Thursday, 20 September, 2018

Terabit DDoS attack era has arrived

How amplification attacks work
Sherri Watson | 07 March, 2018, 19:53

Last week Arbor, Cloudflare and Akamai reported an uptick in amplification attacks that abuse memcached servers to ramp up traffic by a factor of 50,000. In both cases, the perpetrators amplified their DDoS attacks with online data storing systems called "memcache servers".
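The factor-of-50,000 figure above is the ratio between the bytes an attacker sends to a reflector and the bytes the reflector sends on to the spoofed victim. A network defender can measure that ratio directly from flow records. The following script is an added example, not code from the article or from any of the vendors it quotes; the flow records are constructed, and the reflector-port table and thresholds are assumptions chosen for illustration:

```python
"""Detect UDP reflection/amplification in flow records (added example).

Each record is (proto, src_ip, src_port, dst_ip, dst_port, bytes).
The records below are constructed for illustration; 203.0.113.10 plays the
spoofed victim and 198.51.100.x play open memcached reflectors.
"""
from collections import defaultdict

SAMPLE_FLOWS = [
    # small spoofed "requests" arriving at reflectors (source = victim's address)
    ("udp", "203.0.113.10", 40000, "198.51.100.5", 11211, 60),
    ("udp", "203.0.113.10", 40000, "198.51.100.6", 11211, 60),
    # very large responses leaving the reflectors toward the victim
    ("udp", "198.51.100.5", 11211, "203.0.113.10", 40000, 2_400_000),
    ("udp", "198.51.100.6", 11211, "203.0.113.10", 40000, 3_000_000),
    # ordinary traffic that must not be flagged
    ("tcp", "192.0.2.7", 51000, "203.0.113.10", 443, 1500),
    ("udp", "192.0.2.8", 53, "203.0.113.10", 33000, 300),
]

# Assumed table of services commonly abused for reflection (port -> name).
REFLECTOR_PORTS = {11211: "memcached", 53: "dns", 123: "ntp"}


def amplification_by_reflector(flows, ports=REFLECTOR_PORTS):
    """Return {reflector_ip: (service, request_bytes, response_bytes, ratio)}.

    A flow *to* a reflector port counts as request volume for the destination;
    a flow *from* a reflector port counts as response volume for the source.
    """
    req = defaultdict(int)
    resp = defaultdict(int)
    svc = {}
    for proto, sip, sport, dip, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dport in ports:          # request toward a reflector
            req[dip] += nbytes
            svc[dip] = ports[dport]
        elif sport in ports:        # response leaving a reflector
            resp[sip] += nbytes
            svc[sip] = ports[sport]
    result = {}
    for ip in set(req) | set(resp):
        r, s = req[ip], resp[ip]
        # No observed request (inf) is itself suspicious: the request may have
        # been spoofed from outside our vantage point.
        ratio = s / r if r else float("inf")
        result[ip] = (svc[ip], r, s, ratio)
    return result


def flag_amplifiers(flows, min_ratio=100.0, min_resp_bytes=1_000_000):
    """Reflector IPs whose response volume is >= min_ratio x request volume.

    Thresholds are assumptions; tune them to the site's normal UDP profile.
    """
    return sorted(
        ip
        for ip, (_, _, s, ratio) in amplification_by_reflector(flows).items()
        if s >= min_resp_bytes and ratio >= min_ratio
    )


def victim_inbound(flows, victim_ip, ports=REFLECTOR_PORTS):
    """Total UDP bytes reaching victim_ip from reflector source ports, by service."""
    totals = defaultdict(int)
    for proto, sip, sport, dip, dport, nbytes in flows:
        if proto == "udp" and dip == victim_ip and sport in ports:
            totals[ports[sport]] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for ip, (service, r, s, ratio) in amplification_by_reflector(SAMPLE_FLOWS).items():
        print(f"{ip:15} {service:9} req={r:>6} resp={s:>9} ratio={ratio:,.0f}")
    print("flagged reflectors:", flag_amplifiers(SAMPLE_FLOWS))
    print("victim inbound by service:", victim_inbound(SAMPLE_FLOWS, "203.0.113.10"))
```

Run against the constructed records, both memcached hosts are flagged (ratios of 40,000 and 50,000), while the single DNS response is ignored because its volume is far below the byte threshold. On a real network the same grouping works on NetFlow or sFlow exports; the useful signals are large UDP responses from a well-known service port whose request side is tiny or absent.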

NETSCOUT's Arbor security group has confirmed a 1.7 Tbps DDoS attack on an unnamed U.S. company, carried out through the recently discovered memcached flaw.

Security researchers noticed a new twist in a recent spate of distributed denial-of-service attacks, in which servers are overwhelmed to knock a site or service offline.

Just a week after GitHub was temporarily knocked down by the then world's largest recorded DDoS attack, an unnamed United States internet service provider has been hit with an even bigger attack, using the same technique that exploited memcached servers.

Vice president of global sales engineering and operations at Arbor, Carlos Morales, is quoted as saying, "It's a testament to the defense capabilities that this service provider had in place to defend against an attack of this nature that no outages were reported because of this".

In 2016, he pointed out, more than 28 million open DNS resolvers were online and available for use in reflection/amplification techniques.

Arbor's data from the past decade seems to show (in the image above) that the bandwidth of DDoS attacks has been growing exponentially, from around 24 Gb/s in 2007 to 1.7 Tb/s in early 2018. When weaponized in a DDoS attack, the overwhelming amount of internet traffic can take down websites.

In 2013-14, he said, malware that weaponised the network time protocol had made an appearance and replaced DNS as the most prominent reflection/amplification vector.

With more than 100,000 vulnerable systems online, eliminating this source of unprecedented DDoS attacks will be hard.

Akamai similarly said this type of attack was likely to become more popular given its "ability to create such massive attacks".

The 1.35 terabit-per-second DDoS attack hit GitHub all at once, and it used an increasingly popular DDoS method, no botnet required.

"This size of attack certainly causes collateral damage throughout the internet and in particular on networks closer to the victim network", Morales said. DDoS is here to stay, and there will always be new exploits on new services that will continue to set new records.

Arbor warned last week that because the servers typically have high bandwidth access links and reside on internet datacenter (IDC) networks with high-speed transit uplinks, they represent a critical DDoS threat.