Read My Lips: Don't Be a Botnet
These days, most organizations are aware that they can be the target of a DDoS attack. They've put in place protections to keep their public-facing websites up in the face of such attacks. But far fewer think about the potential for their servers to be harnessed for use in a botnet, the group of servers used to conduct DDoS attacks. That's because to date, attackers have only been able to use publicly available services, like DNS resolution servers, to launch and amplify DDoS attacks.
This week though, researchers discovered that attackers are abusing a previously obscure method that delivers attacks over 50,000 times their original size, the biggest amplification method ever used. The vector is memcached, a database caching system that speeds up networks and websites. In other words, if you're running memcached, you're now a very likely target to become part of a botnet. Should you become part of said botnet, it's likely that both your servers and your upstream Internet provider will fail. Exciting times, right?
These attacks work because certain UDP-based services – memcached in particular – often respond to a small request with a very large response. By using a spoofed source IP address in the UDP request, the attacker can redirect these large responses to their target's IP address. So what should you do to avoid being assimilated into a Borg-ish botnet? Three things:
- Take inventory of any Internet-facing servers, and ensure that memcached is not inadvertently enabled
- For any Internet-facing servers that require memcached, consider using a Software-Defined Perimeter to ensure that only authorized users will be able to send UDP packets. This will prevent attackers from being able to harness these servers in a DDoS attack, and leverage them to amplify those attacks
- Also look at internal servers that are running memcached – an internal denial-of-service attack could also be launched from some locally-running malware
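The first step above, finding out whether memcached is listening for UDP on an address reachable from outside, is the kind of thing worth scripting across a server fleet. The following is an added example, not code from the original post: a POSIX shell function that parses `ss -lunp`-style output and reports any memcached UDP socket bound to a wildcard address. The sample socket listing is constructed; the `check_live_host` wrapper runs the same logic against the current host. The remediation flags in the usage note (`-U 0`, `-l 127.0.0.1`) are memcached's own options.

```shell
#!/bin/sh
# Added example (not from the original post): flag memcached UDP listeners
# that are bound to all interfaces and therefore usable as amplifiers.
#
# Input format is that of "ss -lunp" (UDP listeners with owning process).
# The listing below is a constructed sample, not real host output.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:11211      0.0.0.0:*          users:(("memcached",pid=1234,fd=26))
UNCONN 0      0      127.0.0.1:11211    0.0.0.0:*          users:(("memcached",pid=1234,fd=27))
UNCONN 0      0      0.0.0.0:68         0.0.0.0:*          users:(("dhclient",pid=500,fd=6))'

# Print "address:port" for every memcached UDP socket bound to a wildcard
# address (0.0.0.0, [::] or *). Loopback-only bindings are not reported.
# Exit status is 1 when at least one exposed socket was found, 0 otherwise.
find_exposed_memcached_udp() {
    printf '%s\n' "$1" | awk '
        $1 == "UNCONN" && $0 ~ /memcached/ {
            addr = $4
            sub(/:[0-9]+$/, "", addr)      # strip trailing ":port"
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") {
                print $4
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# Run the check against this host (requires iproute2's ss).
check_live_host() {
    find_exposed_memcached_udp "$(ss -lunp 2>/dev/null)"
}

# Demonstration on the constructed sample: reports 0.0.0.0:11211 only.
find_exposed_memcached_udp "$SAMPLE_SS_OUTPUT"
```

If the function reports a socket, the quickest fix on a host that does not need memcached over UDP is to restart it with `-U 0` (disables the UDP listener) and `-l 127.0.0.1` (binds TCP to loopback), then run the check again; hosts where memcached is not needed at all should simply have it removed.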
We'll be continuing to monitor this story as it develops. We expect to see some incredibly large DDoS attacks get executed in the coming days and weeks with this capability. Cloudflare said the attacks they're seeing come from fewer than 6,000 memcached servers that are reachable on the Internet. But Ars Technica reported that searches show there are more than 88,000 such servers - a sign that attacks may get much bigger. Organizations should move quickly to address the steps above, to avoid being part of this wave.