Akamai's Prolexic platform was able to mitigate the attack by filtering all traffic sourced from UDP port 11211, the default port used by memcached.
Interesting. The impressive part is that their platform correctly identified the attack and automatically applied the solution within 20 minutes. I wonder how?
Possibly a team of smart sysadmins on standby? It's easy to detect when you're being attacked, but hard to mitigate. So whenever you get attacked, set up your site to automatically forward over to this service, and their clever humans take it from there.
Some of the most impactful tech projects are just mechanical turks, so it wouldn't be surprising. But I wonder what the truth is.
you monitor netflow for anomalies - when they occurred you change the routing via BPG to prolexic (e.g. the attacked /24) - they have huge amount of available bandwidth and hardware to filter out unwanted traffic - if you get a known attack like in this case, it's completely automated in case you want it... - your traffic is forwarded to the original destination via GRE
After the Github attack, there was a larger, 1.7Tbps DDoS against an unnamed client of Arbor Networks using the same memcached tactic. I hope someone is working on getting all those open memcached servers secured..
Maybe it's a way to test the attacker's infrastructure against a semi-hardened target?
I say "semi" because it still seems like a small-ish player, and while I do trust PM to have some very capable people handling their infrastructure, I doubt they have tens of millions in their security budget (vs e.g. Cloudflare or Google or perhaps certain banks).
Protonmail provides my only non-work email address for everything. Is it a good idea to have multiple email accounts with multiple service providers? Seems inconvenient. But then, perhaps I am taking a risk with my current set up.
SMTP is pretty resilient. Unless you have some critical process where email can’t be delayed a few hours, I wouldn’t worry about it. You could, if needed, get your own domain, and swap MX records to a different provider if something like this arises. Yandex might be a good backup. They have a pretty good, and free, service that allows you to bring your own domain.
18 comments
[ 4.3 ms ] story [ 53.5 ms ] threadThis was issued at about 11:15am eastern time.
Say you're running a website fronted by Cloudflare, for example.
I think protonmail is experiencing the same type of attack (memcached amplified)
Interesting. The impressive part is that their platform correctly identified the attack and automatically applied the solution within 20 minutes. I wonder how?
Possibly a team of smart sysadmins on standby? It's easy to detect when you're being attacked, but hard to mitigate. So whenever you get attacked, set up your site to automatically forward over to this service, and their clever humans take it from there.
Some of the most impactful tech projects are just mechanical turks, so it wouldn't be surprising. But I wonder what the truth is.
I say "semi" because it still seems like a small-ish player, and while I do trust PM to have some very capable people handling their infrastructure, I doubt they have tens of millions in their security budget (vs e.g. Cloudflare or Google or perhaps certain banks).