i Memcached – DDOS attacks from UDP port 11211 – All things in moderation

Memcached – DDOS attacks from UDP port 11211

Memcached Servers Abused for Massive Amplification DDoS Attacks

On March 5, Netscout Arbor Networks reported a 1.7-Tbps DDoS attack that was driven by the amplification of misconfigured memcached servers. While there were some initial fears that the attacks would continue to grow in size, the opposite has happened.

According to Cloudflare, Memcached-based reflection DDoS attacks can have amplification factors up to 51,200. The company cites recent DDoS attacks launched against its network where attackers sent 15-byte packets and Memcache servers responded with 750kB-packets in return.

So what is memcached? In this article we will learn more about memcached and the DDOS attack related to it.

What is memcache?

Free & open source, high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load.

Memcached is an in-memory key-value store for small chunks of arbitrary data (strings, objects) from results of database calls, API calls, or page rendering.

Memcached is simple yet powerful. Its simple design promotes quick deployment, ease of development, and solves many problems facing large data caches. Its API is available for most popular languages.

The Memcached application has been designed to speed up dynamic web applications by reducing stress on the database that helps administrators to increase performance and scale web applications. It’s widely used by thousands of websites, including Facebook, Flickr, Twitter, Reddit, YouTube, and Github.

Typical memcached Application Flowchart

The general sequence for using memcached:
1- Request the item from the cache.
2- If the item exists, use the item data.
3- If the item does not exist, load the data from server, and store the value into the cache. This means the value is available to the next client that requests it from the cache.
Using memcache will reduce the amount of work the server needs to do. Make your website run faster around 70%.

How Memcrashed DDoS Amplification Attack Works?

Memcached is a high-performance, distributed memory object caching system to speed up dynamic web applications. In this case, malicious actors take advantage of Memcached’s trait to intensify the attacks. Through the Memcached protocol, attackers are able to send over massive UDP packets including victims’ IP addresses, and then Memcached servers also response massive packets to these sources, and become a DRDoS attack.

According to the researchers, just a few bytes of the request sent to the vulnerable server can trigger the response of tens of thousands of times bigger.

How to Fix Memcached Servers?
1. Put your service on a trusted domain. Set up ACL (access control list) or add security groups if necessary. Don’t listen on 0.0.0.0 when connected to extranet.
2. Change memcached default monitor ports to prevent machine scanning and SSRF (Server Side Request Forgery) attack.
3. Update to the latest version of memcached, and use SASL password for authentication.

One of the easiest ways to prevent your Memcached servers from being abused as reflectors is firewalling, blocking or rate-limiting UDP on source port 11211.

Leave a Reply