
Powerful DDoS Attack Sets New Record at 1.7 Tbps

The security community is scrambling to neutralize the DDoS attack method through internet filtering and by taking the vulnerable servers off the public internet.

By Michael Kan
March 6, 2018

Last week's 1.3 terabits per second DDoS attack on GitHub is no longer the biggest on record.

On Monday, a mysterious party launched a 1.7 Tbps DDoS attack, according to the security provider Arbor Networks. The assault was directed at an unnamed "US-based service provider," which survived the sudden flood of internet traffic without disruption, Arbor Networks said.


Who was behind the assault isn't known. But the incident exploited the same attack method that struck GitHub last week. In both cases, the perpetrators amplified their DDoS attacks with online data storage systems called "memcached servers."

These servers are designed to speed up websites and internet services. However, they can also be used to magnify data packets by up to 51,000 times. When weaponized in a DDoS attack, the overwhelming amount of internet traffic can take down websites.

Making matters worse is that anyone with some technical knowledge can take advantage of these memcached servers. An estimated 100,000 have been found publicly running on the internet.

"These attacks scare internet service providers the most," said Dale Drew, chief security strategist at internet backbone provider CenturyLink. "There are very few DDoS protection providers, cloud providers with the capacity to scrub these kind of attacks."

In some good news, the security community has not yet witnessed an explosion of hackers exploiting memcached servers. According to Drew, recent attacks could be the work of only one bad actor. They probably leveraged between 6,000 and 8,000 memcached servers to deliver the 1.3 Tbps attack on GitHub last week, he said.

"We aren't sure why he doesn't use more," Drew said. "If that's all he can handle, or if he's trying to randomize the servers, and hide his activity. But we're seeing about 6,000 servers used at any given point."

CenturyLink is working with the security community to firewall and patch the vulnerable memcached servers. Thus far, they've pulled 30 to 40 percent of all memcached servers off the public internet, leaving about 60,000 online, he said.
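For operators checking their own hosts, the sketch below is an added example (not from the article, CenturyLink or the memcached project) that flags a memcached configuration able to act as an amplifier: the daemon answers UDP requests and listens on a non-loopback address. It assumes a Debian-style `memcached.conf` with one option per line; `-l` (listen address) and `-U` (UDP port, `0` disables it) are memcached's own options, while the function names and both sample files are constructed for illustration.

```python
import ipaddress
import shlex

def parse_options(conf_text):
    """Collect -l (listen), -p (TCP port) and -U (UDP port) values."""
    opts = {}
    for raw in conf_text.splitlines():
        tokens = shlex.split(raw.split("#", 1)[0])  # drop trailing comments
        for flag, value in zip(tokens, tokens[1:]):
            if flag in ("-l", "-p", "-U"):
                opts[flag] = value
    return opts

def loopback_only(listen):
    """True only if every comma-separated -l address is a loopback IP."""
    if not listen:
        return False  # no -l given: memcached listens on all interfaces
    for host in listen.split(","):
        host = host.strip().strip("[]")
        if host == "localhost":
            continue
        try:
            if not ipaddress.ip_address(host).is_loopback:
                return False
        except ValueError:
            return False  # hostname or host:port form: treat as exposed
    return True

def audit(conf_text, udp_default_on=True):
    """udp_default_on=True models releases before 1.5.6 (UDP on unless -U 0)."""
    opts = parse_options(conf_text)
    udp = int(opts["-U"]) != 0 if "-U" in opts else udp_default_on
    public = not loopback_only(opts.get("-l"))
    return {"udp_enabled": udp, "public_listen": public,
            "amplifier_risk": udp and public}

# Constructed sample files, not taken from any real host.
EXPOSED = "-m 64\n-p 11211\n-u memcache   # no -l and no -U lines\n"
HARDENED = "-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1\n-U 0\n"

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(conf))
```

Pass `udp_default_on=False` when the installed release is 1.5.6 or later, where UDP stays off unless `-U` sets a port.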

ISPs can suppress the attacks by filtering out the hacker's attempts to communicate with the memcached servers over their networks. CenturyLink and others have been starting to do this by blocking the specific commands that can trigger a memcached server to amplify a DDoS attack.

"I'm hoping to get this threat addressed within several days," Drew said. "The bad guy will then have no choice but to go for the next low-hanging fruit."

Last week's attack on GitHub also included an embedded ransom note demanding that the website pay $18,000 in a digital currency called Monero. However, the 1.7 Tbps attack on the US service provider contained no message, according to Arbor Networks.
