In less than ten days, the Memcache DDoS attack has come out of nowhere and captured a lot of attention within the security community. Looking at the news, we see all sorts of reports but can hardly get a good idea of what the real situation is, starting with the most important questions: how many victims are out there, and how big is the attack army?

Our team has been running the free DDoSMon platform for quite some time, and with the massive amount of network data it collects we have good visibility into the DDoS world. In this blog we will share our insights.

The General Trend

In our previous blog we mentioned that there had been hardly any Memcache DDoS attacks in the 9 months since our 360 0kee team publicly disclosed this vulnerability. However, since 2018-02-24 the frequency of attacks has increased dramatically, as shown in the following two figures:

(Figure 1: number of Memcache DDoS attacks per day.)

(Figure 2: number of daily active reflectors.)

We can roughly divide this period of time into the following stages.

Before 2018-02-24: fewer than 50 attacks per day on average.

Stage 1, 02-24 ~ 02-28: an average of 372 attacks per day.

Stage 2, 03-01 ~ 03-05: an average of 1938 attacks per day.

03-08 (today): 721 attacks have already taken place, with 12 more hours to go.

The second figure above shows the number of daily active reflectors, that is, memcache servers that actually participated in real attacks. After the rapid growth on Feb 24, 2018, the number of daily active reflectors has been stable.

We also ran a real test against the 15k active reflectors seen on Mar 07. Roughly 15% of them responded to the "stats" command we sent, and thus indeed have the ability to engage in actual attacks.

A ratio of 15% looks a bit low; more tests may be needed to understand the situation.

Github attacks

In the past ten days, quite a few popular websites became victims of this kind of DDoS attack. For example, GitHub suffered a DDoS attack around Feb 28 17:20 UTC whose peak traffic rate reached 1.35 Tbps, according to Akamai and GitHub.

Correspondingly, our DDoSMon platform observed two attacks against GitHub. The former is the one publicly documented.

Victim IP: 192.30.252.113

Occurred at: 2018-03-01 14:26:22 GMT+8 and 2018-03-02 01:13:44 GMT+8 respectively

Source port: UDP 11211

Attack type: tagged as "udp@attack@amp_flood_target-MEMCACHE"

All these technical features are consistent with GitHub's public report.
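The features above (UDP replies from source port 11211, many reflectors, large amplified datagrams) are what a flow-level detector keys on. The following is an added example, not DDoSMon's own code: it tags memcache amplification floods in constructed flow records, and the record format and both thresholds are assumptions.

```python
from collections import defaultdict

MEMCACHE_PORT = 11211
AMP_MIN_AVG_PKT = 1000   # assumption: amplified "stats" replies are near-MTU-sized datagrams
AMP_MIN_REFLECTORS = 3   # assumption: a reflection flood arrives from several distinct reflectors

# Constructed flow records (not DDoSMon data), one flow per line:
# timestamp,src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
SAMPLE_FLOWS = """\
2018-03-01T06:26:22Z,198.51.100.11,11211,192.0.2.10,443,udp,40000,56000000
2018-03-01T06:26:22Z,198.51.100.12,11211,192.0.2.10,443,udp,38000,53200000
2018-03-01T06:26:23Z,198.51.100.13,11211,192.0.2.10,80,udp,41000,57400000
2018-03-01T06:26:23Z,203.0.113.5,11211,192.0.2.10,443,udp,12,900
2018-03-01T06:26:24Z,203.0.113.9,53,192.0.2.10,33333,udp,500,60000
2018-03-01T06:26:25Z,203.0.113.77,11211,192.0.2.20,8080,tcp,20,2000
"""

def tag_flows(flow_text):
    """Return {victim_ip: event} for victims hit by a memcache amplification flood."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for line in flow_text.strip().splitlines():
        _ts, sip, sport, dip, _dport, proto, pkts, nbytes = line.split(",")
        pkts, nbytes = int(pkts), int(nbytes)
        # reflected replies come from the memcached UDP port; a tiny flow is a
        # stray packet or a probe, not an amplified "stats" reply stream
        if proto != "udp" or int(sport) != MEMCACHE_PORT or pkts == 0:
            continue
        if nbytes / pkts < AMP_MIN_AVG_PKT:
            continue
        v = per_victim[dip]
        v["reflectors"].add(sip)
        v["packets"] += pkts
        v["bytes"] += nbytes
    events = {}
    for dip, v in per_victim.items():
        if len(v["reflectors"]) < AMP_MIN_REFLECTORS:
            continue
        events[dip] = {
            "type": "udp@attack@amp_flood_target-MEMCACHE",  # the tag used in the post
            "reflectors": len(v["reflectors"]),
            "avg_pkt_bytes": round(v["bytes"] / v["packets"]),
        }
    return events

if __name__ == "__main__":
    for victim, event in tag_flows(SAMPLE_FLOWS).items():
        print(victim, event)
```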

Next, let's take a look at the most recent 7 days of data on DDoSMon for a more detailed breakdown.

The Targets

In just 7 days, our DDoSmon platform logged:

10k attack events

7131 unique victim IP addresses

To make the result more readable, we used our PDNS system to map the victim IPs back to their DNS names. Among them, 981 (13%) have recently (within a week) resolvable domain names, and 15k (22%) have historically had domain names.

For all the targets above that have DNS names, we checked them against the Alexa top 1M domain list and our Float top 1M to generate two lists. (Float is our internal domain popularity ranking system, focused mainly on visits from China.)

Here is a snippet for Alexa (please bear in mind that we use the most recent PDNS to map the IPs, and that we only keep the SLD, not the whole FQDN, so an attack against a.com is most likely an attack against a subdomain such as zyx.a.com, not necessarily a.com itself):

target_ip        rank  belongs to sld
59.37.97.93      9     qq.com
182.254.79.46    9     qq.com
36.110.213.82    21    360.cn
216.18.168.16    32    pornhub.com
192.30.255.113   74    github.com
192.30.253.125   74    github.com
192.30.253.113   74    github.com
192.30.253.112   74    github.com
151.101.128.84   80    pinterest.com
104.155.208.139  112   googleusercontent.com

Snippet for Float:

target_ip        rank  fqdn
115.239.211.112  12    www.a.shifen.com
182.254.79.46    21    mp.weixin.qq.com
59.37.97.93      464   pingma.qq.com
114.80.223.177   587   interface.hdslb.net
47.91.19.168     587   interface.hdslb.net
222.186.35.81    587   interface.hdslb.net
114.80.223.172   587   interface.hdslb.net
140.205.32.8     867   sh.wagbridge.aliyun.com.gds.alibabadns.com
114.80.223.177   1052  bilibili.hdslb.net
47.91.19.168     1052  bilibili.hdslb.net

These two lists can be downloaded here and here.

Looking at both lists, you will spot lots of interesting targets. For example:

The regular big players, such as qq, 360, google, amazon, etc.

The game industry, such as rockstargames.com, minecraft.net, playstation.net

The porn sites, such as pornhub.com, homepornbay.com

The security industry, such as avast.com, kaspersky-labs.com, 360.cn

Politically related websites, such as nra.org, nrafoundation.org, nracarryguard.com, epochtimes.com

And the guy who always gets to see the newest DDoS attack: krebsonsecurity.com :)

Victims' geo distribution:

And ASN distribution:

Overall, the current victims are mainly concentrated in the United States, China (including Hong Kong, China), South Korea, Brazil, France, Germany, the United Kingdom, Canada, and the Netherlands.

Honeypot Data

We set up a honeypot for this type of attack and extracted over 37k attack instructions from what it received.

As shown in the following table, 99% of the attack instructions are based on memcache STATS directives.
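To build such a table, the honeypot has to decode each captured memcached UDP request: an 8-byte frame header (request id, sequence number, datagram count, reserved field) followed by the ASCII command. The following is an added example, not the post's honeypot code; the captured datagrams are constructed samples, including two malformed ones to show what gets dropped.

```python
import struct
from collections import Counter

# memcached UDP frame: 8-byte header (request id, sequence no., datagram count,
# reserved, all big-endian 16-bit) followed by the text-protocol command
HEADER = struct.Struct("!HHHH")

# Constructed honeypot captures (not the post's data): (source_ip, raw_datagram)
SAMPLE_DATAGRAMS = [
    ("203.0.113.10", HEADER.pack(1, 0, 1, 0) + b"stats\r\n"),
    ("203.0.113.10", HEADER.pack(2, 0, 1, 0) + b"stats\r\n"),
    ("198.51.100.7", HEADER.pack(7, 0, 1, 0) + b"get somekey\r\n"),
    ("198.51.100.7", HEADER.pack(9, 0, 1, 0) + b"gets a b\r\n"),
    ("192.0.2.200", b"\x00\x01\x00"),                               # truncated header
    ("192.0.2.201", HEADER.pack(3, 0, 1, 0xFFFF) + b"stats\r\n"),   # reserved must be 0
]

def parse_frame(data: bytes):
    """Return (request_id, seq, total, command_verb), or None if the frame is malformed."""
    if len(data) < HEADER.size:
        return None
    req_id, seq, total, reserved = HEADER.unpack_from(data)
    # reject anything that is not a well-formed memcached UDP request frame
    if reserved != 0 or total == 0 or seq >= total:
        return None
    payload = data[HEADER.size:]
    if not payload.strip():
        return req_id, seq, total, ""
    # the command verb is the first whitespace-delimited token of the payload
    verb = payload.split(None, 1)[0].decode("ascii", "replace").lower()
    return req_id, seq, total, verb

def classify(datagrams):
    """Tally command verbs across captured datagrams; return (Counter, malformed_count)."""
    verbs = Counter()
    malformed = 0
    for _src, raw in datagrams:
        parsed = parse_frame(raw)
        if parsed is None:
            malformed += 1
            continue
        verbs[parsed[3]] += 1
    return verbs, malformed

def share_of(verbs, verb):
    """Fraction of well-formed instructions that used the given verb."""
    total = sum(verbs.values())
    return verbs[verb] / total if total else 0.0

if __name__ == "__main__":
    verbs, malformed = classify(SAMPLE_DATAGRAMS)
    for verb, n in verbs.most_common():
        print(f"{verb:8s} {n:4d}  {share_of(verbs, verb):.0%}")
    print("malformed:", malformed)
```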