- May 07, 2018
While it hasn’t received as much conventional press as, say, the Equifax data breach, there was recently a significant event that took place on the Internet. A service called Memcached, which allows chunks of data to be shared between websites, is or was vulnerable to being misused to send large amounts of data to unsuspecting targets. One of these targets was Github, though there were others that have not been named. What made these attacks so significant is their sheer volume. According to Arbor Networks–a company that has made denial of service attack protection their life’s work for more than 20 years–one of their customers received roughly 1.7 terabits per second of attack traffic.
Think about that for a second. Let’s say that you have a fairly conventional 100 megabits per second connection to the Internet at home. It would take you 17,000 seconds to transmit the same amount of data and that’s assuming you had 100 megabits per second outbound at home (you likely don’t) and you were able to saturate the connection. It would take you nearly 5 hours to send that same amount of traffic that it took just a second to push out.
How does this happen? This was an amplification attack, which means the attacker sends a very small amount of data to one place and that place responds with something much, much larger to someone else. Let’s say that Bob wanted to attack Edgar. He sends a box that weighed 1 pound to Alice (using common Internet naming conventions, Alice and Bob regularly do things with each other). However, he tells Alice that the box came from Edgar. As a result, Alice sends a box weighing 15,000 pounds to Edgar. Edgar won’t be able to get that box through his front door. Let’s also say that not only Bob is sending these boxes to Alice to go to Edgar, but Charlie, Fred and Daniel are in on the act too. That’s suddenly several very large boxes
Now back to the recent incident. Some researchers have indicated the amplification rate for the service used isn’t 15,000 as in our example but instead, more like 52,000. What was already a lot of very large, very heavy boxes is suddenly increased by a factor of 3-4x.
The problem here comes, in part, because the developers used the user datagram protocol (UDP). UDP is often used where a lack of overhead is considered a useful feature. Because there is no actual connection between the system sending and the one receiving — the data is just sent, sort of like if you were to start talking into an intercom without having any idea if the person on the other end of the intercom was there — the data can be sent faster, theoretically. When developers use UDP for transmission, they expect that the messages they are sending will never be checked to ensure arrival. They also don’t check to see if the receiving party is at home.
Not checking to see if the receiving party is home allows attackers to use UDP. UDP is an easy protocol to launch spoofing attacks with because there is never any check to see whether the sending address is correct. That allows Bob to send a message to Alice saying he is Edgar. Alice assumes the sending address is correct and so responds to that address. There is no checking by anyone for address validity and veracity.
Any service that listens for messages on the open Internet (meaning there are no or few restrictions on who can send messages in) that doesn’t do some form of validation and verification, is exposing others on the Internet to attack. This is why cybersecurity is everyone’s problem and why cybersecurity awareness is so critical.
The people responsible for these attacks are not the attackers. They are the developers who didn’t consider the potential for misuse and abuse of their service. They are the system administrators who stood up servers running this service without considering the potential for bad people on the Internet who misuse and abuse servers to cause problems for other people and businesses. The servers that were misused and abused were not owned by the attacker. They were owned and maintained by legitimate businesses.
If developers and administrators (not to mention executives who should be expected to sign off on these sorts of decisions), continue to make bad choices because they are not aware of the security implications of their actions, people and businesses will continue to be exposed to these overwhelming amplification attacks. When businesses can’t respond quickly enough to shut down their servers that are being abused and misused, other businesses will continue to have to pay their price for the lack of education, awareness and caring about the welfare of these other people and companies.