The distributed denial of service (DDoS) attack targeting GitHub last week, which at its peak involved 1.3 terabits per second (Tbps) of traffic, has been attributed to the exploitation of a feature that was never intended to be exposed to the internet.
The eight-minute attack last Wednesday was more than twice the next-largest ever recorded DDoS attack. It took advantage of the Memcached feature of Linux in an attack described as “memcached amplification”.
In these attacks, hackers inundate servers with small UDP-based packets. These are crafted so that they appear to have been sent by the target of the attack.
Akamai helped GitHub fend off the attack. The company explained that Memcached techniques “can have an amplification factor of over 50,000, meaning a 203 byte request results in a 100 megabyte response.”
According to the company’s security alerts team, this record will probably be beaten in the foreseeable future. It said: “Because of memcached reflection capabilities, it is highly likely that this record attack will not be the biggest for long.”
A day before the hack happened, the company noted a rise in the number of cyber criminals tapping into this DDoS technique.
The firm explained: “On February 27th, Akamai and other companies announced the discovery of a newly observed reflection and amplification vector, memcached.
“This service is meant to cache data and reduce the strain caused by memory-intensive services. Memcached can have both UDP and TCP listeners and requires no authentication.
“Since UDP is easily spoofable, it makes this service vulnerable to use as a reflector. Worse, memcached can have an amplification factor of over 50,000, meaning a 203 byte request results in a 100 megabyte response.”
Submitted by: Arnfried Walbrecht
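Because the service described above offers a UDP listener and no authentication, operators can check whether their own memcached instances are started in a way that leaves that listener reachable. The following is an added example, not part of the original article: it audits a memcached command line using memcached's `-p`, `-U` and `-l` options and its default port 11211, none of which appear in the article. The `udp_on_by_default` parameter and the rule that the UDP port follows the TCP port are assumptions about the installed build.

```python
import shlex

DEFAULT_PORT = 11211                      # memcached's default port
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
SHORT = {"-p": "port", "-U": "udp-port", "-l": "listen"}

def _options(tokens):
    """Yield (name, value) for the port, UDP port and listen options only."""
    it = iter(tokens)
    for tok in it:
        if tok.startswith("--"):
            name, sep, value = tok[2:].partition("=")
            if name in SHORT.values():
                yield name, value if sep else next(it, "")
        elif tok[:2] in SHORT:
            yield SHORT[tok[:2]], tok[2:] or next(it, "")

def _host(addr):
    """Drop an optional :port suffix so the address can be compared."""
    if addr.startswith("["):
        return addr[1:].split("]")[0]
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr

def audit(cmdline, udp_on_by_default=True):
    """Report whether a memcached command line leaves a UDP listener reachable
    beyond loopback. udp_on_by_default is an assumption about the build."""
    tcp_port, udp_port, listen = DEFAULT_PORT, None, []
    for name, value in _options(shlex.split(cmdline)[1:]):
        if name == "port":
            tcp_port = int(value)
        elif name == "udp-port":
            udp_port = int(value)
        else:
            listen += [a.strip() for a in value.split(",") if a.strip()]
    if udp_port is None:                  # no explicit -U: the default applies
        udp_port = tcp_port if udp_on_by_default else 0
    # No -l at all means memcached binds every interface.
    non_loopback = [a for a in listen if _host(a) not in LOOPBACK] if listen else ["*"]
    return {"udp_port": udp_port, "non_loopback": non_loopback,
            "reflector_risk": bool(udp_port and non_loopback)}

# Constructed sample command lines, not taken from any real host.
SAMPLES = [
    "/usr/bin/memcached -d -m 1024 -u memcache",
    "/usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1",
    "memcached -U 0 -l 0.0.0.0",
]
RESULTS = {s: audit(s)["reflector_risk"] for s in SAMPLES}
```

Only the first sample is flagged: it binds every interface and leaves the UDP listener at its default, while the other two either bind loopback only or turn UDP off with `-U 0`.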