Back in October of 2016, a denial-of-service attack against a service provider called Dyn crippled Americans’ Internet access on the east coast. Its servers were bombarded with a jaw-dropping amount of traffic. Some estimates put the attack’s peak data rate at around 1.2Tbps, which was unheard of at the time.
Last week hackers unleashed a new breed of DDoS attack. Security researchers tracked one that was nearly 50% more powerful than the one against Dyn.
At its peak, this next-gen DDoS attack was blasting a record-breaking 1.7 Tbps at its target. To put that into perspective, that’s roughly the same amount of bandwidth that flows through 13,600 gigabit high-speed Internet connections. With the average American’s high-speed link sitting at more like 18 or 19Mbps, that would translate to around 680,000 Americans using the full capabilities of their connection to flood the same website at the same time.
How did these new attacks become so powerful? Hackers have figured out how to exploit a bit of software called Memcached. It’s designed to speed up web page load times by caching big chunks of the data they need to access — which is often served up from remote database servers.
As ZDNet’s Liam Tung notes, servers that run Memcached should never be exposed to the Internet. In reality, however, there can be more than 100,000 left vulnerable at any given time.
Hackers use those exposed Memcached servers to amplify their attacks. A small amount of garbage data sent to the Memcached server results in a massive flood of data being directed at the hackers’ targets. It’s much more dangerous than, say, forcing an army of connected security cameras to bombard a website directly. Bouncing traffic off a Memcached server can amplify an attack by more than 51,000 times.
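A configuration check for the exposure described above, as an added example that is not from the original article: it audits a Debian-style `memcached.conf` (one option per line) for the `-l` listen address and the `-U` UDP port, since the amplification runs over Memcached's UDP listener. The function name and both sample configs are constructed for illustration.

```python
import ipaddress
import shlex

def audit_memcached_conf(text):
    """Return exposure findings for a memcached.conf given as a string."""
    listen, udp_port = [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # drops '#' comments
        if not tokens:
            continue
        opt, val = tokens[0], (tokens[1] if len(tokens) > 1 else None)
        if opt.startswith("--") and "=" in opt:   # --listen=ADDR form
            opt, val = opt.split("=", 1)
        if opt in ("-l", "--listen") and val:
            listen += [a.strip() for a in val.split(",")]
        elif opt in ("-U", "--udp-port") and val:
            udp_port = int(val)

    findings = []
    if not listen:
        findings.append("no -l option: listens on every interface")
    for addr in listen:
        host = addr
        if addr.startswith("["):                  # [ipv6]:port
            host = addr[1:addr.index("]")]
        elif addr.count(":") == 1:                # ipv4-or-name:port
            host = addr.split(":")[0]
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = host == "localhost"
        if not loopback:
            findings.append(f"-l {addr}: reachable beyond loopback, confirm it is firewalled")
    if udp_port is None:
        # Assumption: the default differs between builds, so an explicit value is required here.
        findings.append("no -U option: UDP state depends on the build default, set -U 0")
    elif udp_port != 0:
        findings.append(f"-U {udp_port}: UDP listener enabled")
    return findings

# Constructed sample configs (not taken from any real host).
EXPOSED_CONF = "# cache for web tier\n-m 64\n-p 11211\n-l 0.0.0.0\n"
HARDENED_CONF = "-m 64\n-p 11211\n-l 127.0.0.1  # local clients only\n-U 0\n"

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_memcached_conf(conf) or "no findings")
```
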
The good guys are already on the case, fortunately. The Department of Homeland Security has been searching for ways to protect Americans against DDoS attacks, and private companies like Alphabet and Akamai are doing everything they can, too.
Significant progress has already been made. GitHub recently faced a Memcached attack against its servers, which were only downed for around five minutes. Service was spotty for another 5 minutes before normal functionality was restored.
Not everyone is as prepared to deal with an attack as GitHub, however. The next victim of these DDoS attacks could see significant downtime — and financial losses — as a result of hackers’ new firepower.