Memcached server reflection DDoS attack
Attackers have found a way to amplify distributed denial-of-service attacks by an unprecedented 51,000 times their original strength, a development that white hats say could lead to new record-setting assaults that take out websites and Internet infrastructure. These DDoS attacks are possible because of the unsecured way the memcached developers implemented support for the UDP protocol in their product.
To make matters worse, memcached servers also expose their UDP port to external connections in the default configuration, meaning any memcached server that is not behind a firewall can be abused for DDoS attacks right now.
How Memcrashed DDoS amplification works
Attackers abuse unprotected memcached servers that have UDP enabled. As with other amplification methods, the attacker sends a request to the exposed server on UDP port 11211 using a spoofed source IP address that matches the IP of the victim. The request sent to the server is just a few bytes, but the response can be tens of thousands of times bigger, so the server reflects a large volume of traffic at the victim.
The largest memcached DDoS attack observed by Cloudflare peaked at 260 Gbps, but Arbor Networks reported seeing attacks that peaked at 500 Gbps and even more.
What Cloudflare says about Memcrashed DDoS
“I was surprised to learn that memcached does UDP, but there you go!” said CloudFlare’s Marek Majkowski. “The protocol specification shows that it’s one of the best protocols to use for amplification ever! There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! Furthermore, the request can be tiny and the response huge (up to 1MB).”
Arbor Networks noted that the Memcached priming queries used in these attacks could also be directed towards TCP port 11211 on abusable Memcached servers.
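The two halves of the attack described above (tiny spoofed queries arriving at UDP/11211, and near-MTU-sized replies leaving port 11211 towards an outside address) are both visible in flow records. The following detector is an added example, not code from the original article or from Cloudflare or Arbor Networks. It assumes a constructed one-flow-per-line format, a constructed list of "our" network prefixes, and a bytes-per-packet threshold chosen for the example; a real deployment would feed it NetFlow/IPFIX exports and its own prefix inventory.

```python
# Added example: classify UDP flows that look like memcached reflection traffic.
# Constructed flow-record format (one flow per line):
#   <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes> <packets>
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MEMCACHED_PORT = 11211

# Prefixes we are responsible for (constructed for the example).  Anything
# outside them is "external".  Documentation ranges are used deliberately.
OUR_NETS = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("203.0.113.0/24")]

# Average reply size that marks a flow as amplified.  Priming "get" requests
# are a few dozen bytes; memcached replies fill the packet.  Assumed threshold.
AMPLIFIED_BYTES_PER_PKT = 1000


@dataclass
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    byte_count: int
    pkt_count: int


def parse_flow(line: str) -> Flow:
    proto, src, _arrow, dst, nbytes, npkts = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(proto.upper(), sip, int(sport), dip, int(dport), int(nbytes), int(npkts))


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in OUR_NETS)


def classify(flow: Flow) -> Optional[str]:
    """Return a label for suspicious memcached traffic, or None."""
    if flow.proto != "UDP":
        return None
    avg = flow.byte_count / max(flow.pkt_count, 1)
    # Large replies leaving our port 11211 for the Internet: one of our servers
    # is being used as a reflector and the destination is the victim.
    if flow.src_port == MEMCACHED_PORT and is_external(flow.dst_ip) and avg >= AMPLIFIED_BYTES_PER_PKT:
        return "reflector-egress"
    # Large traffic from an outside host's port 11211 into our space: we are the target.
    if flow.src_port == MEMCACHED_PORT and is_external(flow.src_ip) and avg >= AMPLIFIED_BYTES_PER_PKT:
        return "amplified-ingress"
    # Any outside host talking to our UDP/11211: priming or spoofed queries.
    if flow.dst_port == MEMCACHED_PORT and is_external(flow.src_ip):
        return "external-query"
    return None


def detect(lines: List[str]) -> List[Tuple[str, Flow]]:
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            findings.append((label, flow))
    return findings


# Constructed sample: a reflector on 203.0.113.7, a victim on 203.0.113.50,
# and legitimate internal cache traffic that must not be flagged.
SAMPLE_FLOWS = """\
# constructed sample flows
UDP 203.0.113.7:11211 -> 198.51.100.20:80 1460000 1000
UDP 198.51.100.20:40000 -> 203.0.113.7:11211 1500 100
TCP 10.0.0.5:52000 -> 10.0.0.9:11211 3000 20
UDP 10.0.0.9:11211 -> 10.0.0.5:52000 400000 300
UDP 192.0.2.40:11211 -> 203.0.113.50:53 2900000 2000
""".splitlines()

if __name__ == "__main__":
    for label, flow in detect(SAMPLE_FLOWS):
        print(f"{label:18} {flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port} "
              f"avg {flow.byte_count // flow.pkt_count} B/pkt")
```

The internal flow from 10.0.0.9 to 10.0.0.5 has a large average packet size too, but it never crosses the network edge, so it is left alone; the distinction that matters for this attack is direction relative to the Internet, not size alone.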
How to protect memcached servers from DDoS abuse
The system administrators of memcached servers can protect them in one of the following ways:
- Configure the server to listen only on 127.0.0.1 (localhost) if memcached is used only locally and there are no external connections to the server. You can do this with the option -l 127.0.0.1 (long form --listen=127.0.0.1).
- Disable UDP support if you are not using it. You can do this with the option -U 0.
- Firewall UDP port 11211 if you need both external connections and UDP support, and make sure the server is reachable only from the IP addresses you need.