Attackers Using Memcached Servers to Amplify DDoS Attacks

Multiple vendors are warning about the rise of a new type of DDoS attack that uses internet accessible memcached services to amplify the volume of attack traffic.

DDoS Amplification 2

There is a new threat vector for Distributed Denial of Service (DDoS) attacks that is now taking aim at global service providers. Multiple vendors and cloud operators are reporting that attackers are using mis-configured Memcached servers to help amplify DDoS attacks.

In an amplification or reflection attack, hackers abuse a misconfiguration in a publicly accessible internet service in an attempt to have the mis-configured service become part of the DDoS attack.  In the new memcached amplification attack, hackers are able to send large volumes of UDP traffic to produce the DDoS attack.

"At peak we've seen 260 Gbps of inbound UDP memcached traffic," CloudFlare engineer Marek Majkowski wrote on Feb. 27. "This is massive for a new amplification vector." 

Akamai reported that it has seen multiple sets of memcached reflection attacks, with some reach attack volumes of 190 Gbps. Arbor Networks reported that it is seeing memcached attacks that are even larger.

"We have observed a considerable uptick in memcached reflection/amplification attacks ranging in size from a few hundred mb/sec up to 500gb/sec and larger," Roland Dobbins, principal engineer at Arbor Networks wrote in an advisory.

Memcached is a widely used open-source tool for distributed memory object caching. It is typically deployed alongside databases as a way to help distribute processing loads and improve query response time. 

"Due to its nature as a form of organic caching middleware and its lack of access controls (unless specifically compiled with a rarely-used TLS authentication option), memcached should not be exposed to the public Internet," Dobbins wrote.

The problem though is that memcached servers have in fact been left publicly exposed. According to Akamai, there are over 50,000 known vulnerable memcached systems on the public internet. CloudFlare's analysis found that the vulnerable memcached servers were all over the world, with the highest concentrations in North America and in the Europe.

Amplification Attacks

There are multiple other DDoS amplification vectors that attackers have made use of in recent years including NTP (Network Time Protocol), which emerged as a major threat vector in 2014. Attackers have also misconfigured Domain Name Service (DNS) and Simple Service Directory Protocol  (SSDP) attacks in recent years.

What makes the memcached amplification DDoS attack particularly worrisome is the bandwidth amplification factor that the attack can deliver. 

"Previously, attackers were limited by the linear number of packets directly sent to the target to conduct a DoS attack; now a single packet can generate between 10 and 100 times the original bandwidth," US-CERT warns in a technical alert on UDP-based amplification attacks. "The potential effect of an amplification attack can be measured by BAF (Bandwidth Amplification Factor), which can be calculated as the number of UDP payload bytes that an amplifier sends to answer a request, compared to the number of UDP payload bytes of the request."

According to US-CERT a DNS reflection attack for example can deliver a bandwidth amplification factor of between 28 and 54. In contrast, the amplification factor for a memcached reflection attack is anywhere from 10,000 to 51,000.

Remediation

There are several things that can be done to help mitigate the risk of memcached reflection attacks.  The most obvious thing that should be done is for organizations to not expose their memcached services to the public internet.

Arbor Networks recommends that network operators make use of IETF Best Current Practise (BCP) source-address validation techniques which define approaches for network ingress filtering such as BCP38 w and BCP84.

"As always network operators are strongly encouraged to implement source address validation/BCP38/BCP84 in order to prevent their networks and the networks of their end-customers from being leveraged in reflection/amplification DDoS attacks," Dobbins wrote.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.