A global warning has been issued about large-scale DDoS (Distributed Denial of Service) attacks that surpass 1Tbps. Many South Korean businesses are currently defenseless against such attacks. Cyber criminals are demanding ransoms by threatening businesses' services with large-scale DDoS attacks.
‘GitHub’, a platform for developers, was recently hit by a DDoS attack that reached 1.36Tbps. An American company was also recently hit by a 1.7Tbps DDoS attack, which is stronger than the ‘Mirai Botnet’ DDoS that paralyzed the internet in North America in 2016. A cyber criminal threatened GitHub with a DDoS attack and demanded 50 Monero ($15,000).
South Korea is also not safe from large-scale DDoS attacks. Hackers are using a new DDoS reflection method that exploits weaknesses in memcached servers. This method is also called memcached DRDoS (Distributed Reflection DoS). Previous DDoS attacks created zombie PCs and focused their traffic on a target all at once. Memcached DRDoS, however, amplifies normal responses to paralyze services. It is very difficult to trace and respond to such an attack.
Memcached DRDoS is a UDP (User Datagram Protocol) reflection attack that abuses memcached servers. Memcached is popular open source software used as a distributed memory caching system. Memcached servers are not meant to be connected to the internet, as they have no authentication process. However, they have been abused for DDoS as the number of memcached servers connected to the internet has been rising. Requests of a few bytes, sent to memcached servers with the target's IP address as their source, induce responses that are 10,000 times larger than the requests, and these responses cause powerful DDoS attacks.
When GitHub was attacked, someone published lists of vulnerable memcached servers and the tools used in the attack on the internet. It is only a matter of time before other hackers use such information to threaten other large sites.
According to Akamai, more than 90,000 systems are exposed to DRDoS attacks. The Hacker News reported that two tools used for memcached DRDoS attacks were made public on the internet. The first tool is written in C and includes 17,000 vulnerable memcached servers that are exposed on the internet. The second tool is written in Python and downloads a list of vulnerable servers by using the API of a search engine called Shodan.
To counter memcached DRDoS attacks, one needs to disconnect memcached servers from the internet, deactivate UDP support, and upgrade to a recent server version (1.5.6). Corero Network Security found a DRDoS ‘kill switch’ that utilizes memcached servers. DRDoS attacks can be prevented by repeatedly sending commands such as shutdown\r\n or flush_all\r\n to memcached servers that are being attacked.
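The three countermeasures above can be checked against a server's own start-up options. The following is an added example, not part of the original article: it assumes memcached's short options -l (listen address) and -U (UDP port, 0 disables it), plain dotted version strings, and the defaults of listening on all interfaces and of UDP being on before 1.5.6; the function name and finding codes are hypothetical.

```python
import ipaddress
import shlex

FIXED = (1, 5, 6)  # release named in the article; UDP is off by default from here on

def _is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unknown hostname: assume it is reachable from outside

def audit_memcached(cmdline, version):
    """Return finding codes for one memcached instance (empty list = none)."""
    ver = tuple(int(p) for p in version.split(".")[:3])
    args = shlex.split(cmdline)[1:]
    udp_port, listen = None, []
    i = 0
    while i < len(args):
        flag, value = args[i][:2], args[i][2:]
        if flag in ("-U", "-l"):
            if not value and i + 1 < len(args):  # "-U 0" form; "-U0" is already split
                i += 1
                value = args[i]
            if flag == "-U":
                udp_port = int(value)
            else:
                listen += [a for a in value.split(",") if a]
        i += 1
    # Without -U, UDP follows the version default; without -l, all interfaces.
    udp_on = udp_port != 0 if udp_port is not None else ver < FIXED
    exposed = not listen or not all(_is_loopback(a) for a in listen)
    checks = [(ver < FIXED, "upgrade-to-1.5.6-or-later"),
              (udp_on, "udp-enabled"),
              (exposed, "listens-beyond-loopback"),
              (udp_on and exposed, "usable-as-udp-reflector")]
    return [code for hit, code in checks if hit]

# Constructed sample instances (not taken from the article)
SAMPLES = [
    ("memcached -u memcache -m 64 -p 11211", "1.4.25"),
    ("memcached -u memcache -l 127.0.0.1 -U 0", "1.5.6"),
    ("memcached -l 0.0.0.0 -U 11211", "1.5.6"),
]

if __name__ == "__main__":
    for cmd, ver in SAMPLES:
        print(ver, cmd, "->", audit_memcached(cmd, ver) or "ok")
```

An instance is only reported as a usable reflector when UDP is on and the listen address is not loopback-only, which is why the second sample comes back clean.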
“The number of memcached DRDoS attacks has been rising,” said Director In Seung-jin of Akamai Korea. “It is urgent to prepare solutions as it is difficult to trace the corresponding hackers and the damage is huge.”
Staff Reporter Kim, Insoon | insoon@etnews.com