DDoS strikes again! And this time even worse

-
One more security incident was reported recently. This time the victim was popular code hosting site- GitHub. GitHub was hit down with massive record-breaking DDoS attack which has crossed all the past numbers of attack intensity. The attack was peaked at record 1.35 Tbps-126.9 million packets per second if we believe the numbers. This was 51000 times more than the actual request serving capacity of the site. Woah! The number describes the intensity of the attack.

Usually the botnet- a group of infected system is used to carry out the successful DDoS attacks. There is one leader/attacker which controls all the actions in the network like manipulating the IP address, change the attack payloads and other random customized activities. The notable thing in this recent attack was that there was no use of botnet reported. It was the Memcached servers which were targeted this time to escalate the DDoS attack.

How the attack was performed?

A forged request to the targeted Memcrashed server on port 11211 using a spoofed IP address that matches the victim’s IP.
What is Memcached?
Memcached is a well-known distributed caching system which is open source and easy to deploy. It makes the use of idle RAM in severs to act as a memory cache for the frequently accessed info. It permits the object data to get stored into the memory and it runs over UDP port 11211.

Why it is used?
The motive of designing the memcached application is to achieve the performance efficiency for dynamic web application by limiting the load on the database. This not only helps to improve performance but also give a hand to achieve good scalability for the application. GitHub, Facebook, Youtube, IBM use this for the websites to name a few.

In normal scenario, displaying of information requires below actions:
- Loading the information from the database
- Data filtering (Proper data needs to be displayed in user readable form)
- Showcasing the final data
With using memcached here,

Scenario 1:
- Load the information from the cache
- If info exists, display it

Scenario 2:
- Load the information from the cache
- If info is not available in the cache, same activities are performed just like normal scenario:
-Loading the information from the database
-Data filtering (Proper data needs to be displayed in user readable form)
- STORE THIS INFO IN CACHE (Which will be helpful in the future requests)
- Display final information

According to cloud fare report, “15 bytes of request triggered 134KB of response. This is amplification factor of 10,000x! In practice we’ve seen a 15-byte request result in a 750kB response (that’s a 51,200x amplification). At peak we’ve seen 260Gbps of inbound UDP memcached traffic. This is massive for a new amplification vector. But the numbers don’t lie. It’s possible because all the reflected packets are very large”

Mitigation:
Limit the rate of traffic or close UDP traffic on Port 11211
This is the easiest way to avoid these kind of massive attacks as the exploit code for Memcached amplification attack have been released online recently.

References:
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

Comments

Post a Comment

Popular posts from this blog

Dresscode-Android malware that can infiltrate corporate networks is spreading

-
Image
According to Trendmicro, DressCode-a family of Android malware, has been found circulating in at least 3,000 Trojanized apps. An Android malware is spreading across app stores, including Google Play, and has the capability of stealing sensitive files from corporate networks. DressCode hides itself inside games, user interface themes, and phone optimization boosters. It can also be difficult to detect because the malicious coding only makes up a small portion of the overall app. On Google Play, Trend Micro found more than 400 apps that are part of the DressCode family, it said. That's 10 times more than what security researchers at Check Point observed a month ago. Trend Micro added that one these apps on Google Play had been installed 100,000 to 500,000 times. Once installed, Dress Code's malicious coding will contact its command and control servers and receive orders from its developers. The malware is particularly dangerous because it can infiltrate whatever internet
Read more

Clickjacking leads Android ransomware to gain the administrative rights!

-
Image
What is Ransomware? Ransomware   is one type of malware which prevents or limits users from accessing their system.   File-encrypting ransomware which is also called as Cryptolocker applications that target Android devices are becoming increasingly sophisticated. One new such program is using clickjacking techniques to trick users into granting it administrator rights. What’s this Clickjacking? Clickjacking is a method that involves manipulating the UI in a way that allows attackers to hijack users' clicks and trigger unauthorized actions. It is mostly used in Web-based attacks, where various technologies allow creating invisible buttons and positioning them on top of seemingly harmless page elements. Due to the restrictive application permissions system in Android, ransomware apps targeting the OS have historically been less effective than on Windows. For example, many of the early Android ransomware threats only displayed a persistent window on the screen with an
Read more

Importance of secure SDLC

-
Image
Time does require the change. Isn’t it? We’ll talk about the importance of securely software development life cycle in this story. We all know what exactly SDLC is? SDLC stands for Software Development Life Cycle. The developers builds the applications for certain purpose. The SDLC process has got certain pre-defined phases.  Requirement Gathering: What is the purpose and what’s it going to take for building the application. Plan and Design: Plan the phases of development. Prioritize the modules and finalize the design suitable. Implementation: Start implementing the modules. Coding takes place. Testing: Test the modules which are built Deploy: Deploy the application once the application is tested properly. Maintain: Check whether the application behaves exactly in the same way it was meant to. Eliminate the vulnerabilities identified if any. This is how the traditional SDLC process works. There are certain models to accomplish the pr
Read more