Memcached DDoS: The new kid on the block

By Robin Schmitt, General Manager, APAC at Neustar

In the past month alone, the cyber security industry bore witness to a relatively new face of distributed denial of service (DDoS) amplification attacks in the form of Memcached DDoS that reached a peak of 1.35 Tbps – the largest attack ever mustered.

Recalibrating our tracks to 2017, brands continued to demonstrate the ongoing susceptibility to DDoS and other cyber breaches. The reverberations from these attacks were felt across all corners of businesses –  we saw stock prices fall and consumers lose confidence in brands as a result.

Instead of profiting on infamy, hackers are devising more ways to benefit while flying under the radar so attacks can go on longer, provide access to more data or affect specific targets in very granular ways.

A game of risk: attacks more determined with newer threat vectors

These attacks are dangerous because they can escalate quickly to leverage more than 100,000 servers to cause thousands of factors in amplified traffic with no warning. Unlike the formal botnet attacks used in large DDoS infiltrations, Memcached DDoS outages do not require a malware-driven botnet.

Perpetrators simply spoof the IP addresses of their targets and send several data packets to multiple Memcached servers that live on networks with high speed transit uplinks. The Memcached systems then return 50 times the data of the requests back to the victim – creating a perfect storm for high bandwidth DDoS amplification attacks.

While the average size of infiltrations has remained steady for three years straight at around 5Gbps, the volume of attacks, especially repeated ones against the same targets has increased. The Memcached DDoS attack uses exposed database caching servers to create massive amounts of traffic to target Layer 3 infrastructure elements. With simple spoofing and no authentication needed, attackers can generate traffic responses 10,000 to 51,000 greater than the size of the request.

The vigilant defender: detection and response

Attackers have since learned how to tease defenses, probe network vulnerabilities, and execute more lethal strikes. The difficulty in being able to effectively and efficiently detect and respond to DDoS attacks has no doubt frustrated those who work to protect revenue flows, critical infrastructure, and brand reputations. Today, the vigilant defender knows that when DDoS attacks are detected, there is a 50/50 chance that it is a race against crime.

A study by Neustar found that while nearly all organisations have one or more defence layers in place, despite the heightened awareness, identification and reaction is taking more time and damages incurred are taking a higher toll. 90% of all respondents reported plans to invest more in defence solutions than the year before. Findings point towards how there is concern in the market that the solutions organisations are using may not be enough, and that currently the attackers truly have the upper hand.

No game delay allowed

Future-proofing mitigation networks to stop attacks before they reach their target destination will save brands billions each year from the impact of DDoS offensives. So this begs the question – how can organisations make smarter security decisions that meet the future requirements of an increasingly diverse threat landscape?

Whilst there is no sure-fire, cookie-cutter approach, it is certain that organisations need to start building up their muscle power against perpetrators. Fortunately, new approaches to security that combine the best of on-premise hardware and cloud-based solutions are changing how this game is played.

A hybrid model will ensure sound protection against smaller, yet more advanced, application level attacks, as well as providing the ability to mitigate large volumetric attacks. By understanding the threat, quantifying the risk to the organisation and implementing a right-sized mitigation solution, organisations can effectively mitigate the risk of Memcached DDoS offensives – ensuring the scorecard stands at Organisations: 1, Attackers: 0.

[1] 

Tags DDoS attacks

Show Comments