Amplification Chamber: Dissecting the Attack Infrastructure of Memcached DRDoS Attacks

Detection of Intrusions and Malware, and Vulnerability Assessment (2022)

Abstract
Distributed and reflective denial-of-service (DRDoS) attacks have been one of the most devastating and harmful threats on the Internet. By abusing open Internet services such as DNS and NTP, attackers can amplify traffic without revealing their IP addresses. In the case of Memcached DRDoS attacks, adversaries often set large caches on amplifiers using TCP requests before launching the attack, which gives hints about the IP addresses of the attack infrastructure. In this paper, we trace the anonymous attacks back to their origins and investigate their attack infrastructure. During 15 months of monitoring (September 2018 to November 2019) via eleven honeypots, we observed 820,729 Memcached DRDoS attacks. Of these, 370,795 attacks were associated with TCP set requests, and 127,771 attacks were associated with UDP set requests. We found 199 unique IP addresses in 54 ASes used to set the large caches for these attacks, and that attackers keep reusing the same large caches or even borrow a cache set by someone else. This implies a relatively small number of threat actors compared to the vast number of attacks. In hotspots where setters are concentrated, the attack infrastructure had components such as scanners to find amplifiers, setters to prepare the attacks, and launchers to generate the DDoS traffic. By conducting a TTL-based trilateration analysis, we found that 7,407 attacks originated from the setters, indicating that 16.6% of the setters also worked as launchers. Finally, we confirmed that there were still over 15,000 amplifiers in the wild, scattered across over 1,000 ASes. This result suggests that the threat of Memcached DRDoS attacks will continue to exist, and our analysis of the attack infrastructure could provide helpful information for practical actions such as takedowns. We have provided the obtained results on the attack infrastructure to our national CERT.
Keywords
Memcached DRDoS attack, Amplifier