Four days after GitHub suffered a massive 1.3 Tbps DDoS attack, we now have a new record with a DDoS attack that clocked at 1.7 Tbps.

Detected and mitigated by Arbor Networks, this attack was aimed at a yet-to-be-identified "US service provider." Just like the DDoS attack that hit GitHub last week, this one was also carried out via Memcached servers left exposed online.

Even more Memcached servers available online

Last year, Qihoo 360 0Kee Team researchers discovered that Memcached servers could be abused for DDoS attacks by sending specially-crafted UDP packets on port 11211.

Depending on how the UDP packet was put together, the Memcached server would respond with a much larger packet, aimed at a spoofed IP address (the victim's IP).

Last week, Cloudflare researchers said they've seen Memcached-based DDoS attacks amplifying packets by a factor of 51,200, the largest ever seen. Bleeping Computer identified at the time over 93,000 Memcached servers left exposed online, but that number has now reached over 105,000.
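The reflection pattern described above can be spotted in flow records. The following is an added example, not code from the article or from any vendor it names; the flow-record format, thresholds, function names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

MEMCACHED_UDP_PORT = 11211  # UDP port named in the article

# Constructed flow records (not real traffic):
# proto src_ip src_port dst_ip dst_port bytes
SAMPLE_FLOWS = """\
udp 203.0.113.10 40112 198.51.100.7 11211 60
udp 198.51.100.7 11211 203.0.113.10 40112 1400000
udp 203.0.113.10 51234 198.51.100.8 11211 60
udp 198.51.100.8 11211 203.0.113.10 51234 1350000
udp 192.0.2.53 53 203.0.113.10 40000 512
tcp 192.0.2.80 11211 203.0.113.20 50000 900000
udp 203.0.113.30 40500 198.51.100.7 11211 120
udp 198.51.100.7 11211 203.0.113.30 40500 300
"""

def parse_flows(text):
    """Yield (proto, src, sport, dst, dport, nbytes), skipping malformed lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6 or not all(x.isdigit() for x in (f[2], f[4], f[5])):
            continue
        yield f[0].lower(), f[1], int(f[2]), f[3], int(f[4]), int(f[5])

def amplification_by_pair(flows):
    """Map (server, client) -> [request_bytes, response_bytes] for UDP/11211."""
    pairs = defaultdict(lambda: [0, 0])
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":
            continue  # the amplification vector described is UDP only
        if dport == MEMCACHED_UDP_PORT:
            pairs[(dst, src)][0] += nbytes  # request; src may be spoofed
        elif sport == MEMCACHED_UDP_PORT:
            pairs[(src, dst)][1] += nbytes  # response sent to the claimed src
    return pairs

def suspected_victims(flows, min_ratio=100, min_reflectors=2):
    """Return {client_ip: (response_bytes, reflector_count)} for likely targets."""
    hits = defaultdict(lambda: [0, set()])
    for (server, client), (req, resp) in amplification_by_pair(flows).items():
        # If no request was observed (victim-side vantage), treat it as 1 byte.
        if resp >= min_ratio * max(req, 1):
            hits[client][0] += resp
            hits[client][1].add(server)
    return {ip: (total, len(servers)) for ip, (total, servers) in hits.items()
            if len(servers) >= min_reflectors}

if __name__ == "__main__":
    for ip, (total, n) in suspected_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{ip}: {total} bytes from {n} Memcached servers")
```

The ratio and reflector-count thresholds are illustrative and would need tuning against normal Memcached traffic on the network being monitored.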

Attacks predicted to reach 2 Tbps

While the Memcached DDoS attack vector has been known since last November, it was only last week that Cloudflare and other major CDNs, such as Arbor and Akamai, started seeing Memcached-based DDoS attacks on a regular basis.

As last week progressed, the size of the attacks grew from 250 Gbps to 1.3 Tbps and has now reached 1.7 Tbps. Qihoo 360 researchers estimated that a Memcached-based DDoS attack could easily reach 2 Tbps, a direction in which current attacks appear to be heading.

An industry source has told Bleeping Computer that the source of the attacks appears to be DDoS-for-hire services operating out of China, although researchers haven't identified one particular suspect by name.

Also last week, some DDoS attackers started inserting ransom demands of 50 Monero ($17,000) inside the UDP packets that are part of the DDoS attack, hoping that victims would analyze the DDoS flood and pay the ransom to stop the attack. Radware experts told Bleeping Computer that attackers reused the same Monero address and had no way of knowing which victim paid the ransom. Hence, it's recommended that victims don't pay any ransom demand they receive in Memcached-based DDoS attacks.