'Memcached' DDoS Attacks Hose New Targets


March 8, 2018 12:00 AM

A new way to amplify DDoS attacks has targeted Google, Amazon, Pornhub and even the National Rifle Association's main website after striking Github last week.

The attacks, which exploit vulnerable "memcached servers," have been trying to hose down scores of new targets with a flood of internet traffic, according to Chinese security firm Qihoo 360.

The goal is to knock them offline. Github was the first high-profile victim and suffered a 1.35 Tbps assault, or what was then the biggest DDoS attack on record. But days later, an unnamed US service provider fended off a separate assault, which measured 1.7 Tbps.

Unfortunately, the amplified DDoS attacks haven't stopped. They've gone on to strike over 7,000 unique IP addresses in the last seven days, Qihoo 360 said in a blog post. Most of the targets have been based in the US and China. Gaming sites including Rockstargames.com, Minecraft.net, and Playstation.net have been among those hit.

In addition, the DDoS attacks have bombarded at least three different NRA-related sites and the web address for the Epoch Times, a Chinese-American newspaper known for anti-communist coverage. Who's behind these attacks isn't known, but the variety of targets suggests multiple actors are at work.

DDoS protection provider Radware agreed with the findings from Qihoo 360; it too has noticed the assaults blasting different targets left and right. Many of these attacks are reaching between 500 Gbps and 1 Tbps, according to Radware security researcher Daniel Smith. But the good news is that they rarely last.

Both internet service providers and websites are starting to filter out and blacklist the attack traffic, given that it arrives over a certain networking port, he said. Others like Google and Amazon are designed to handle huge loads of incoming data.

The security community is also steadily addressing the linchpin to all the assaults: the vulnerable memcached servers. About 100,000 of these online storage systems were publicly exposed over a week ago. But the server owners have since patched or firewalled about 60,000 of them, Smith said.

That leaves 40,000 servers open to exploitation. Smith points to how the code behind the attack technique has started to circulate online through free tools and scripts.

He's also noticed another worrisome development. On Tuesday, a major DDoS attack provider, Defcon.pro, began selling attacks powered by memcached servers. The platform has over 11,000 registered users and it's encouraging all of them to test out the new function.

"It's really a race to patch the memcached servers before they become so widely used that everyone has access to them," Smith said.

Qihoo 360 has a site with real-time info on the ongoing assaults. It's so far recorded about 15,000 attacks since they began late last month.
