We have a new record for the largest DDoS attack ever detected. The new high mark is 1.3 Tbps (terabits per second).

The attack took place yesterday, targeted a software development company, and was detected and mitigated by Akamai. [UPDATE: It's GitHub.]

Attackers executed the attack using a vulnerability in Memcached servers that was made public two days ago.

Attacks powered by Memcached servers

The vulnerability resides in the UDP protocol implementation of Memcached servers, which amplify incoming packets by a factor of over 50,000. For example, an incoming Memcached request of 203 bytes results in a response weighing around 100 megabytes.

The vulnerable port on which attackers can amplify packet sizes and redirect the packets towards victims is port 11211. Memcached servers expose this port in default configurations.
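How this traffic looks from the receiving side, as an added example that is not part of the original article or of Akamai's tooling: replies reflected off Memcached servers arrive as UDP packets whose source port is 11211, so the function below flags destinations that receive a large volume of such traffic from several distinct hosts. The flow-record layout, the thresholds and the sample records are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

MEMCACHED_PORT = 11211  # port named in the article

# Constructed sample flow records (documentation IP ranges), not real traffic.
# Assumed columns: src_ip, src_port, dst_ip, dst_port, proto, bytes
SAMPLE_FLOWS = """\
198.51.100.10,11211,203.0.113.5,40211,udp,1400000
198.51.100.11,11211,203.0.113.5,51822,udp,1380000
198.51.100.12,11211,203.0.113.5,33017,udp,1420000
198.51.100.10,11211,203.0.113.9,45000,udp,900
192.0.2.44,53,203.0.113.5,41000,udp,512
192.0.2.50,11211,203.0.113.7,52000,tcp,2000000
"""

def find_reflection_targets(flow_text, min_reflectors=3, min_bytes=1_000_000):
    """Return {dst_ip: (reflector_count, total_bytes)} for destinations that
    receive UDP traffic sourced from port 11211 from many distinct hosts.
    Both thresholds are illustrative assumptions, not recommended values."""
    sources = defaultdict(set)   # dst_ip -> distinct sending hosts
    volume = defaultdict(int)    # dst_ip -> bytes received from port 11211
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        src_ip, src_port, dst_ip, _dst_port, proto, nbytes = row
        try:
            src_port, nbytes = int(src_port), int(nbytes)
        except ValueError:
            continue  # skip records with non-numeric port or byte count
        # Reflected replies come *from* the Memcached port, over UDP.
        if proto.lower() != "udp" or src_port != MEMCACHED_PORT:
            continue
        sources[dst_ip].add(src_ip)
        volume[dst_ip] += nbytes
    return {
        dst: (len(srcs), volume[dst])
        for dst, srcs in sources.items()
        if len(srcs) >= min_reflectors and volume[dst] >= min_bytes
    }

if __name__ == "__main__":
    for dst, (count, total) in find_reflection_targets(SAMPLE_FLOWS).items():
        print(f"{dst}: {total} bytes from {count} hosts, UDP source port {MEMCACHED_PORT}")
```

The same source-port match is what an upstream filter or rate limit would key on, since legitimate clients rarely need UDP replies from port 11211 arriving from the Internet.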

There are over 93,000 Memcached servers currently connected online that can be abused for this type of DDoS attack, and this seems to be exactly what happened yesterday.

Despite having a whopping size of 1.3 Tbps, Akamai said it mitigated the entire attack. Akamai now expects to see similar Memcached-driven attacks on a regular basis.

Previous Memcached-based DDoS attacks

New evidence also suggests it was Qihoo 360 researchers from the 0Kee Team who discovered the Memcached DDoS attack vector in late 2017. While their findings were never highly publicized, somebody appears to have found their research paper.

As Akamai warns, the size of these attacks is going up, and it might soon reach even bigger numbers.

In fact, this is what appears to be happening. DDoS attacks leveraging the Memcached vulnerability started over the weekend. Cloudflare reported mitigating the first such attacks, which reached 260 Gbps, on Monday, February 26.

Qrator Labs then reported mitigating another Memcached-based DDoS attack that reached over 500 Gbps, followed by the 1.3 Tbps attack that Akamai detected.

In their research paper, the 0Kee team estimated Memcached servers could be abused to launch DDoS attacks of around 2 Tbps.

The previous DDoS attack record was 1 Tbps, suffered by French hosting provider OVH in the autumn of 2016. That DDoS attack was carried out with the first version of the Mirai IoT malware, and was extremely hard to mitigate because it contained more varied packets that originated from random ports.

Article updated shortly after publication with the information that GitHub was the victim of the 1.3 Tbps attack.