DDoS Blog

What is Memcached DDoS?

March 10, 2018 By TheNewsTeam

Memcached is a tool used to cache data and lessen the strain on large data stores, such as disks or databases. The memcached protocol lets clients query the server for stored key-value data. It was built to be used on systems that are not exposed to the Internet, and it requires no authentication. If a memcached server is reachable from the Internet, the protocol can be abused very easily.

The attack is similar to all other amplification attacks. Initially, an attacker capable of spoofing IP addresses sends fake requests to a vulnerable UDP server. The UDP server, unaware the request is fake, prepares the response. When thousands of responses are sent to an unsuspecting target host, they overwhelm its resources and sometimes crash the network. Amplification attacks are effective because the response packets are usually much bigger than the request packets. A carefully prepared technique lets an attacker with very limited IP spoofing capacity (e.g. 1 Gbps) launch massive attacks (up to 100 Gbps), “amplifying” their bandwidth.

A discovery of a new amplification vector, such as this memcached UDP DDoS, happens rarely. Cloudflare says that “the protocol specification shows that it’s one of the best protocols to use for amplification ever! There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! Furthermore, the request can be tiny and the response huge (up to 1MB).”

Cloudflare also described the ease of launching such an attack. First, an attacker implants a large payload on an exposed memcached server; then they spoof the “get” request with the target’s source IP. There is a huge amplification factor.

Cloudflare says that there are vulnerable memcached servers worldwide, in particular in North America and Europe, located in major hosting providers.

According to Akamai, there are currently more than 50,000 known vulnerable systems exposed. Security firm Rapid7 puts the figure even higher at “well over 100,000 exposed memcached servers at any time”. Security firms are advising people using such memcached servers to immediately remove them from Internet access.

Memcached listens only on localhost on TCP and UDP port 11211 on most versions of Linux; however, in some distributions it is configured to listen on this port on all interfaces by default.
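The two settings that decide whether a memcached instance is a usable reflector are its UDP port and its bind address. The following audit script is an added example (not code from the blog or from the memcached project): it reads the Debian/Ubuntu-style `/etc/memcached.conf` format (one option per line, `#` comments) or the same switches from a command line, works out the effective UDP port (`-U`, where `-U 0` disables UDP), TCP port (`-p`) and bind addresses (`-l`, comma-separated), and reports exposure. The sample configurations at the bottom are constructed for the demonstration; the pre-1.5.6 default of UDP enabled on the TCP port is assumed when no `-U` is given, which is the conservative reading for an audit.

```python
"""Audit memcached launch options for Internet-exposed UDP service.

Added example, not the blog's or memcached's own code. Understands the
Debian-style memcached.conf layout (one option per line, '#' comments)
and plain command-line switches: -U <port> UDP port (0 disables UDP),
-p <port> TCP port, -l <addr[,addr]> bind address(es).
"""
import ipaddress
import shlex

DEFAULT_PORT = 11211


def parse_options(conf_text):
    """Flatten config-file text (or a one-line command) into an option list."""
    tokens = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line:
            tokens.extend(shlex.split(line))
    return tokens


def effective_settings(tokens):
    """Return (udp_port, tcp_port, bind_addrs) after applying the options.

    Assumption: with no -U, UDP is on the same port as TCP (the historical
    memcached default before 1.5.6 disabled UDP by default).
    """
    tcp_port = DEFAULT_PORT
    udp_port = None
    bind_addrs = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-U", "-p", "-l"):
            val = tokens[i + 1]
            if tok == "-U":
                udp_port = int(val)
            elif tok == "-p":
                tcp_port = int(val)
            else:
                bind_addrs.extend(a.strip() for a in val.split(","))
            i += 2
        else:
            i += 1   # other switches (-m, -c, -d, ...) do not affect exposure
    if udp_port is None:
        udp_port = tcp_port
    return udp_port, tcp_port, bind_addrs


def is_loopback(addr):
    """True for 127.0.0.0/8, ::1 and the literal name 'localhost'."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False   # unparsable address: treat as not safe


def audit(conf_text):
    """Return a list of (severity, message) findings; empty means hardened."""
    udp_port, tcp_port, bind_addrs = effective_settings(parse_options(conf_text))
    if bind_addrs:
        exposed = [a for a in bind_addrs if not is_loopback(a)]
    else:
        exposed = ["all interfaces"]   # no -l: memcached binds everywhere
    where = ", ".join(exposed)
    findings = []
    if udp_port and exposed:
        findings.append(("CRITICAL", f"UDP port {udp_port} listens on {where}: "
                         "usable as an amplification reflector; set -U 0 or bind to localhost"))
    if exposed:
        findings.append(("WARNING", f"TCP port {tcp_port} listens on {where} with no "
                         "authentication; use -l 127.0.0.1 or firewall port 11211"))
    return findings


# Constructed sample configurations for the demonstration.
WEAK_CONF = "-m 64\n-p 11211\n-U 11211   # UDP on\n-l 0.0.0.0\n"
HARDENED_CONF = "-m 64\n-p 11211\n-U 0       # UDP off\n-l 127.0.0.1\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
```

Run it against the real file with `audit(open("/etc/memcached.conf").read())`, or against the running process with `audit(" ".join(psutil-style cmdline))`; the weak sample yields a CRITICAL and a WARNING, the hardened one yields nothing.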

To prevent future attacks, Cloudflare advises users running memcached to disable UDP support immediately if it is not being used. They also warn users to ensure that memcached servers are firewalled from the Internet, and share a test to find out whether they can be accessed over UDP or not. In terms of the bigger picture, Cloudflare says that in order to defeat future such attacks, “we need to fix vulnerable protocols and also IP spoofing”, adding “as long as IP spoofing is permissible on the Internet, we’ll be in trouble”. Finally, they urge developers to stop using UDP, and if they do use it, to ensure that it is not enabled by default.
