Researchers identify extortion as motive behind memcached DDoS attacks

News by Bradley Barth

The adversaries who have been abusing exposed memcached servers to launch amplified distributed denial of service attacks have been including a ransom note amidst their flood of malicious packets, according to researchers.

The adversaries who have been abusing exposed memcached servers to launch amplified distributed denial of service attacks have been including a ransom note amidst their flood of malicious packets, according to researchers from Cybereason who now suspect the actors' true motivation is extortion.

According to a 2 March company blog post, the ransom note demands a payment of 50 Monero coins (XMR). The note, written in a line of Python code and repeated many times, is one gigabyte in size, suggesting that the attackers "wanted to get their message across," Cybereason reported. As of roughly noon ET on 5 March, 50 Monero was worth approximately US$ 18,500 (£13,302).

Since late February, several research groups have been warning of a notable uptick in memcached-based DDoS attacks, which can amplify malicious traffic by a factor of tens of thousands. The most notable attack so far took place last Wednesday, 28 February, against GitHub, which largely withstood the record 1.35 Tbps barrage, but experienced service disruptions for about nine minutes. Cybereason said it is unknown if GitHub or any organisations have paid the ransom.

"...Using a short attack to quickly knock companies offline can greatly benefit attackers," the Cybereason post continued. "If sites can be taken down in such a brief amount of time, companies could be more inclined to pay the ransom (assuming it remains reasonable) instead of dealing with the more substantial fallout from a longer amplification DDoS attack."

Akamai Technologies, GitHub's content delivery network, mitigated the attack by filtering all traffic sourced from UDP port 11211, which is the default port that memcached servers use to communicate. A 1 March blog post from Imperva reported that there are over 93,000 misconfigured memcached servers worldwide, listening on port 11211. Security experts are now reportedly recommending that server operators, ISPs and web hosting providers block or filter this port.
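The filter described above (drop or flag UDP traffic whose source port is 11211) is easy to express against flow records. The script below is an added example, not code from the article, Akamai or Cybereason; the flow-record format, the sample lines and the protected prefix 198.51.100.0/24 are constructed for illustration.

```python
"""Flag inbound UDP flows sourced from port 11211 (memcached) in flow records."""
import ipaddress
from collections import defaultdict

MEMCACHED_PORT = 11211  # default memcached port named in the article

# Constructed sample flow records:
#   proto src_ip:src_port dst_ip:dst_port bytes packets
SAMPLE_FLOWS = """\
udp 203.0.113.10:11211 198.51.100.5:443 52000000 40000
udp 203.0.113.11:11211 198.51.100.5:443 48000000 37000
tcp 203.0.113.12:11211 198.51.100.5:443 1500 10
udp 203.0.113.13:53 198.51.100.5:33000 512 1
udp 198.51.100.20:11211 203.0.113.40:5000 1000 1
udp 203.0.113.14:11211 198.51.100.6:80 30000000 25000
"""

# Assumed: the address space we are defending.
PROTECTED = ipaddress.ip_network("198.51.100.0/24")


def parse_flow(line):
    """Split one constructed flow record into a dict of typed fields."""
    proto, src, dst, nbytes, npkts = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "bytes": int(nbytes), "packets": int(npkts)}


def is_memcached_reflection(flow):
    """The filter Akamai applied: UDP, source port 11211, inbound to our prefix."""
    return (flow["proto"] == "udp"
            and flow["src_port"] == MEMCACHED_PORT
            and ipaddress.ip_address(flow["dst_ip"]) in PROTECTED)


def summarise(text):
    """Return (bytes per targeted host, sorted reflector IPs) for matching flows."""
    per_victim = defaultdict(int)
    reflectors = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_memcached_reflection(flow):
            per_victim[flow["dst_ip"]] += flow["bytes"]
            reflectors.add(flow["src_ip"])
    return dict(per_victim), sorted(reflectors)


if __name__ == "__main__":
    victims, reflectors = summarise(SAMPLE_FLOWS)
    for host, total in sorted(victims.items(), key=lambda kv: -kv[1]):
        print(f"{host}: {total / 1e6:.1f} MB from port 11211")
    print("reflectors:", ", ".join(reflectors))
```

The TCP flow and the DNS flow are left alone, and the outbound flow from 198.51.100.20:11211 is not counted as an attack on us, though it is worth a separate look because it suggests one of our own memcached servers is answering UDP requests from the internet.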

In its own 1 March post, Akamai warned that since Monday, 27 February "many other organisations have experienced similar reflection attacks, and we predict many more, potentially larger attacks in the near future," adding that its researchers have observed a "marked increase in scanning for open memcached servers." 

As of approximately 12:30 pm ET (05:30 pm) on 3 March, US-based targets have been victimised by memcached server DDoS attacks 2,661 times, according to DDoS monitoring site DDoS Mon. China has seen the next highest number of attacks -- 1,000.
