attacker’s attempts to communicate with memcache servers over their networks. CenturyLink and others have begun doing this by blocking the specific commands that can trigger a memcache server to amplify a DDoS attack.
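The amplification and the two defences the article describes (spotting abused servers on the network, and firewalling or reconfiguring the servers themselves) can be illustrated with a small detector. The following is an added example, not code from the article or from CenturyLink or Arbor Networks. It assumes flow records in a simple CSV form (source, source port, destination, destination port, protocol, bytes), uses memcached's default port 11211, and treats a UDP response that is both large and more than 100 times the size of the request that triggered it as a sign of amplification; the sample flows and both thresholds are constructed for the example. The last function checks a memcached command line against the two real flags that close the hole, `-U 0` (disable UDP) and `-l` (bind to a loopback address).

```python
from collections import defaultdict

MEMCACHED_PORT = 11211  # memcached's default port for both TCP and UDP

# Constructed flow records, not captured traffic: src,sport,dst,dport,proto,bytes.
# Line 2 is a huge UDP reply from an exposed server to an address that sent it a
# 60-byte request: the amplification pattern. The other pairs are ordinary traffic.
SAMPLE_FLOWS = """\
198.51.100.7,40000,203.0.113.10,11211,udp,60
203.0.113.10,11211,198.51.100.7,40000,udp,1440000
198.51.100.7,40001,203.0.113.11,11211,udp,60
203.0.113.11,11211,198.51.100.7,40001,udp,900
192.0.2.5,53000,203.0.113.10,11211,udp,80
203.0.113.10,11211,192.0.2.5,53000,udp,120
"""


def parse_flows(text):
    """Parse CSV flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append({
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "proto": proto.lower(), "bytes": int(nbytes),
        })
    return flows


def amplification_by_pair(flows):
    """Per (server, target) pair on UDP/11211: (request_bytes, response_bytes, ratio).

    Traffic *to* port 11211 is counted as requests, traffic *from* it as responses.
    The ratio is the amplification factor the server delivered to that target.
    """
    requests = defaultdict(int)
    responses = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] == MEMCACHED_PORT:
            requests[(f["dst"], f["src"])] += f["bytes"]
        elif f["sport"] == MEMCACHED_PORT:
            responses[(f["src"], f["dst"])] += f["bytes"]
    result = {}
    for pair, resp_bytes in responses.items():
        req_bytes = requests.get(pair, 0)
        ratio = resp_bytes / req_bytes if req_bytes else float("inf")
        result[pair] = (req_bytes, resp_bytes, ratio)
    return result


def flag_amplifiers(text, min_ratio=100.0, min_response_bytes=100_000):
    """Return sorted (server, target) pairs whose UDP/11211 responses are both
    large and far out of proportion to the requests (thresholds are assumptions)."""
    stats = amplification_by_pair(parse_flows(text))
    return sorted(
        pair for pair, (_, resp_bytes, ratio) in stats.items()
        if ratio >= min_ratio and resp_bytes >= min_response_bytes
    )


def memcached_udp_exposed(argv):
    """True if this memcached command line still answers UDP on a non-loopback address.

    Uses memcached's real flags: -U <port> (0 disables UDP) and -l <listen address>.
    Only the space-separated form ("-U 0") is parsed here, an assumption of the example.
    """
    udp_port = MEMCACHED_PORT
    listen = "0.0.0.0"
    for i, arg in enumerate(argv):
        if arg == "-U" and i + 1 < len(argv):
            udp_port = int(argv[i + 1])
        elif arg == "-l" and i + 1 < len(argv):
            listen = argv[i + 1]
    return udp_port != 0 and listen not in ("127.0.0.1", "::1", "localhost")


if __name__ == "__main__":
    for pair, (req, resp, ratio) in amplification_by_pair(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{pair[0]} -> {pair[1]}: {req} B in, {resp} B out, x{ratio:.0f}")
    print("flagged:", flag_amplifiers(SAMPLE_FLOWS))
    print("exposed:", memcached_udp_exposed(["memcached", "-m", "64"]))
```

On the constructed sample the first server returns 24,000 times the bytes it received from 198.51.100.7 and is flagged, while the 15x reply from the second server and the near 1:1 exchange with 192.0.2.5 are not. In practice the request side of the pair is the spoofed victim address, so the flagged target is the party being attacked and the flagged server is the one that needs to be firewalled, patched, or restarted without UDP.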
“I’m hoping to get this threat addressed within several days,” Drew said. “The bad guy will then have no choice but to go for the next low-hanging fruit.”
Last week’s attack on GitHub also carried a ransom note demanding that the website pay $18,000 in a digital currency called Monero. The 1.7 Tbps attack on the US service provider, however, contained no message, according to Arbor Networks.