A US service provider has suffered the world’s biggest Distributed Denial of Service (DDoS) attack, just a few days after a previous record was broken.
The unnamed firm suffered a whopping 1.7Tbps blitz, using the same techniques of memcached services and reflection amplification as a 1.3Tbps attack on Github reported last week.
Arbor Networks claimed the new assault was twice as big as anything it had seen before, although it had the capabilities in place to mitigate the threat with no apparent impact on service quality.
There’s no word yet on whether the two threats were linked, but it certainly points to an uptick in DDoS attacks abusing memcached servers.
Arbor warned last week that because the servers typically have high bandwidth access links and reside on internet datacenter (IDC) networks with high-speed transit uplinks, they represent a critical DDoS threat.
“Memcached is an in-memory database caching system which is typically deployed in IDC, ‘cloud’, and Infrastructure-as-a-Service (IaaS) networks to improve the performance of database-driven web sites and other internet-facing services,” the firm explained.
“Due to its nature as a form of organic caching middleware and its lack of access controls (unless specifically compiled with a rarely-used TLS authentication option), memcached should not be exposed to the public internet. Unfortunately, there are many memcached deployments worldwide which have been deployed using the default insecure configuration, and without benefit of situationally-appropriate network access policies implemented as transit ACLs (tACLs) to shield memcached servers from abuse by attackers.”
The firm claimed that while memcached DDoS attacks were once the preserve of skilled attackers, it’s likely that these capabilities have been weaponized as a service for a wider pool of cyber-criminals — leading to the uptick in attacks.
“Due to the nature of both the memcached service/protocol implementation as well as the prevalence and high bandwidth typically available to memcached reflectors/amplifiers, it is critical that network operators take proactive measures to ensure they are prepared to detect, classify, traceback, and mitigate these attacks, as well as ensure that any memcached installations on their networks and/or networks of their end-customers cannot be exploited as reflectors/amplifiers,” it added.