Slashdot Mirror
Massive DDOS Attacks Are Now Targeting Google, Amazon, and the NRA (pcmag.com)
PC Magazine reports:
A new way to amplify DDoS attacks has been spotted harassing Google, Amazon, Pornhub and even the National Rifle Association's main website after striking Github last week. The attacks, which exploit vulnerable "memcached servers," have been trying to hose down scores of new targets with a flood of internet traffic, according to Chinese security firm Qihoo 360... Github was the first high-profile victim and suffered a 1.35 Tbps assault -- or what was then the biggest DDoS attack on record. But days later, an unnamed U.S. service provider fended off a separate assault, which measured at 1.7 Tbps. Unfortunately, the amplified DDoS attacks haven't stopped. They've gone on to strike over 7,000 unique IP addresses in the last seven days, Qihoo 360 said in a blog post... Gaming sites including Rockstargames.com, Minecraft.net, and Playstation.net have been among those hit...
The security community is also steadily addressing the linchpin to all the assaults: the vulnerable memcached servers. About 100,000 of these online storage systems were publicly exposed over a week ago. But the server owners have since patched or firewalled about 60,000 of them, Radware security researcher Daniel Smith said. That leaves 40,000 servers open to exploitation. Smith points to how the coding behind the attack technique has started to circulate online through free tools and scripts.
Meanwhile, Slashdot reader darthcamaro shares an article about "the so-call 'kill switch'" that some vendors have been debating: "The 'kill switch' was immediately obvious to everyone who worked on mitigating this DDoS attack," John Graham-Cumming, CTO of CloudFlare said. "We chose not to use or test this method because it would be unethical and likely illegal since it alters the state of a remote machine without authorization."
The security community is also steadily addressing the linchpin to all the assaults: the vulnerable memcached servers. About 100,000 of these online storage systems were publicly exposed over a week ago. But the server owners have since patched or firewalled about 60,000 of them, Radware security researcher Daniel Smith said. That leaves 40,000 servers open to exploitation. Smith points to how the coding behind the attack technique has started to circulate online through free tools and scripts.
Meanwhile, Slashdot reader darthcamaro shares an article about "the so-call 'kill switch'" that some vendors have been debating: "The 'kill switch' was immediately obvious to everyone who worked on mitigating this DDoS attack," John Graham-Cumming, CTO of CloudFlare said. "We chose not to use or test this method because it would be unethical and likely illegal since it alters the state of a remote machine without authorization."
The three pillars of society.
We need more software that are secure by design. There is no reason to have a tool like memcached available for the entire internet. The memcached developers should have made it listen to localhost only by default. The setting to make it listen to other interfaces should be well explained in the manual, with all the risks and are-you-sure-you-want-this warnings.
It doesn't have to be like this. All we need to do is make sure we keep talking.
Why would anyone target The NRA? Seems really suspicious.
It stokes up conflict among the pro-Second Amendment camps and ant-Second Amendment camps internally in the USA, and generally weakens democracy there. The right will blame it on the left, and they will all get into a massive huff over it.
International shits & giggles.
Why would anyone target Amazon, Google or Pornhub . . . ?
Why not, if someone else is footing the bill to disrupt the Internet.
Now who could that someone be . . . ?
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
Why would anyone target The NRA? Seems really suspicious.
Maybe because they oppose net neutrality?
https://www.reuters.com/articl...
"She's furniture with a pulse"
It's not really a kill-switch in the sense of turning the service off, so much as a temporary reset button. What it does is to send a command to memcached to drop the contents of its cache, at which point the spoofed packets of the DDoS will not actually stop outright but be considerably be reduced in size and thus reduce the effective amplification factor of the attack. Unfortunately, the server would then immediately start to repopulate its cache and the amplification factor would gradually recover back to its former levels, something that could happen quite quickly for some cached databases if the underlying query rate is high enough. To effectively shutdown a server, you'd need to keep sending the flush command at regular intervals - in effect launching a DoS at the server to prevent it launching a DoS at another server, so sinking to the same level as those trying to launch the DDoS.
UNIX? They're not even circumcised! Savages!
Memcached implements a key-value store. The DDOS first put a large value with a known key into the server to be exploited, then sends spoofed UDP packets to it requesting the key.
Once you clear the cache, the server cannot be exploited again until a new key-value is stored. The exploit cannot use other data that might be on the server because it does not know what the keys are.
A possibly safer kill-switch would simply upload a new small value for the key to any server sending you data. It will continue to send you that value instead of the much larger one loaded for the exploit. A very small (under 50 bytes?) UDP packet is better than the very large amount of data currently being sent (I think 700kbytes?) Reduces the amplification factor to close to zero.