The latest amplification attack methodology, named after Memcache (a popular open source distributed memory caching system) because it abuses that software, has so far generated the largest DDoS attacks to date. Within a one-week period, Memcache amplification has produced two attacks registering at 1.3 Tbps and 1.7 Tbps, both eclipsing the previous high-water mark set by the Mirai botnet in 2016 when it targeted and disrupted the Dyn DNS infrastructure. To date, over 17,000 vulnerable Memcache servers have been identified, each potentially offering an amplification factor of 50,000, and the list is growing. If there is any silver lining to this situation, it is that patching and mitigating these vulnerable Memcache servers is much easier than dealing with the Mirai botnet.
When the Mirai botnet made its big splash in 2016, the botnet was estimated to comprise a diverse set of IoT platforms (e.g. cameras, DVRs, home routers, network-attached storage devices) and to exceed 180,000 unique source IPs. Recent estimates now put the count of vulnerable systems at around 50,000 to 100,000, fluctuating as new IoT products hit the marketplace. This reduction, however, was not the result of a concerted effort to patch vulnerabilities, but rather of the nature of IoT devices, which typically:
A) Do not stay infected after a reboot (a common occurrence with devices like DVRs), and can be compromised repeatedly, by a different botnet each time
B) Remain functional when infected, thereby escaping notice and detection when compromised
C) Do not let users change the default password themselves, and usually have no straightforward software patches available from the various vendors
D) Continue to be released with vulnerabilities that make them targets for harvesting (e.g. Arris modems used by the majority of ISPs in late 2017 continue to have hardcoded credentials and open SSH)
As a result of these attributes, Mirai and its variants (Reaper, Persirai, Hajime, and BrickerBot, to name a few) continue to be a threat on the internet landscape and will be for the foreseeable future, albeit at a smaller volume. This does not mean, however, that they cannot be equally devastating.
Compare this to the Memcache environment. For sysadmins and developers using memcache, a quick Google search provides details on upgrading to version 1.5.6 of the Memcached software to avoid being used in an amplification attack; a fairly simple, innocuous upgrade. Furthermore, victims of a Memcache attack can even fight back themselves by sending a simple command, i.e. "shutdown\r\n" or "flush_all\r\n", in a loop to the attacking Memcached servers in order to prevent amplification. Tools are already being released to help automate this task. As such, the Memcache attack vector should not be an issue for very long, barring lazy sysadmins, which is another discussion altogether...
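The check below is an added example, not code from the article or from DOSarrest: it runs over constructed flow records and reports any local memcached that is answering external hosts over UDP/11211, together with the observed amplification ratio. The local address range, the threshold, and the record layout are assumptions.

```python
"""Flag memcached (UDP/11211) reflection in flow records (added example).

The records below are constructed for illustration; the tuple layout is an
assumed minimal NetFlow-style summary, not any vendor's real export format.
A server that shows up here should have its UDP listener disabled
(memcached 1.5.6 disables it by default; older builds can run with -U 0).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MEMCACHED_PORT = 11211
LOCAL_NET = ip_network("10.0.0.0/8")   # assumption: our own address space
RATIO_THRESHOLD = 100                  # flag when reply bytes >= 100x request bytes

# Constructed sample flows: (proto, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    # spoofed "request" carrying the victim's address, hitting our memcached
    ("udp", "203.0.113.7", 40000, "10.1.2.3", 11211, 60),
    # our memcached answering the victim with a very large reply
    ("udp", "10.1.2.3", 11211, "203.0.113.7", 40000, 1400 * 700),
    # normal application traffic inside the LAN (TCP, internal peer): benign
    ("tcp", "10.1.2.9", 52000, "10.1.2.3", 11211, 80),
    ("tcp", "10.1.2.3", 11211, "10.1.2.9", 52000, 512),
]


def reflection_report(flows, local_net=LOCAL_NET, threshold=RATIO_THRESHOLD):
    """Return {server_ip: {"requests": bytes_in, "replies": bytes_out, "ratio": r}}
    for each local host whose UDP/11211 replies to outside addresses reach the threshold."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":                      # TCP memcached cannot be spoofed this way
            continue
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if dport == MEMCACHED_PORT and dst_ip in local_net and src_ip not in local_net:
            stats[dst]["requests"] += nbytes    # inbound request from outside
        elif sport == MEMCACHED_PORT and src_ip in local_net and dst_ip not in local_net:
            stats[src]["replies"] += nbytes     # outbound reply to outside
    report = {}
    for server, s in stats.items():
        ratio = s["replies"] / max(s["requests"], 1)
        if ratio >= threshold:
            report[server] = {**s, "ratio": round(ratio, 1)}
    return report


if __name__ == "__main__":
    for server, s in reflection_report(FLOWS).items():
        print(f"{server}: {s['replies']} B out / {s['requests']} B in "
              f"= {s['ratio']}x amplification; disable UDP (memcached -U 0)")
```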
Jag Bains
CTO, DOSarrest Internet Security