Surge in memcached-based reflected DDoS attacks is due to misconfigured servers

Massive memcached-based reflection DDoS attacks with an unprecedented amplification factor have been ongoing for the last few days, by taking advantage of memcached servers exposed to the Internet.

What is memcached?

Memcached is a distributed memory caching system and is used to speed up dynamic database-driven websites and Internet-facing services by caching data and objects in RAM.

It is often deployed in data center, cloud, and IaaS networks.

According to both Rapid7 and SANS ISC, there are currently over 100,000 exposed memcached servers on the Internet.

What’s the problem?

“The general idea behind all amplification attacks is the same. An IP-spoofing capable attacker sends forged requests to a vulnerable UDP server. The UDP server, not knowing the request is forged, politely prepares the response. The problem happens when thousands of responses are delivered to an unsuspecting target host, overwhelming its resources – most typically the network itself,” Cloudflare’s Marek Majkowski explains.

“Amplification attacks are effective because often the response packets are much larger than the request packets. A carefully prepared technique allows an attacker with limited IP spoofing capacity (such as 1Gbps) to launch very large attacks (reaching 100s Gbps) ‘amplifying’ the attacker’s bandwidth.”

Involving a memcached server in reflection/amplification DDoS attacks is easy: the attacker first puts in place a set of reflectors/amplifiers with arbitrary-length key/value pairs on a vulnerable memcached server, and then issues queries for them from the (spoofed) IP address of the target.

It’s not that memcached attacks were unknown before this (memcached as a possible amplification vector was pointed out last year), it’s that they have spiked in the last couple of days.

“At peak, we’ve seen 260Gbps of inbound UDP memcached traffic,” Majkowski shared.

According to US-CERT, memcached has an bandwidth amplification factor of 10,000 to 51,000, which is by far the highest when compared with that of other UDP protocols.

“Arbor’s current assessment is that, as with most other DDoS attack methodologies, memcached DDoS attacks were initially – and for a very brief interval – employed manually by skilled attackers; they have subsequently been weaponized and made available to attackers of all skill levels via so-called ‘booter/stresser’ DDoS-for-hire botnets,” Arbor Networks noted.

“The rapid increase in the prevalence of these attacks indicates that this relatively new attack vector was weaponized and broadly leveraged by attackers within a relatively short interval.”

What’s the solution?

Memcached lacks access controls by design, and that’s why it shouldn’t be exposed to the Internet.

“Attacks of the size potentially created by memcached reflection cannot be easily defended against by data center solutions, requiring the cooperation of upstream ISPs and/or cloud-based DDoS protection services,” says Akamai’s SIRT.

“Blocking port 11211 is a starting point for defenses and will prevent systems on your network from being used as reflectors. Configuring mitigation controls, like port blocking, can allow for this traffic to be handled quickly and efficiently.”

Setting the servers behind a firewall is also recommended.

Majkowski also urged developers to stop using UDP and stop enabling it by default.

“We’ve been down this road so many times. DNS, NTP, Chargen, SSDP and now memcached. If you use UDP, you must always respond with strictly a smaller packet size then the request. Otherwise your protocol will be abused,” he pointed out.

“Also remember that people do forget to set up a firewall. Be a nice citizen. Don’t invent a UDP-based protocol that lacks authentication of any kind.”