A 1.3 Tbps DDoS attack – essentially a massive torrent of data aimed at a single target – nearly took down network provider Akamai on March 1. While the attack itself is notable, more interesting is what was hidden inside it.
The attack abused memcached, a legitimate caching service that runs on many servers. The service accepts data over the User Datagram Protocol (UDP) without authenticating the source, and if you can spoof the source address you can easily overwhelm a target. In fact, writes Brian Krebs, “most popular DDoS tactics that abuse UDP connections can amplify the attack traffic 10 or 20 times — allowing, for example a 1 mb file request to generate a response that includes between 10mb and 20mb of traffic.”
“This attack was the largest attack seen to date by Akamai, more than twice the size of the September, 2016 attacks that announced the Mirai botnet and possibly the largest DDoS attack publicly disclosed,” wrote Akamai. “Because of memcached reflection capabilities, it is highly likely that this record attack will not be the biggest for long.”
Within the attack, however, security researchers found a 1MB file that contained a ransom request and a Monero cryptocurrency address. In other words, built into the attack payload was an extortion request.
In short, not only did the attackers slam servers with massive amounts of data, their targets were asked – millions if not billions of times – to pay extortion fees to stop the attack.
It’s a clever new tactic in which the message becomes the ammunition for the attack. Security researchers at Cybereason created a video showing the files that memcached receives from the spoofed servers. Major backbone admins are working on a fix for this pernicious problem.
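The reflection mechanism described above, and the fix that backbone and server admins are chasing, can both be made concrete from the defender's side. The following is an added example, not code from the article or from Akamai, Cybereason or the memcached project: it takes a handful of constructed UDP flow records (the addresses, ports and byte counts are made up for illustration) and computes, per server and peer, how many bytes the service returned for every byte the peer sent. A peer receiving tens of thousands of times more than it "asked for" is almost certainly having its address spoofed. The second function checks a memcached command line for the two settings that close the hole, `-U 0` (disable the UDP listener) and `-l 127.0.0.1` (bind to loopback), which are real memcached options; the example assumes UDP is on by default, as older memcached releases shipped it.

```python
"""Added example: flag UDP reflection/amplification in flow records and check
memcached listener settings. All flow records below are constructed samples."""
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# Two exposed memcached servers (10.0.0.5, 10.0.0.6) receive tiny requests that
# carry the victim's spoofed address (203.0.113.10) and answer it with large
# responses. A real LAN client (10.0.0.20) is included for contrast.
FLOWS = [
    ("203.0.113.10", 40000, "10.0.0.5", 11211, "udp", 15),
    ("10.0.0.5", 11211, "203.0.113.10", 40000, "udp", 1_400_000),
    ("203.0.113.10", 40001, "10.0.0.6", 11211, "udp", 15),
    ("10.0.0.6", 11211, "203.0.113.10", 40001, "udp", 900_000),
    ("10.0.0.20", 50000, "10.0.0.5", 11211, "udp", 60),
    ("10.0.0.5", 11211, "10.0.0.20", 50000, "udp", 120),
]


def amplification_by_peer(flows, service_port=MEMCACHED_PORT):
    """Return {(server, peer): ratio}: bytes the service sent to the peer
    divided by bytes the peer sent to the service. A huge ratio means the
    peer is receiving far more than it requested, which is what a reflection
    victim sees when its address is spoofed in the requests."""
    into_service = defaultdict(int)   # (server, peer) -> request bytes
    out_of_service = defaultdict(int)  # (server, peer) -> response bytes
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == service_port:
            into_service[(dst, src)] += nbytes
        elif sport == service_port:
            out_of_service[(src, dst)] += nbytes
    ratios = {}
    for key, out_bytes in out_of_service.items():
        in_bytes = into_service.get(key, 0)
        ratios[key] = out_bytes / in_bytes if in_bytes else float("inf")
    return ratios


def flag_reflection(flows, threshold=50.0):
    """Map each suspected victim to the sorted list of servers reflecting
    traffic at it. The threshold is far above any normal request/response
    asymmetry for a cache, so legitimate clients are not flagged."""
    victims = defaultdict(list)
    for (server, peer), ratio in amplification_by_peer(flows).items():
        if ratio >= threshold:
            victims[peer].append(server)
    return {peer: sorted(servers) for peer, servers in victims.items()}


def memcached_udp_exposed(argv):
    """True if this memcached command line would answer UDP from non-loopback
    addresses. '-U 0' turns the UDP listener off; '-l 127.0.0.1' keeps the
    daemon off public interfaces. Assumes the old default of UDP on 11211."""
    udp_port, listen = 11211, None
    args = list(argv)
    for i, arg in enumerate(args):
        if arg == "-U" and i + 1 < len(args):
            udp_port = int(args[i + 1])
        elif arg.startswith("-U") and len(arg) > 2:   # attached form: -U0
            udp_port = int(arg[2:])
        elif arg == "-l" and i + 1 < len(args):
            listen = args[i + 1]
        elif arg.startswith("-l") and len(arg) > 2:   # attached form: -l127.0.0.1
            listen = arg[2:]
    if udp_port == 0:
        return False
    return listen not in ("127.0.0.1", "::1", "localhost")


if __name__ == "__main__":
    for victim, reflectors in flag_reflection(FLOWS).items():
        print(f"{victim} is being reflected at by {', '.join(reflectors)}")
    print("exposed:", memcached_udp_exposed(["memcached", "-m", "64"]))
    print("exposed:", memcached_udp_exposed(["memcached", "-U", "0"]))
```

Run as a script it names the spoofed victim and the two reflectors, then reports the default command line as exposed and the `-U 0` one as safe. In production the flow records would come from NetFlow/sFlow or firewall logs, and the ratio check belongs on the server side of the service port, where it catches your own hosts being used as reflectors before the upstream provider calls.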