A long time ago in a git repository far-far away, a commit made by Brian Aker introduced a brilliant feature of the default listening to UDP traffic in memcached.
Days in between February 23, 2018, and the Monday of February 26, 2018, were marked by multiple memcached-amplification DDoS attacks across entire Europe.
As many readers of the Qrator Labs blog know, DDoS attacks target aims at different network levels. In particular, a substantial botnet presence allows an intruder to carry out attacks on the L7 (application layer) and mimic regular users. Without such a botnet the attacker is forced to limit packet attacks (any of those allowing the source address forgery at some stage of execution) to the underlying transit networks levels.
Naturally, in both these scenarios attacker tends to use some existing toolkit — just like a website developer does not write it entirely from scratch, using familiar frameworks like Joomla or Bootstrap (or something else depending on one’s skills). For example, the well-known framework for executing attacks from the Internet of Things for a year and a half is Mirai, open-sourced by its authors in an attempts to shake the FBI off the tail in October 2016.
If you are looking for services such as IP-transit, MPLS channels or DDoS mitigation you can choose from a variety of products. However, it is difficult to compare offers and companies regarding actual service quality. Some organizations compare market offers, but often they look at the market share or the company’s financial condition and other business metrics that are not necessarily relevant to the quality of a service per se. Also, most of these comparisons are not available free of charge.
Fortunately, the situation is changing. Recently we have been given an opportunity to create global scale measurements with services such as PlanetLab, NLNOG RINGand, of course, RIPE Atlas. RIPE Atlas has become the biggest measurement platform, with a rich API as the primary user interface. However, an output of API requests is not always human-readable; it still requires a set of tools on top of the API, to make data easily understandable. So we decided to work on a fix.
Moscow is famous for the traffic jams, with the governments continually fighting that particular problem. Nevertheless, the beginning of 2018 was marked with the new traffic bottleneck created with the help of BGP misdirection. At 12:01 UTC 17.01.2018, AS8901 belonging to Moscow City Government started leaking prefixes between its upstreams: the Rostelecom (AS12389) and Comcor (AS8732). Redirection peaked at 70000 affected prefixes.
