Massive DDOS Attacks Are Now Targeting Google, Amazon, and the NRA (pcmag.com)

PC Magazine reports: A new way to amplify DDoS attacks has been spotted harassing Google, Amazon, Pornhub and even the National Rifle Association's main website after striking Github last week. The attacks, which exploit vulnerable "memcached servers," have been trying to hose down scores of new targets with a flood of internet traffic, according to Chinese security firm Qihoo 360... Github was the first high-profile victim and suffered a 1.35 Tbps assault -- or what was then the biggest DDoS attack on record. But days later, an unnamed U.S. service provider fended off a separate assault, which measured at 1.7 Tbps. Unfortunately, the amplified DDoS attacks haven't stopped. They've gone on to strike over 7,000 unique IP addresses in the last seven days, Qihoo 360 said in a blog post... Gaming sites including Rockstargames.com, Minecraft.net, and Playstation.net have been among those hit...

The security community is also steadily addressing the linchpin to all the assaults: the vulnerable memcached servers. About 100,000 of these online storage systems were publicly exposed over a week ago. But the server owners have since patched or firewalled about 60,000 of them, Radware security researcher Daniel Smith said. That leaves 40,000 servers open to exploitation. Smith points to how the coding behind the attack technique has started to circulate online through free tools and scripts.

Meanwhile, Slashdot reader darthcamaro shares an article about "the so-called 'kill switch'" that some vendors have been debating: "The 'kill switch' was immediately obvious to everyone who worked on mitigating this DDoS attack," John Graham-Cumming, CTO of CloudFlare said. "We chose not to use or test this method because it would be unethical and likely illegal since it alters the state of a remote machine without authorization."
  • Or just malware being served as ads?

    I'm thinking google, amazon and pornhub have measures in place to prevent massive DDOS attacks.

    The NRA? probably not.

  • by Anonymous Coward

    There are enough moron administrators on the planet to make memcached ddos possible.
    Jesus wept.

    • by MrL0G1C ( 867445 )

      If admins are too lazy to configure their servers correctly after it's been all over the news for weeks that their servers are being used to DDOS other servers, then they really deserve to have those servers kicked off of the internet. 1 white hat hacker could stop all of them within an hour in this particular instance because they can all be stopped from ddos'ing with the 'flush command'.

  • by Patent Lover ( 779809 ) on Saturday March 10, 2018 @01:50PM (#56239763)

    The three pillars of society.

  • by Toad-san ( 64810 ) on Saturday March 10, 2018 @01:51PM (#56239767)

    You then deserve what you get.

    "Meanwhile, Slashdot reader darthcamaro shares an article about "the so-called 'kill switch'" that some vendors have been debating:
    "The 'kill switch' was immediately obvious to everyone who worked on mitigating this DDoS attack," John Graham-Cumming, CTO of CloudFlare said. "We chose not to use or test this method because it would be unethical and likely illegal since it alters the state of a remote machine without authorization.""

    Unethical my ass. Turn those suckers off.

    • We can consider it simply self defense.

      If a quarry nearby is storing large amount of dynamite without proper security, would we be worrying about the "possible impact on the legitimate activities of the quarry" or "punishing the quarry for the actions of the miscreants and the thieves"?

      Your server is being used by vandals. Sucks to be you. Say bye to your buffers, we are flushing them all.

      Go a step further. All public, open, unpatched servers should be given the "flush all" command every six hours.

    • by jrumney ( 197329 )
      We need to codify a right to self-defence in the laws that cover this. The kill switch as a standalone concept might be unethical and likely illegal, but when used in self defence from an attack of this magnitude it is entirely justified.
  • by Aethedor ( 973725 ) on Saturday March 10, 2018 @01:55PM (#56239785)
    We need more software that is secure by design. There is no reason to have a tool like memcached available to the entire internet. The memcached developers should have made it listen on localhost only by default. The setting to make it listen on other interfaces should be well explained in the manual, with all the risks and are-you-sure-you-want-this warnings.
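The two settings the comment above is asking for already exist as memcached command-line options: `-l <addr>` restricts the listening interface and `-U 0` turns the UDP listener off. The following audit helper is an added example, not code from this thread or from the memcached project; it parses a memcached command line (short-form options only, as they appear in `ps` output or Debian's `/etc/memcached.conf`) and reports whether the instance is bound to loopback with UDP disabled. The two sample command lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Audit a memcached command line for the two settings that keep an instance
# out of reflection/amplification abuse:
#   -l 127.0.0.1   listen on loopback only (default: every interface)
#   -U 0           disable the UDP listener entirely
# Returns 0 when both are present, 1 otherwise, and prints what is missing.
# Only the short-form options are parsed (assumption: that is how the
# process was started); "--listen=" style long options are not handled.
check_memcached_args() {
    set -- $1              # split the command line into words
    listen="all"           # memcached default: every interface
    udp="on"               # assume UDP stays on unless "-U 0" is seen
    while [ $# -gt 0 ]; do
        case "$1" in
            -l) listen="${2:-all}" ;;
            -U) if [ "${2:-}" = "0" ]; then udp="off"; fi ;;
        esac
        shift
    done
    rc=0
    case "$listen" in
        127.0.0.1|::1|localhost) ;;
        *) echo "listens on '$listen': add -l 127.0.0.1"; rc=1 ;;
    esac
    if [ "$udp" = "on" ]; then
        echo "UDP listener enabled: add -U 0"; rc=1
    fi
    return $rc
}

# Constructed sample command lines (not from a real host):
EXPOSED='/usr/bin/memcached -m 64 -p 11211 -u memcache -l 0.0.0.0'
HARDENED='/usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -U 0'

# On a real host, audit every running memcached process like this:
# ps -o args= -C memcached | while read -r line; do
#     check_memcached_args "$line" || echo "  -> $line"
# done
```

A comma-separated `-l 127.0.0.1,10.0.0.5` is reported as non-loopback, which is the intended outcome: any non-loopback binding reachable from outside the host needs a firewall rule in front of it.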
  • unsecured Memcached servers could store data - par2'd data chunks, for example, similar to a newsgroup - along with indices / torrent tracker data / etc. And since they will store keys from spoofed UDP packets, there is no good way to figure out who put the data there.

    Just saying. Better than ddoses :(
  • by SuperKendall ( 25149 ) on Saturday March 10, 2018 @02:24PM (#56239905)

    That's great they managed to patch 60k out of 100k vulnerable systems...

    But as the rest of the systems continue to degrade the internet - at some point don't you have to say, for the public good these servers have to be shut down externally?

    It's fine and dandy to say it's not justified to disable someone else's system that is unknowingly taking part in an attack. But that ignores that all companies and people that put systems on the internet have a responsibility to monitor and keep them up to date, and if they abuse that responsibility they lose the right to complain about external kill switches being activated.

    It seems like after some time if you cannot get people to be responsible, you do what you have to and maybe next time they will be more proactive about fixes.

  • I haven’t seen it described but I assume the kill switch would be to point the servers at themselves or other open servers?

    • Re:Kill switch (Score:5, Informative)

      by Zocalo ( 252965 ) on Saturday March 10, 2018 @03:48PM (#56240143) Homepage
      It's not really a kill-switch in the sense of turning the service off, so much as a temporary reset button. What it does is to send a command to memcached to drop the contents of its cache, at which point the spoofed packets of the DDoS will not actually stop outright but be considerably reduced in size and thus reduce the effective amplification factor of the attack. Unfortunately, the server would then immediately start to repopulate its cache and the amplification factor would gradually recover back to its former levels, something that could happen quite quickly for some cached databases if the underlying query rate is high enough. To effectively shut down a server, you'd need to keep sending the flush command at regular intervals - in effect launching a DoS at the server to prevent it launching a DoS at another server, so sinking to the same level as those trying to launch the DDoS.
      • Great explanation, thank you!

      • by jabuzz ( 182671 )

        Well to be fair, if you have a memcached server that is in need of patching and you are getting your cache flushed on a regular basis as a result of your server participating in a DDOS, then frankly fix your server and STFU in the meantime.

      • Re:Kill switch (Score:5, Informative)

        by sl149q ( 1537343 ) on Saturday March 10, 2018 @04:51PM (#56240279)

        Memcached implements a key-value store. The DDOS first puts a large value with a known key into the server to be exploited, then sends spoofed UDP packets to it requesting the key.

        Once you clear the cache, the server cannot be exploited again until a new key-value is stored. The exploit cannot use other data that might be on the server because it does not know what the keys are.

        A possibly safer kill-switch would simply upload a new small value for the key to any server sending you data. It will continue to send you that value instead of the much larger one loaded for the exploit. A very small (under 50 bytes?) UDP packet is better than the very large amount of data currently being sent (I think 700kbytes?) Reduces the amplification factor to close to zero.
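Both Zocalo's and sl149q's comments above come down to the same measurable quantity: the ratio of bytes a memcached server sends on UDP/11211 to the bytes it receives from the same peer. A flush or a small overwrite lowers that ratio; a freshly planted large value raises it again. The following detection routine is an added example and not code from this thread; it runs over NetFlow-style records (constructed here, labelled as such) and flags server/client pairs whose UDP/11211 byte ratio exceeds a threshold, which is how an operator would spot their own server being used as a reflector, or their own address being the spoofed "client".

```python
from collections import defaultdict

# Constructed flow records, not from a real capture:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    # Tiny spoofed "get" requests that appear to come from the victim...
    ("203.0.113.10", 40000, "198.51.100.5", 11211, "udp", 100, 6_000),
    # ...answered by the exposed memcached server with huge responses.
    ("198.51.100.5", 11211, "203.0.113.10", 40000, "udp", 100, 50_000_000),
    # Legitimate memcached traffic inside a data centre: roughly 1:1.
    ("10.0.0.2", 50100, "10.0.0.9", 11211, "udp", 40, 4_000),
    ("10.0.0.9", 11211, "10.0.0.2", 50100, "udp", 40, 6_000),
    # Unrelated traffic that must be ignored.
    ("10.0.0.2", 44444, "10.0.0.9", 443, "tcp", 200, 300_000),
]


def amplification_ratios(flows, port=11211):
    """For each (server, client) pair, bytes the server sent from UDP `port`
    divided by bytes it received on UDP `port` from that client.

    A server that sends to a client it never received from gets a ratio of
    infinity: either the request flows were not sampled, or the traffic is
    one-sided in a way that also deserves a look.
    """
    sent = defaultdict(int)
    received = defaultdict(int)
    for src, sport, dst, dport, proto, _pkts, nbytes in flows:
        if proto != "udp":
            continue
        if dport == port:            # request into the memcached port
            received[(dst, src)] += nbytes
        elif sport == port:          # response out of the memcached port
            sent[(src, dst)] += nbytes
    ratios = {}
    for pair, out_bytes in sent.items():
        in_bytes = received.get(pair, 0)
        ratios[pair] = out_bytes / in_bytes if in_bytes else float("inf")
    return ratios


def flag_amplification(flows, threshold=100.0):
    """Return sorted (server, client, ratio) triples at or above threshold.

    The threshold is a constructed starting point: normal cache traffic sits
    near 1:1, so anything in the hundreds is already abnormal.
    """
    return sorted(
        (server, client, ratio)
        for (server, client), ratio in amplification_ratios(flows).items()
        if ratio >= threshold
    )


if __name__ == "__main__":
    for server, client, ratio in flag_amplification(FLOWS):
        print(f"{server} -> {client}: amplification ~{ratio:,.0f}x")
```

Run on the constructed records it reports the single reflector pair at roughly 8,333x while the internal cache traffic (1.5x) stays quiet; in production the same routine would be fed from a flow collector and alert on the server side (you are reflecting) as well as on the client side (someone is spoofing you).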

      • Why not use the same technique to make these servers attack each other?

        That would get the attention of the admins responsible for configuring and firewalling these servers.
        (Same for spoofed origin BGP and other amplification attacks too)

        I wonder if admins get paid to leave these servers misconfigured / accessible for these attacks. Plausible deniability and all that. Maybe you could slow certain fiber links enough to profit when doing High Frequency Trading on the worldwide stock exchanges? That would be wo

  • What? They're harassing PornHub?
    Why won't someone think of the ... uh... nevermind...
