Abstract
Distributed reflective denial-of-service (DRDoS) attacks are among the most damaging threats on the Internet. By abusing open Internet services such as DNS and NTP, attackers amplify their traffic without revealing their own IP addresses. In the case of Memcached DRDoS attacks, adversaries often store large objects in the amplifiers' caches via TCP set requests before launching the attack; because a TCP request needs a completed handshake, the source addresses of those set requests point to the attack infrastructure. In this paper, we trace these otherwise anonymous attacks back to their origins and investigate the attack infrastructure. During 15 months of monitoring (September 2018 to November 2019) with eleven honeypots, we observed 820,729 Memcached DRDoS attacks. Of these, 370,795 were associated with TCP set requests and 127,771 with UDP set requests. We found 199 unique IP addresses in 54 ASes that set the large caches for these attacks, and that attackers keep reusing the same large caches or even borrow caches set by someone else. This implies a relatively small number of threat actors behind the vast number of attacks. In the hotspots where setters are concentrated, the attack infrastructure comprised scanners that find amplifiers, setters that prepare the attacks, and launchers that generate the DDoS traffic. By conducting a TTL-based trilateration analysis, we found that 7,407 attacks originated from the setters themselves, indicating that 16.6% of the setters also worked as launchers.
Finally, we confirmed that over 15,000 amplifiers were still in the wild, scattered across more than 1,000 ASes. This suggests that the threat of Memcached DRDoS attacks will persist, and our analysis of the attack infrastructure can inform practical countermeasures such as takedowns. We have provided the results on the attack infrastructure to our national CERT.
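The preparation-then-launch pattern described above, together with the amplification-factor definition in footnote 1, as an added example in Python (not code from the paper, from AmpPot or from Memcached): it parses Memcached requests the way a honeypot receives them, tells a cache-preparing `set` from a reflected `get`, and computes the amplification factor a stored item yields. The reply layout follows the Memcached text protocol; the 1400-byte response datagram size is an assumption of this example, and all sample datagrams are constructed inline.

```python
"""Classify Memcached honeypot events (setter vs. launch) and compute the amplification
factor of a stored item. Added example, not the paper's code."""
import math
import struct
from dataclasses import dataclass
from typing import Optional

# Memcached UDP frame header: request id, sequence number, total datagrams in this
# message, reserved (must be 0). All fields are 16-bit big-endian.
UDP_FRAME_HDR = struct.Struct("!HHHH")
# Assumption for this example: a response datagram carries at most 1400 bytes of UDP
# payload, 8 of which are the frame header.
MAX_DATAGRAM_PAYLOAD = 1400
DATA_PER_DATAGRAM = MAX_DATAGRAM_PAYLOAD - UDP_FRAME_HDR.size


@dataclass
class Request:
    command: str
    key: Optional[str]
    value_bytes: int  # declared data length for `set`, 0 otherwise
    noreply: bool


def parse_udp_frame(datagram: bytes) -> tuple[int, int, int, bytes]:
    """Return (request_id, seq_no, total_datagrams, application_payload)."""
    if len(datagram) < UDP_FRAME_HDR.size:
        raise ValueError("datagram shorter than the 8-byte frame header")
    req_id, seq, total, reserved = UDP_FRAME_HDR.unpack_from(datagram)
    if reserved != 0:
        raise ValueError("reserved field must be zero")
    return req_id, seq, total, datagram[UDP_FRAME_HDR.size:]


def parse_text_command(payload: bytes) -> Request:
    """Parse the first line of a text-protocol request (`set`, `get`, `gets`, other)."""
    line, _, _ = payload.partition(b"\r\n")
    parts = line.decode("ascii", errors="replace").split()
    if not parts:
        raise ValueError("empty command line")
    cmd = parts[0].lower()
    if cmd == "set":
        # set <key> <flags> <exptime> <bytes> [noreply]\r\n<data>\r\n
        if len(parts) < 5:
            raise ValueError("malformed set command")
        return Request("set", parts[1], int(parts[4]), parts[-1] == "noreply")
    if cmd in ("get", "gets"):
        return Request(cmd, parts[1] if len(parts) > 1 else None, 0, False)
    return Request(cmd, None, 0, False)


def response_udp_bytes(value_bytes: int, key: str, flags: int = 0) -> int:
    """UDP payload bytes an amplifier returns for a single-key `get` on a stored item:
    'VALUE <key> <flags> <bytes>\\r\\n' + data + '\\r\\n' + 'END\\r\\n', split into
    datagrams that each carry an 8-byte frame header."""
    app_bytes = len(f"VALUE {key} {flags} {value_bytes}\r\n") + value_bytes + 2 + len("END\r\n")
    datagrams = math.ceil(app_bytes / DATA_PER_DATAGRAM)
    return app_bytes + datagrams * UDP_FRAME_HDR.size


def amplification_factor(request_datagram: bytes, response_bytes: int) -> float:
    """Footnote 1 / [10]: UDP payload bytes sent back divided by UDP payload bytes received."""
    return response_bytes / len(request_datagram)


def classify_event(transport: str, req: Request) -> str:
    """Role a honeypot observation plays in a Memcached DRDoS campaign."""
    if req.command == "set":
        if transport == "tcp":
            # The handshake completed, so the observed source address is the setter's own.
            return "setter (source address reliable)"
        return "setter (UDP: source address unverified)"
    if req.command in ("get", "gets"):
        # Reflection: the UDP source address is the intended victim, not the launcher.
        return "launch (source address likely spoofed victim)"
    return "other"


if __name__ == "__main__":
    # Constructed sample: frame header (id 1, seq 0, 1 datagram) followed by a one-key get.
    get_dgram = bytes.fromhex("0001000000010000") + b"get a\r\n"
    _, _, _, payload = parse_udp_frame(get_dgram)
    print(classify_event("udp", parse_text_command(payload)))
    resp = response_udp_bytes(1_000_000, "a")
    print(f"1 MB object: {resp} bytes back for {len(get_dgram)} bytes sent, "
          f"factor {amplification_factor(get_dgram, resp):.0f}")
```

A `set` seen over TCP is the event worth recording with its source address, since that address cannot be spoofed blind; a `set` over UDP carries no such guarantee, which is why the paper counts the two separately.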
M. Kondo and N. Shintani—This work was done while researching at the University.
Notes
1. The term amplification factor stands for the number of UDP payload bytes that an amplifier sends to answer a request, compared to the number of UDP payload bytes of the request [10].
References
AmpPot: honeypot for monitoring amplification DDoS attacks, datasets. https://sec.ynu.codes/dos/datasets
Censys. https://censys.io/
CVE-2018-1000115 detail. https://nvd.nist.gov/vuln/detail/cve-2018-1000115
Memcached: a distributed memory object caching system. https://memcached.org/
RIPE Atlas. https://atlas.ripe.net
Akamai SIRT Alerts: Memcached-fueled 1.3 Tbps attacks. https://securityboulevard.com/2018/03/memcached-fueled-1-3-tbps-attacks/
Büscher, A., Holz, T.: Tracking DDoS attacks: insights into the business of disrupting the web. In: Proceedings of the 5th USENIX LEET, LEET 2012 (2012)
Welzel, A., Rossow, C., Bos, H.: On measuring the impact of DDoS botnets. In: Proceedings of the 7th European Workshop on Systems Security, EuroSec 2014 (2014)
Collier, B., Thomas, D.R., Clayton, R., Hutchings, A.: Booting the booters: evaluating the effects of police interventions in the market for denial-of-service attacks. In: Proceedings of the 2019 Internet Measurement Conference, IMC 2019 (2019)
Rossow, C.: Amplification hell: revisiting network protocols for DDoS abuse. In: Proceedings of the 2014 Network and Distributed System Security Symposium, NDSS 2014 (2014)
Kopp, D., Dietzel, C., Hohlfeld, O.: DDoS never dies? An IXP perspective on DDoS amplification attacks. In: Hohlfeld, O., Lutu, A., Levin, D. (eds.) PAM 2021. LNCS, vol. 12671, pp. 284–301. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-72582-2_17
Mirkovic, J., Reiher, P.: A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Comput. Commun. Rev. 34(2), 39–53 (2004)
Mirkovic, J., Dietrich, S., Dittrich, D., Reiher, P.: Internet denial of service: attack and defense mechanisms. In: Perlman, R. (ed.) Computer Networking and Security Book Series (2004)
Krupp, J., Backes, M., Rossow, C.: Identifying the scanners and attack infrastructure behind amplification DDoS attacks. In: Proceedings of the 23rd ACM Conference on Computer and Communications Security, CCS 2016 (2016)
Santanna, J.J., De Schmidt, R.O., Tuncer, D., De Vries, J., Granville, L.Z., Pras, A.: Booter blacklist: unveiling DDoS-for-hire websites. In: Proceedings of the 2016 12th International Conference on Network and Service Management, CNSM 2016 (2016)
Santanna, J.J., Durban, R., Sperotto, A., Pras, A.: Inside booters: an analysis on operational database. In: Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management, IM 2015 (2015)
Bai, K.: Analysis and prevention of Memcache UDP reflection amplification attack. Int. J. Sci. 5(3), 297–302 (2018)
Kramer, L., et al.: Amppot: honeypot for monitoring amplification DDoS attack. In: Proceedings of the 18th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2015 (2015)
Singh, K., Singh, A.: Memcached DDoS exploits: operations, vulnerabilities, preventions and mitigations. In: Proceedings of the 2018 IEEE 3rd International Conference on Computing, Communication and Security, ICCCS 2018 (2018)
Kührer, M., Hupperich, T., Rossow, C., Holz, T.: Exit from hell? Reducing the impact of amplification DDoS attack. In: Proceedings of the 23rd USENIX Security Symposium, USENIX 2014 (2014)
Jonker, M., Pras, A., Dainotti, A., Sperotto, A.: A first joint look at DoS attacks and BGP blackholing in the wild. In: Proceedings of the 2018 Internet Measurement Conference, IMC 2018 (2018)
MaxMind: GeoIP2 database. https://www.maxmind.com/
Karami, M., McCoy, D.: Understanding the emerging threat of DDoS-as-a-service. In: Presented as part of the 6th USENIX Workshop on Large-Scale Exploits and Emergent Threats (2013)
Morales, C.: 1 Terabit DDoS attacks become a reality; reflecting on five years of reflections. https://www.netscout.com/blog/asert/1-terabit-ddos-attacks-become-reality-reflecting-five-years
Morales, C.: NETSCOUT Arbor confirms 1.7 Tbps DDoS attack; the terabit attack era is upon us. https://www.netscout.com/blog/asert/netscout-arbor-confirms-17-tbps-ddos-attack-terabit-attack-era
Nivedita, M., et al.: Memcached: an experimental study of DDoS attacks for the wellbeing of IoT applications. Sensors (Basel) 21(23), 8071 (2021)
Nishtala, R., et al.: Scaling Memcache at Facebook. In: Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2013 (2013)
Kumar, S.: Smurf-based distributed denial of service (DDoS) attack amplification. In: Proceedings of the Second International Conference on Internet Monitoring and Protection (ICIMP 2007) (2007)
Farsight Security: DNSDB. https://www.dnsdb.info/
Giotsas, V., Smaragdakis, G., Dietzel, C., Richter, P., Feldmann, A., Berger, A.: Inferring BGP blackholing activity in the internet. In: Proceedings of the 2017 Internet Measurement Conference, IMC 2017 (2017)
Paxson, V.: An analysis of using reflectors for distributed denial-of-service attacks. ACM SIGCOMM Comput. Commun. Rev. 31(3), 38–47 (2001)
Durumeric, Z., Bailey, M., Halderman, J.A.: An internet-wide view of internet-wide scanning. In: Proceedings of the 23rd USENIX Security Symposium, USENIX 2014 (2014)
Acknowledgements
A part of this research was conducted in the “WarpDrive: Web-based Attack Response with Practical and Deployable Research Initiative” project, supported by the National Institute of Information and Communications Technology, Japan. A part of this research was conducted in the “MITIGATE” project within “Research and Development for Expansion of Radio Wave Resources (JPJ000254)”, supported by the Ministry of Internal Affairs and Communications, Japan. A part of this research was supported by JSPS KAKENHI Grant Number 21H03444.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Kondo, M., Tanabe, R., Shintani, N., Makita, D., Yoshioka, K., Matsumoto, T. (2022). Amplification Chamber: Dissecting the Attack Infrastructure of Memcached DRDoS Attacks. In: Cavallaro, L., Gruss, D., Pellegrino, G., Giacinto, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2022. Lecture Notes in Computer Science, vol 13358. Springer, Cham. https://doi.org/10.1007/978-3-031-09484-2_10
DOI: https://doi.org/10.1007/978-3-031-09484-2_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-09483-5
Online ISBN: 978-3-031-09484-2