
Jason Garbis, March 1, 2017

Read My Lips: Don't Be a Botnet

These days, most organizations are aware that they can be the target of a DDoS attack, and they have put protections in place to keep their public-facing websites up in the face of such attacks. Far fewer think about the potential for their own servers to be harnessed in a botnet, the group of machines used to conduct DDoS attacks. That is because, to date, attackers have mainly relied on publicly available services, like open DNS resolvers, to launch and amplify DDoS attacks.

This week, though, researchers discovered that attackers are abusing a previously obscure method that delivers attacks over 50,000 times their original size, the largest amplification factor ever observed. The vector is memcached, a caching system that speeds up applications and websites. In other words, if you're running memcached reachable from the Internet, you are now a very likely target to become part of a botnet. Should that happen, it's likely that both your servers and your upstream Internet provider will buckle under the outbound traffic. Exciting times, right?

These attacks work because certain UDP-based services, memcached in particular, respond to a small request with a very large response. Because UDP performs no handshake, the attacker can put a spoofed source IP address in the request, and the server then sends its large response to the victim's address instead of the attacker's. So what should you do to avoid being assimilated into a Borg-ish botnet? Three things:

  1. Take inventory of any Internet-facing servers, and ensure that memcached is not inadvertently enabled or listening on UDP.
  2. For any Internet-facing servers that require memcached, consider using a Software-Defined Perimeter to ensure that only authorized users are able to send UDP packets to them. This prevents attackers from harnessing these servers in a DDoS attack and using them to amplify it.
  3. Also look at internal servers that are running memcached: an internal denial-of-service attack could be launched from locally running malware.
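To make step 1 and step 3 concrete, here is a small audit helper, added as an example here and not part of the original post or of any Appgate product. It reads memcached command lines as they appear in `ps` output (the sample lines below are constructed) and flags any process that still has UDP enabled on a non-loopback bind address, which is the combination that makes a host usable as a reflector. It assumes the pre-1.5.6 defaults (UDP on port 11211, bound to all interfaces when `-l` is absent) and only parses the `-U`/`--udp-port` and `-l`/`--listen` flags.

```python
import ipaddress
import shlex


def _is_loopback(addr):
    """True for 127.x, ::1 or the literal 'localhost'."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostname or socket path; treat as not loopback


def audit_memcached_cmdline(cmdline):
    """Return (udp_port, listen_addrs, reflector_risk) for one memcached process.

    Assumed defaults match memcached before 1.5.6: UDP on 11211 and bind to
    all interfaces unless -l/--listen is given. -U 0 disables UDP entirely.
    """
    args = shlex.split(cmdline)
    udp_port, listen, i = 11211, [], 0
    while i < len(args):
        a = args[i]
        nxt = args[i + 1] if i + 1 < len(args) else None
        if a in ("-U", "--udp-port"):
            udp_port, i = int(nxt), i + 2
        elif a.startswith("--udp-port="):
            udp_port, i = int(a.split("=", 1)[1]), i + 1
        elif a.startswith("-U") and len(a) > 2:
            udp_port, i = int(a[2:]), i + 1
        elif a in ("-l", "--listen"):
            listen, i = listen + nxt.split(","), i + 2
        elif a.startswith("--listen="):
            listen, i = listen + a.split("=", 1)[1].split(","), i + 1
        elif a.startswith("-l") and len(a) > 2:
            listen, i = listen + a[2:].split(","), i + 1
        else:
            i += 1
    # Reflector risk needs UDP on AND a bind that is reachable off-host.
    reachable = not listen or any(not _is_loopback(x) for x in listen)
    return udp_port, listen, udp_port != 0 and reachable


# Constructed sample of `ps -eo args` output, not captured from a real host.
SAMPLE_PS = """\
memcached -m 64 -p 11211 -u memcache
memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -U 0
memcached -m 64 -p 11211 -u memcache -l 10.0.0.5,127.0.0.1
"""


def risky_memcached_processes(ps_text):
    """Return the memcached command lines that could serve as UDP reflectors."""
    return [line for line in ps_text.splitlines()
            if line.split()[:1] == ["memcached"] and audit_memcached_cmdline(line)[2]]
```

The fix for a flagged process is the same in every case: add `-U 0` (or upgrade to a release that disables UDP by default) and bind with `-l 127.0.0.1` unless remote clients genuinely need it, in which case step 2 applies.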


We'll continue to monitor this story as it develops. We expect to see some incredibly large DDoS attacks executed in the coming days and weeks with this capability. Cloudflare said the attacks they're seeing come from fewer than 6,000 memcached servers that are reachable on the Internet, but Ars Technica reported that searches show there are more than 88,000 such servers, a sign that attacks may get much bigger. Organizations should move quickly on the steps above to avoid being part of this wave.
