In less then ten days, Memcache DDoS attack has come out of nowhere and really captured lots of attentions within the security community. When we look at the news, we see all sort of reports but hardly can get a good idea what the real situation is, for example the most important question, how many victims are out there? And how big the attack army is?
Our team has been running the free ddosmon platform for quite some time and with all the massive amount of network data we have good visibility into the ddos world, so, in this blog, we will provide our insights.
The General Trend
In our previous blog we mentioned that there had been hardly any Memcache DDoS attacks in the last 9 months since our 360 0kee team publicly disclosed this vulnerability. However, since 2018-02-24, the frequency of attacks has increased dramatically. As shown in the following two figures:
We can roughly divide this period of time into the following stages.
- Prior to 2018-02-24, the daily average was less than 50 attacks.
- The first stage: 02-24 ~ 02-28, an average of 372 attacks per day
- Stage 2: 03-01 ~ 03-05, average daily 1938 attacks
- 03-08, 721 attacks already took place today, with 12 more hours to go
The above figure is the number of daily active reflectors. That is, these memcache servers actually participated in real attacks. After the rapid growth on Feb 24, 2018,, the number of daily active reflectors has been stable.
We also took a real test on the 15k active reflectors on Mar 07. Roughly 15% of them respond to the "stats" command we request and thus indeed have the ability to engage in actual attacks.
In this case, the ratio at 15% looks a bit low. Maybe more tests needed to understand the situation.
In the past ten days, quite a few popular websites became victims of this DDoS attack. For example, in github around Feb 28 17:20 UTC suffered a DDoS attack, the peak flow rate reached 1.35Tbps, according to akamai and github.
Correspondingly, our DDoSmon platform observed two attacks against github, . The former is the one publicly documented.
- Victim IP: 22.214.171.124
- Occurred at: 2018-03-01 14:26:22 GMT +8 and 2018-03-02 01:13:44 GMT +8 respectively
- Source Port: UDP 11211 source port
- Attack Type: tagged as "udp@attack@amp_flood_target-MEMCACHE"
All these technical features are consistent with github's public documents.
Next, let’s take a look at the most recent 7 days of data on DDoSMon for some detailed breakdown.
In just 7 days, our DDoSmon platform logged:
- 10k attack events
- 7131 unique victim IP addresses
In order to make the result more readable, we use our PDNS system to map the victim IPs back to their dns names. Within them, 981 (13%) have recently (within a week) resolvable domain names, and 15k (22%) have historically had domain names.
For all the targets above which have dns names, we checked Alexa top 1m domain list and our Float top 1m to generat two lists.(Float is our internal domain popular ranking system with a focus visits mainly in China.)
Here is a snip for alexa(please bear in mind that we use the most recent PDNS to map the IPs, also we only keep the SLD, not the whole FQDN, so attack against a.com is mostly like attack against subdomains such as zyx.a.com, not necessary a.com itself.
target_ip rank belongs to sld 126.96.36.199 9 qq.com 188.8.131.52 9 qq.com 184.108.40.206 21 360.cn 220.127.116.11 32 pornhub.com 18.104.22.168 74 github.com 22.214.171.124 74 github.com 126.96.36.199 74 github.com 188.8.131.52 74 github.com 184.108.40.206 80 pinterest.com 220.127.116.11 112 googleusercontent.com
Snip for float
target_ip rank fqdn 18.104.22.168 12 www.a.shifen.com 22.214.171.124 21 mp.weixin.qq.com 126.96.36.199 464 pingma.qq.com 188.8.131.52 587 interface.hdslb.net 184.108.40.206 587 interface.hdslb.net 220.127.116.11 587 interface.hdslb.net 18.104.22.168 587 interface.hdslb.net 22.214.171.124 867 sh.wagbridge.aliyun.com.gds.alibabadns.com 126.96.36.199 1052 bilibili.hdslb.net 188.8.131.52 1052 bilibili.hdslb.net
Take a look at both lists, you will spot lots of interesting targets. For example:
- The regular big players such as qq,360, google, amamzon.etc
- The game industry such as rockstargames.com, minecraft.net, playstation.net
- The porn sites such as pornhub.com, homepornbay.com
- The security industry such Avast.com, kaspersky-labs.com, 360.cn
- The political related websites such as nra.org, nrafoundation.org ,nracarryguard.com, epochtimes.com
- And the guy who always gets to see the newest ddos attack: krebsonsecurity.com :)
Victims' geo distribution:
And asn distribution:
Overall, the current victims are mainly concentrated in the United States, China (including Hong Kong, China), South Korea, Brazil, France, Germany, the United Kingdom, Canada, and the Netherlands.
We set up a honeypot for this type of attack and filtered out over 37k attack instructions.
As shown in the following table, 99% of the attack instructions are based on memcache STATS directives.