Researchers identify extortion as motive behind memcached DDoS attacks
Researchers identify extortion as motive behind memcached DDoS attacks

The adversaries who have been abusing exposed memcached servers to launch amplified distributed denial of service attacks have been including a ransom note amidst their flood of malicious packets, according to researchers from Cybereason who now suspect the actors' true motivation is extortion.

According to a Mar. 2 company blog post, the ransom note demands a payment of 50 Monero coins (XMR). The note, written in a line of Python code and repeated many times, is one gigabyte in size, suggesting that the attackers "wanted to get their message across," Cybereason reported. As of roughly noon ET on Mar. 5, 50 Monero was worth approximately $18,500.

Since late February, several research groups have been warning of an notable uptick in memcached-based DDoS attacks, which can amplify malicious traffic by a factor of tens of thousands. The most notable attack so far took place last Wednesday, Feb. 28, against GitHub, which largely withstood the record 1.35 Tbps barrage, but experienced service disruptions for about nine minutes. Cybereason said it is unknown if GitHub or any organizations have paid the ransom.

"...Using a short attack to quickly knock companies offline can greatly benefit attackers," the Cybereason post continued. "If sites can be taken down in such a brief amount of time, companies could be more inclined to pay the ransom (assuming it remains reasonable) instead of dealing with the more substantial fallout from a longer amplification DDoS attack."

Akamai Technologies, GitHub's content delivery network, mitigated the attack by filtering all traffic sourced from UDP port 11211, which is the default port that memcached servers use to communicate. A Mar. 1 blog post from Imperva reported that there there are over 93,000 misconfigured memcached servers worldwide, listening on port 11211.  Security experts are now reportedly recommending that server operators, ISPs and web hosting providers block or filter this port.

In its own Mar. 1 post, Akamai warned that since Monday, Feb. 27 "many other organizations have experienced similar reflection attacks, and we predict many more, potentially larger attacks in the near future," adding that its researchers have observed a "marked increase in scanning for open memcached servers." 

As of approximately 12:30 p.m. ET on Mar. 3, U.S.-based targets have been victimized by memcached server DDoS attacks 2,661 times, according to DDoS monitoring site DDoS Mon. China has seen the next highest number of attacks -- 1,000.