Earlier this year, Akamai mitigated the largest DDoS attack in its history, fueled by a new reflector, memcached. The attack targeted one of our software clients and broke through the 1 Tbps threshold for the first time. Memcached was developed to act as a distributed memory caching system. Because memcached communicates over UDP, an insecure protocol, and carries the potential for tremendous amplification, it has the key traits of a successful reflection-based attack vector. This Attack Spotlight takes a deeper look into the memcached attack vector that redefined the term "largest attack" and is the first part of our State of the Internet Security Summer 2018 report.
By default, the memcached protocol allows the value stored under a single key to hold 1 MB of data. A single UDP packet can request that the data be delivered to the DDoS target multiple times, creating a potential amplification factor in excess of 50,000 times the traffic sent. Throughout the Attack Spotlight, we explore what is possible with the default attack payload found in available attack scripts as well as what was observed during the 1.3 Tbps attack.
The Attack Spotlight has traditionally been folded within the longer State of the Internet Security publication. This quarter, however, we are publishing it a couple of weeks earlier as a separate publication. You can find the full Attack Spotlight on memcached here.