Memcache UDP Reflection Amplification Attack II: The Targets, the Sources and Breakdowns

In less than ten days, the Memcache DDoS attack has come out of nowhere and captured a great deal of attention within the security community. Looking at the news, we see all sorts of reports but can hardly get a clear picture of the real situation, starting with the most important questions: how many victims are out there, and how big is the attack army?

Our team has been running the free DDoSMon platform for quite some time, and with the massive amount of network data it collects we have good visibility into the DDoS world. In this blog we share our insights.

The General Trend

In our previous blog we mentioned that there had been hardly any Memcache DDoS attacks in the 9 months since our 360 0kee team publicly disclosed this vulnerability. Since 2018-02-24, however, the frequency of attacks has increased dramatically, as shown in the following two figures:

We can roughly divide this period into the following stages:

  • Prior to 2018-02-24: fewer than 50 attacks per day on average.
  • Stage 1, 02-24 ~ 02-28: an average of 372 attacks per day.
  • Stage 2, 03-01 ~ 03-05: an average of 1938 attacks per day.
  • 03-08: 721 attacks had already taken place by the time of writing, with 12 more hours of the day to go.

The figure above shows the number of daily active reflectors, that is, memcache servers that actually participated in real attacks. After the rapid growth on Feb 24, 2018, the number of daily active reflectors has been stable.

We also ran a live test against the 15k active reflectors seen on Mar 07. Roughly 15% of them responded to the "stats" command we sent, and so were confirmed to be able to take part in actual attacks.

A ratio of 15% looks a bit low. More tests are needed to understand the situation.

GitHub attacks

In the past ten days quite a few popular websites have become victims of this DDoS attack. For example, GitHub suffered a DDoS attack around Feb 28 17:20 UTC in which the peak traffic reached 1.35 Tbps, according to Akamai and GitHub.

Correspondingly, our DDoSMon platform observed two attacks against GitHub; the former is the one publicly documented.

  • Victim IP: 192.30.252.113
  • Occurred at: 2018-03-01 14:26:22 GMT+8 and 2018-03-02 01:13:44 GMT+8 respectively
  • Source port: UDP 11211
  • Attack type: tagged as "udp@attack@amp_flood_target-MEMCACHE"

All these technical features are consistent with GitHub's public write-up.
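The features listed above (UDP, source port 11211, many reflectors converging on one target, large datagrams) are what a flow-based detector keys on. The code below is an added example for this page, not DDoSMon's own tagging logic, which the post does not describe: it walks NetFlow-style records, groups UDP flows whose source port is 11211 by destination, and flags a destination once enough distinct reflectors with amplified-size datagrams hit it inside a time window. The record layout, thresholds and the sample flows (RFC 5737 / RFC 1918 addresses) are constructed for the illustration.

```python
"""Flag memcached reflection floods in flow records (NetFlow/sFlow-style tuples).

Signature: UDP flows whose *source* port is 11211, converging on one
destination from many distinct hosts, each carrying large datagrams
(memcached replies fragment into roughly 1400-byte datagrams). A legitimate
client talking to its own cache shows the reverse: destination port 11211,
one peer, small replies.
"""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211


@dataclass(frozen=True)
class Flow:
    ts: float      # flow start, seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "udp" or "tcp"
    octets: int    # bytes in the flow
    packets: int


def detect_memcached_amp(flows, window_s=60.0, min_reflectors=5, min_avg_dgram=500):
    """Return {victim_ip: summary} for every destination that, inside some
    window_s-second window, received UDP/11211-sourced flows from at least
    min_reflectors distinct hosts averaging at least min_avg_dgram bytes per
    packet. For each victim the heaviest qualifying window is kept."""
    by_dst = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.sport == MEMCACHED_PORT:
            by_dst[f.dst].append(f)

    hits = {}
    for dst, fl in by_dst.items():
        fl.sort(key=lambda f: f.ts)
        lo = 0
        for hi in range(len(fl)):
            # slide the window start forward until it spans at most window_s
            while fl[hi].ts - fl[lo].ts > window_s:
                lo += 1
            win = fl[lo:hi + 1]
            reflectors = {f.src for f in win}
            total_octets = sum(f.octets for f in win)
            total_pkts = sum(f.packets for f in win)
            avg_dgram = total_octets / total_pkts if total_pkts else 0
            if len(reflectors) >= min_reflectors and avg_dgram >= min_avg_dgram:
                prev = hits.get(dst)
                if prev is None or total_octets > prev["octets"]:
                    hits[dst] = {
                        "label": "udp_amp_flood/memcached",  # our own tag, not DDoSMon's
                        "reflectors": len(reflectors),
                        "octets": total_octets,
                        "avg_dgram": round(avg_dgram),
                        "start": fl[lo].ts,
                        "end": fl[hi].ts,
                    }
    return hits


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = (
    # eight reflectors replying from UDP/11211 to one victim within 30 seconds
    [Flow(10.0 + i, f"198.51.100.{i}", MEMCACHED_PORT, "203.0.113.10", 40000 + i,
          "udp", 1400 * 50, 50) for i in range(8)]
    # an ordinary client and its own cache: destination port 11211, tiny reply
    + [Flow(12.0, "10.0.0.5", 53210, "10.0.0.20", MEMCACHED_PORT, "udp", 64, 1),
       Flow(12.0, "10.0.0.20", MEMCACHED_PORT, "10.0.0.5", 53210, "udp", 120, 1)]
    # a single reflector hitting another host: too few sources to call a flood
    + [Flow(40.0, "198.51.100.99", MEMCACHED_PORT, "203.0.113.77", 443, "udp", 1400 * 50, 50)]
)

if __name__ == "__main__":
    for victim, info in detect_memcached_amp(SAMPLE_FLOWS).items():
        print(f"{victim}: {info['label']} from {info['reflectors']} reflectors, "
              f"{info['octets']} bytes, avg datagram {info['avg_dgram']} B")
```

The average-datagram check is what separates a reflection flood from a busy but legitimate memcached server answering many clients from port 11211: replies to real "get" traffic are small, while the reflected "stats" output runs to full-size datagrams. Tune the reflector count to your sensor's sampling rate; with 1:1000 sampling, five distinct sources in a minute already implies thousands on the wire.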

Next, let's look at the most recent 7 days of DDoSMon data for a detailed breakdown.

The Targets

In just 7 days, our DDoSMon platform logged:

  • 10k attack events
  • 7131 unique victim IP addresses

To make the result more readable, we use our PDNS system to map the victim IPs back to their DNS names. Of these, 981 (13%) have recently (within a week) resolved domain names, and 1.5k (22%) have historically had domain names.

For all the targets above that have DNS names, we checked the Alexa top 1M domain list and our Float top 1M to generate two lists. (Float is our internal domain popularity ranking system, focused mainly on visits from China.)

Here is a snip for Alexa. (Please bear in mind that we use the most recent PDNS records to map the IPs, and that we keep only the SLD, not the whole FQDN, so an attack against a.com most likely means an attack against a subdomain such as zyx.a.com, not necessarily a.com itself.)

target_ip         rank   sld
59.37.97.93       9      qq.com
182.254.79.46     9      qq.com
36.110.213.82     21     360.cn
216.18.168.16     32     pornhub.com
192.30.255.113    74     github.com
192.30.253.125    74     github.com
192.30.253.113    74     github.com
192.30.253.112    74     github.com
151.101.128.84    80     pinterest.com
104.155.208.139   112    googleusercontent.com

Snip for Float:

target_ip         rank   fqdn
115.239.211.112   12     www.a.shifen.com
182.254.79.46     21     mp.weixin.qq.com
59.37.97.93       464    pingma.qq.com
114.80.223.177    587    interface.hdslb.net
47.91.19.168      587    interface.hdslb.net
222.186.35.81     587    interface.hdslb.net
114.80.223.172    587    interface.hdslb.net
140.205.32.8      867    sh.wagbridge.aliyun.com.gds.alibabadns.com
114.80.223.177    1052   bilibili.hdslb.net
47.91.19.168      1052   bilibili.hdslb.net

These two lists can be downloaded here and here.

Looking at both lists, you will spot lots of interesting targets. For example:

  • The regular big players such as qq, 360, google, amazon, etc.
  • The game industry, such as rockstargames.com, minecraft.net, playstation.net
  • The porn sites, such as pornhub.com, homepornbay.com
  • The security industry, such as avast.com, kaspersky-labs.com, 360.cn
  • Politically related websites, such as nra.org, nrafoundation.org, nracarryguard.com, epochtimes.com
  • And the guy who always gets to see the newest DDoS attack: krebsonsecurity.com :)

Victims' geo distribution:

And ASN distribution:

Overall, the current victims are mainly concentrated in the United States, China (including Hong Kong), South Korea, Brazil, France, Germany, the United Kingdom, Canada, and the Netherlands.

Honeypot Data

We set up a honeypot for this type of attack and extracted over 37k attack instructions from it.

As shown in the following table, 99% of the attack instructions are based on the memcache STATS command.
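Producing a breakdown like the one described means looking past memcached's 8-byte UDP frame header at the command that each captured request would execute. The following is an added example for this page, not the honeypot code used by the post's authors: it classifies request datagrams by their text-protocol command (or binary-protocol opcode, recognised by the 0x80 request magic and 24-byte header) and tabulates the counts. The sample capture is constructed to resemble a reflection campaign with some noise; it is not data from the honeypot.

```python
"""Classify memcached UDP request payloads captured by a honeypot, by command.

Each datagram starts with memcached's 8-byte UDP frame header (request id,
sequence number, total datagrams, reserved; big-endian). In the text protocol
the command name is the first token on the first line ("stats", "get <key>",
...). The binary protocol is recognised by a leading 0x80 request-magic byte
and a 24-byte header whose second byte is the opcode (0x10 is STAT).
"""
import struct
from collections import Counter

FRAME = struct.Struct("!HHHH")
BINARY_REQUEST_MAGIC = 0x80
BINARY_HEADER_LEN = 24
BINARY_OPCODES = {0x00: "GET", 0x01: "SET", 0x0a: "NOOP", 0x0b: "VERSION", 0x10: "STAT"}


def classify(datagram: bytes) -> str:
    """Return the command a captured request datagram would run on a reflector."""
    if len(datagram) < FRAME.size:
        return "MALFORMED"          # no room for the frame header
    body = datagram[FRAME.size:]
    if not body:
        return "EMPTY"
    if body[0] == BINARY_REQUEST_MAGIC:
        if len(body) < BINARY_HEADER_LEN:
            return "MALFORMED"
        opcode = body[1]
        return "BIN_" + BINARY_OPCODES.get(opcode, f"0x{opcode:02x}")
    # Text protocol: first whitespace-separated token of the first line.
    first_line = body.split(b"\n", 1)[0].rstrip(b"\r")
    tokens = first_line.split()
    if not tokens:
        return "EMPTY"
    try:
        return tokens[0].decode("ascii").upper()
    except UnicodeDecodeError:
        return "MALFORMED"


def breakdown(datagrams):
    """Count commands; return [(command, count, percent)] sorted by count."""
    counts = Counter(classify(d) for d in datagrams)
    total = sum(counts.values())
    return [(cmd, n, round(100.0 * n / total, 1)) for cmd, n in counts.most_common()]


def frame(payload: bytes, req_id: int = 0) -> bytes:
    """Wrap a payload in a single-datagram memcached UDP frame (to build samples)."""
    return FRAME.pack(req_id, 0, 1, 0) + payload


# Constructed sample capture (not real honeypot data): what a reflection
# campaign looks like from the reflector's side, with a little noise mixed in.
SAMPLE_CAPTURE = (
    [frame(b"stats\r\n", i) for i in range(6)]
    + [frame(b"stats slabs\r\n", 6), frame(b"gets a b c\r\n", 7), frame(b"GET bigkey\r\n", 8)]
    + [frame(b"\x80\x10" + b"\x00" * 22, 9)]   # binary-protocol STAT request
    + [b"\x00\x01\x00"]                          # truncated datagram
)

if __name__ == "__main__":
    for cmd, n, pct in breakdown(SAMPLE_CAPTURE):
        print(f"{cmd:<12}{n:>5}{pct:>7.1f}%")
```

Keeping "MALFORMED" and "EMPTY" as their own buckets matters for a real capture: scanners and broken tools send plenty of junk to port 11211, and folding it into the command counts would distort the STATS share.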