Memcached Servers reflection ddos attack

Hackers have found a way to amplify distributed denial-of-service attacks by an unprecedented 51,000 times their original strength in a development that white hats say could lead to new record-setting assaults that take out websites and Internet infrastructure. These DDoS attacks are possible because of the unsecured way the memcached developers implemented support for the UDP protocol in their product.

Furthermore, to make matters worse, memcached servers also expose their UDP port to external connections in the default configuration, meaning any memcached server not behind a firewall can be abused for DDoS attacks right now.

How Does Memcrashed DDoS Amplification Work?

Attackers are apparently abusing unprotected memcached servers that have UDP enabled. As with other amplification methods, the attacker sends a request to the targeted server on port 11211 using a spoofed source IP address that matches the IP of the victim. The request sent to the server is just a few bytes, but the response can be tens of thousands of times bigger, resulting in a significant attack.


The largest memcached DDoS attack observed by Cloudflare peaked at 260 Gbps, but Arbor Networks reported seeing attacks that peaked at 500 Gbps and even more.

What Cloudflare Says About Memcrashed DDoS

“I was surprised to learn that memcached does UDP, but there you go!” said CloudFlare’s Marek Majkowski. “The protocol specification shows that it’s one of the best protocols to use for amplification ever! There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! Furthermore, the request can be tiny and the response huge (up to 1MB).”

Arbor Networks noted that the Memcached priming queries used in these attacks could also be directed towards TCP port 11211 on abusable Memcached servers.

How to Protect Memcached Servers from DDoS Abuse?

The system administrators of Memcached servers can protect them in one of the following ways:


  • Configure the server to listen only on localhost if memcached is used only locally and no external connections to the server are needed. You can do this with the option --listen (short form -l), for example --listen 127.0.0.1
  • Disable UDP support if you are not using it. You can do this with the option -U 0
  • If you need both external connections and UDP support, firewall UDP port 11211 so that the server is reachable only from the IPs you need
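As an added example (not code from the article or from the memcached project), here is a small Python audit that reads a Debian-style memcached.conf (one option per line) and flags the two conditions from the list above: listening beyond loopback and UDP still enabled. It assumes that config format, bare addresses in -l (no :port suffix), and a memcached older than 1.5.6, where a missing -U meant UDP on port 11211.

```python
import argparse
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed samples in the Debian /etc/memcached.conf style (one option per
# line, '#' comments). The weak one matches the pre-1.5.6 defaults the article
# describes: no -l, so memcached binds every interface; no -U, so UDP is on.
WEAK_CONF = """
-m 64
-p 11211
-u memcache
"""

# The same file after applying the first two fixes from the list above.
HARDENED_CONF = """
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-U 0
"""

def conf_to_argv(text):
    """Flatten a memcached.conf into the argv memcached would actually see."""
    argv = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            argv.extend(shlex.split(line))
    return argv

def audit(conf_text):
    """Return {'amplifier': bool, 'findings': [...]} for one config file."""
    p = argparse.ArgumentParser(add_help=False)
    p.add_argument("-l", "--listen", action="append", default=[])
    # Assumption: memcached older than 1.5.6, where a missing -U means UDP on 11211.
    p.add_argument("-U", "--udp-port", type=int, default=11211)
    opts, _ignored = p.parse_known_args(conf_to_argv(conf_text))
    # -l may repeat or hold a comma-separated list; bare addresses assumed (no :port).
    addrs = [a for chunk in opts.listen for a in chunk.split(",")]
    exposed = not addrs or any(a not in LOOPBACK for a in addrs)
    findings = []
    if exposed:
        findings.append("listens on non-loopback address(es): " + (",".join(addrs) or "all"))
    if opts.udp_port != 0:
        findings.append("UDP enabled on port %d" % opts.udp_port)
    # Only the combination makes the host usable as a reflector from the Internet.
    return {"amplifier": exposed and opts.udp_port != 0, "findings": findings}
```

Run audit() over each host's config during a sweep; a hardened host that still shows "UDP enabled" is the case for the third list item, a firewall on UDP 11211.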

Have a question? Ask us in the comments.