How to break the Memcached DDoS reflection attack with a magnification over 50,000 times?

How to break the Memcached DDoS reflection attack with a magnification over 50,000 times?

Welcome everyone to Tencent Cloud + community to get more Tencent's massive technical practice dry goods~

Author: Tencent game cloud

Background: Memcached attack creates DDoS attack traffic record

Recently, incidents of using Memcached servers to implement reflective DDoS attacks are on the rise. The DDoS attack traffic passed T for the first time, triggering a enthusiastic response from the industry. Now Tencent Game Cloud looks back the entire incident as follows:

Looking back on February 27th, Cloudflare and Arbor Networks issued a warning on Tuesday that malicious attackers were abusing the Memcached protocol to launch a distributed denial of service (DDoS) amplification attack, and many servers worldwide (including Arbor Networks) were affected. The following picture shows the detected attack situation of Memcached.

Just one day later, 1.35 Tbps attack traffic appeared, refreshing the historical record of DDoS attacks.

On Wednesday afternoon, US Eastern Time, GitHub revealed that it may have suffered the strongest DDoS attack in history. Experts said that the attacker used a new method of amplifying the attack, Memcached reflection attack, and a larger distributed denial of service (DDoS) may occur in the future. attack. The first peak traffic attack on the GitHub platform reached 1.35 Tbps, followed by another peak of 400 Gbps, which may also become the strongest DDoS attack currently recorded . The previous data was 1.1 Tbps.

According to news from CNCERT on March 3, monitoring found that the Memcached reflection attack peaked at 1.94 Tbps at around 2:30 am on March 1, Beijing time.

Tencent Cloud captures multiple Memcached reflective DDoS attacks

As of March 6, Tencent Cloud has captured many reflection-type DDoS attacks initiated by Memcached. The main targets of attacks include games, portals and other businesses.

Tencent Cloud data monitoring shows that the Memcached reflection attack launched by the black industry against Tencent Cloud's business entered an active period from February 21st, and reached an active peak on March 1st. The number of attacks subsequently decreased significantly, and it reappeared on March 5th. Attack peak. The attack situation is shown in the figure below:

The following picture shows a sample of the Memcached reflection DDoS attack captured by Tencent Cloud:

The number of Memcached reflection sources captured by Tencent Cloud is 22511 **. **The source distribution of Memcached reflection sources is shown in the figure below:

Under the protection of Tencent Cloud's Aegis security system, Tencent Cloud's business will not be affected by Memcached reflection DDoS attacks.

So, what is Memcached reflection attack?

Generally speaking, we will divide DDoS into SYN Flood, ACK Flood, UDP Flood, NTP Flood, SSDP Flood, DNS Flood, HTTP Flood, ICMP Flood, CC and other types of attacks according to the different types of protocols and attack methods targeted. .

The history of DDoS attacks can be traced back to the 1990s, and the reflective DDoS attack is a more ingenious type of DDoS attack. **The attacker does not directly attack the target service IP, but sends a request message to the server that opens some special services by forging the IP of the attacked person. The server will send the reply data several times the request message To that forged IP (that is, the target service IP), so as to achieve the effect of hitting the bull on the mountain and making a big deal of money. The Memcached reflection attack is more popular with attackers because of its magnification of tens of thousands of times.

Memcached reflection attack is to initiate a large number of requests by the attacker to fake the victim's IP to the Memcached service that can be used on the Internet, and Memcached responds to the request. A large number of response messages converge to the forged IP address source, forming a reflection-type distributed denial of service attack.

Why does it cause such a big threat?

According to members of the Tencent Cloud Aegis security team, the DDoS threats we have faced in the past, such as NTP and SSDP reflection attacks, are generally between 30 and 50. The magnification of Memcached is in units of 10,000, and the general magnification is close to 5. 10.thousand times, and the possibility that this multiple will continue to be enlarged cannot be ruled out. Using this feature, an attacker can launch a DDoS attack with huge traffic with very little bandwidth.

Safe construction needs to take precautions

As early as when Memcached reflective DDoS attack methods were used to test the business of Goose Factory, Tencent Cloud had already sensed the risks and deployed them in advance. This round of DDoS attacks initiated by hackers based on Memcached reflection have been successfully defended against them. ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

At the same time, after capturing the Memcached attack, Tencent Cloud promptly assists business customers in self-examination, and provides monitoring and repair suggestions to ensure that users' servers are not used to initiate DDoS attacks.

Security Recommendations for Dealing with Large Traffic DDoS Attacks

DDoS attacks have become more and more intense, constantly refreshing attack traffic records, and facing large traffic attacks exceeding Tbps. The Tencent Cloud Aegis security product team recommends that users do the following responses:

1. Need to strengthen the focus on reflective UDP attacks and improve risk awareness

Reflective UDP attacks account for half of DDoS attacks. According to the 2017 Tencent Cloud Game Industry DDoS Attack Situation Report, reflective UDP attacks accounted for 55% of DDoS attacks in 2017, and this type of attack needs to be focused on.

The Memcached reflection attack appears as a relatively new form of reflection UDP attack, which brings huge security risks. It requires the industry to continue to pay attention to Internet security trends, improve risk awareness, and make strategic responses. Perform necessary drills when there is an outbreak of threats in the industry.

2. To deal with the threat of over-traffic attacks, it is recommended to connect to Tencent Cloud's ultra-large-capacity and high-defense products

Responding to the escalating risk of DDoS attacks. It is recommended to configure Tencent Cloud's ultra-large-capacity high-defense products to hide the source site IP. Use high-defense IP and sufficient bandwidth resources to deal with possible large-flow attacks, and formulate personalized protection strategies based on business characteristics. Only when DDoS attacks can ensure business availability and deal with it calmly. When facing high-level DDoS threats, upgrade the protection configuration in time, and request expert services from DDoS protection vendors when necessary.

Learn about Tencent Cloud's ultra-large-capacity and high-defense products:

3. Industries that are vulnerable to large traffic attacks need to strengthen prevention

Industries such as portals, finance, and games that were vulnerable to black production in previous years need to strengthen prevention, and businesses with weak DDoS protection capabilities such as the government need to be vigilant against large traffic attacks.

Risks have often appeared. Once they are ignited by the black spring breeze, without protection, a prairie fire will ignite.

Reference link:

Related Reading

Introduction to Unity Engine and C# Script

Research on Video Chat Based on Tencent Cloud

IOS WeChat memory monitoring

This article has been authorized by the author to publish it by Tencent Cloud + community, please indicate the source of the article

Original link: