Memcached DDoS Attacks Slow Down as Patching Ramps Up

Memcached patching efforts appear to be working as the attack bandwidth size of memcached DDoS attacks are now on the decline.

DDoS Amplification 2

Days after the largest distributed denial-of-service attack in internet history, the attack size of memcached DDoS attacks is now on the decline.

On March 5, Netscout Arbor Networks reported a 1.7-Tbps DDoS attack that was driven by the amplification of misconfigured memcached servers. While there were some initial fears that the attacks would continue to grow in size, the opposite has happened.

"We're still seeing lots of them, but their average size is considerably smaller due to ongoing cleanup and mitigation efforts," Steinthor Bjarnason, senior network security analyst at Netscout Arbor, told eWEEK.

Memcached is a widely deployed open-source tool for distributed memory object caching. Attackers are taking aim at servers that have been left open and exposed to the internet, sending UDP traffic that is then reflected to a target victim. The first attacks using the memcached DDoS reflection tactic were reported at the end of February, with attacks ranging from 190 Gbps to 500 Gbps. Attack bandwidth escalated rapidly, and on March 1, GitHub was hit by a 1.35-Tbps memcached DDoS attack, with the 1.7-Tbps attack following days later, on March 5.

Arbor Networks isn't the only one seeing a reduction in the average size of memcached DDoS attacks. 

"They [memcached DDoS attacks] have reduced to the point where they are small compared to other DDoS vectors," John Graham-Cumming, CTO of CloudFlare, told eWEEK

Although memcached DDoS bandwidth attack volume has declined, other DDoS attack amplification vectors continue to persist. Graham-Cumming noted that Simple Service Discovery Protocol (SSDP)-based attacks continue occur frequently and with fairly large volumes of 200 Gbps or more every day.

Memcached Kill Switch

There are several reasons why memcached DDoS attacks have declined in recent days. Security firm Corero suggested that there is a "kill switch" for the attack, though both Graham-Cumming and Bjarnason disputed the legitimacy of that option.

"The so-called ‘kill switch’ consists of sending a 'flush_all' command to the memcached servers, instructing them to empty their cache," Bjarnason said. "This is a well-known instruction and has been part of the memcached protocol since its inception in 2003."

Bjarnason added, however, that issuing the "flush-all" command will incur the risk of negatively impacting the operation of the solution of which the memcached server is part, potentially resulting in serious operational issues. He noted that the memcached systems are also a victim of the DDoS attack as they are being abused by the attacker to participate in the DDoS attack and are in almost no cases owned or controlled by the attacker.

"There is no need to risk going with the so-called kill switch option when modern DDoS solutions are perfectly capable of defending against memcached DDoS reflection attacks, as shown by the successful mitigation of the recent 1.7-Tbps attacks," Bjarnason said.

Graham-Cumming was also skeptical about the kill-switch option, and it was not deployed at CloudFlare either.

"The 'kill switch' was immediately obvious to everyone who worked on mitigating this DDoS attack," Graham-Cumming said. "We chose not to use or test this method because it would be unethical and likely illegal since it alters the state of a remote machine without authorization." 

Patching

A number of things have been happening outside the use the kill-switch option to help mitigate the volume of memcached attacks. Perhaps the most impactful thing is that memcached server administrators have updated their systems and configurations.

The open-source memcached project itself has an update that eliminates the attack vector. The Memcached 1.5.6 update disables the UDP protocol, which is what DDoS attackers are using to amplify attacks.

"The volume of memcached attacks will gradually decrease as access to vulnerable servers continues to be shut down," Bjarnason said. "There will, however, always be someone deploying new vulnerable servers and services on the internet, so these kinds of attacks will be part of the internet for the foreseeable future."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.