Overwhelming attack sets new record.

An overwhelming attack on a customer of a US service provider a few days ago has set a new record for the sheer volume of data used in the attack. We saw records set last year, but this new one is enormous. At its peak, it is reported to have hit 1.7Tbps. For those of you unfamiliar with internet speed measurements, this is the equivalent of 18,000 eirFibre broadband customers using their full 100Mbps internet speed to download data at exactly the same time, with all of that data pointed at a single service.

What is the source of this overwhelming attack?

A vulnerability was discovered recently in certain servers that are exposed to the internet. If a certain type of packet carrying a small amount of data is sent to the server, the server replies with a much greater quantity of data – in some cases up to 50,000 times more.

Now most of you are thinking: well, that would mean the server replies to the sender with a big chunk of data and so overwhelms the bad guy.

The thing about the type of packet in question (officially User Datagram Protocol, or UDP) is that the sender can change the source address of the packet to “spoof” where it came from. The vulnerable server blindly believes the reply should go to the victim and sends its much larger response there. This is all because there is no verification of the source address when UDP packets are used.

So all the evildoer needs to do is locate a large number of vulnerable servers and send each of them a packet with the same spoofed source address; the servers then send a much greater amount of data back to the victim address, overwhelming any services the victim has exposed to the internet. The following is a simple diagram of how this works – in this case a 1 Megabyte request gets amplified to 15 Megabytes:

(Diagram: amplification attack)
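The request/reply size ratio described above is exactly what an operator should be watching for on their own servers, because a server that answers tiny UDP requests with huge replies is the reflector in this picture. The script below is an added example, not code from the original post: it reads NetFlow-style records (a constructed format, one flow per line), pairs each inbound UDP request to one of our service ports with the outbound reply sent back to the same peer, and reports any pairing whose amplification factor exceeds a threshold. The server address 192.0.2.10, the peers, and the service port 4000 are all hypothetical documentation-range values chosen for the example.

```python
"""Spot reflection/amplification abuse of our own server in flow records.

Added example, not from the original post. Each constructed record is:
    src_ip src_port dst_ip dst_port proto packets bytes
A reflector shows up as a small inbound UDP request to a service port followed
by a much larger outbound reply to the same peer address; bytes_out / bytes_in
is the amplification factor. Because the request's source address is spoofed,
the "peer" that receives the large reply is the victim, not the attacker.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical server we operate and a hypothetical UDP service port on it.
SERVER_IP = "192.0.2.10"

# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    "198.51.100.7 40001 192.0.2.10 4000 UDP 2 90",         # 90-byte request
    "192.0.2.10 4000 198.51.100.7 40001 UDP 900 1350000",  # 1.35 MB reply -> x15000
    "203.0.113.5 51000 192.0.2.10 4000 UDP 1 60",          # normal small request
    "192.0.2.10 4000 203.0.113.5 51000 UDP 1 420",         # modest reply -> x7
    "203.0.113.9 33000 192.0.2.10 22 TCP 10 1200",         # TCP is ignored
    "192.0.2.10 22 203.0.113.9 33000 TCP 12 8000",
    "192.0.2.10 4000 203.0.113.77 5555 UDP 3 3000",        # reply with no request seen
]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record into a Flow."""
    src_ip, src_port, dst_ip, dst_port, proto, packets, nbytes = line.split()
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port),
                proto.upper(), int(packets), int(nbytes))


def amplification_report(flows, server_ip, min_factor=10.0):
    """Pair inbound UDP requests with outbound replies per (peer, service port)
    and return the pairings whose bytes_out / bytes_in is at least min_factor,
    largest factor first."""
    inbound = defaultdict(int)   # (peer_ip, service_port) -> request bytes
    outbound = defaultdict(int)  # (peer_ip, service_port) -> reply bytes
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.dst_ip == server_ip:
            inbound[(f.src_ip, f.dst_port)] += f.bytes
        elif f.src_ip == server_ip:
            outbound[(f.dst_ip, f.src_port)] += f.bytes

    findings = []
    for (peer, port), out_bytes in outbound.items():
        in_bytes = inbound.get((peer, port), 0)
        if in_bytes == 0:
            # Reply without a matching request in this window: cannot compute
            # a factor, so skip rather than divide by zero.
            continue
        factor = out_bytes / in_bytes
        if factor >= min_factor:
            findings.append({
                "peer": peer,            # the address being flooded (likely spoofed victim)
                "port": port,            # the service on our server doing the amplifying
                "bytes_in": in_bytes,
                "bytes_out": out_bytes,
                "factor": round(factor, 1),
            })
    findings.sort(key=lambda r: r["factor"], reverse=True)
    return findings


def run_demo():
    """Run the detector over the constructed sample and return its findings."""
    flows = [parse_flow(line) for line in SAMPLE_FLOWS]
    return amplification_report(flows, SERVER_IP)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"port {finding['port']} -> {finding['peer']}: "
              f"{finding['bytes_in']} B in, {finding['bytes_out']} B out, "
              f"x{finding['factor']} amplification")
```

Only the 198.51.100.7 pairing is reported (90 bytes in, 1,350,000 bytes out, a factor of 15,000); the x7 exchange stays under the threshold and the reply with no request in the window is skipped. A real deployment would run this over short time windows exported by the router or collector, and the flagged peer addresses are the ones to notify, since they are the parties being flooded.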

So what can I do if I get hit?

If you fall victim to one of these attacks, the evil doers may contact you and demand a ransom payment to stop the attack.

Your first call should be to your Internet Service Provider (ISP). They may have a facility to mitigate such attacks, or they can engage a third-party company to do so. These services may not be cheap, however – so you’ve got to balance this cost against any ransom that may be demanded.

Bear in mind that if you pay the ransom once, the chances are you’ll do so again (at least one more time).

My advice is don’t pay the ransom.

Engage the good guys to mitigate the attack.

Finally report the crime to An Garda Síochána.

What? Why???

A crime was committed.

No, they probably won’t be able to do anything about it.

But the more reports of cyber crime the Gardaí record, the more those reports factor into their statistics. Once the true scale of cyber crime is seen, they can begin to receive an adequate budget to deal with this type of crime, which they badly need.