Abstract
In late February 2018, news spread through the mainstream media about a massive distributed denial-of-service attack on the popular software collaboration website github.com. Estimated at a rate of 1.3 terabits per second, this massive packet flood was the largest DDoS attack by volume to date, surpassing previous records set by the first IoT-based DDoS attacks in 2017.
In this paper, we analyze the behavior of the actors scanning and probing the Internet for the presence of exploitable memcached servers that were the root cause of this attack, both before and after the media coverage. We find that the attacks of late February were preceded by a large-scale reconnaissance action a month before, and that the attacks were the result of an extended evolution of methods to find a suitable attack strategy. Furthermore, we see that the coverage of the massive DDoS attack actually triggered another wave of DDoS attacks, resulting in a large influx of new, previously unseen users who seem to be leveraging ready-made tools.
Original language | English |
---|---|
Title of host publication | WTMC'18 |
Subtitle of host publication | Proceedings of the 2018 Workshop on Traffic Measurements for Cybersecurity |
Place of Publication | New York, NY |
Publisher | Association for Computing Machinery (ACM) |
Pages | 8-13 |
Number of pages | 6 |
ISBN (Print) | 978-1-4503-5910-8 |
DOIs | |
Publication status | Published - 2018 |
Event | WTMC ’18: Workshop on Traffic Measurements for Cybersecurity - Budapest, Hungary Duration: 20 Aug 2018 → 20 Aug 2018 |
Workshop
Workshop | WTMC ’18 |
---|---|
Country/Territory | Hungary |
City | Budapest |
Period | 20/08/18 → 20/08/18 |
Keywords
- denial-of-service attacks
- memcached
- threat intelligence