Cybercriminals have figured out a way to abuse widely used Memcached servers to launch DDoS attacks over 51,000 times more powerful than their original strength, which could knock major websites and Internet infrastructure offline.
In recent days, security researchers at Cloudflare, Arbor Networks and the Chinese security firm Qihoo 360 noticed that hackers are now abusing “Memcached” to amplify their DDoS attacks by an unprecedented factor of 51,200.
Memcached is a popular open-source and easily deployable distributed caching system that allows objects to be stored in memory and has been designed to work with a large number of open connections. The Memcached server listens on TCP and UDP port 11211.
The Memcached application is designed to speed up dynamic web applications by reducing load on the database, which helps administrators improve performance and scale web applications. It is widely used by thousands of websites, including Facebook, Flickr, Twitter, Reddit, YouTube and GitHub.
Dubbed Memcrashed by Cloudflare, the attack abuses unprotected Memcached servers that have UDP enabled to deliver DDoS attacks 51,200 times their original strength, making it the most powerful amplification method ever seen in the wild so far.
How the Memcrashed DDoS Amplification Attack Works
Like other amplification methods, where attackers send a small request from a spoofed IP address to get a much larger response in return, the Memcrashed amplification attack works by sending a forged request to the targeted server (a vulnerable Memcached server with UDP enabled) on port 11211, using a spoofed source IP address that matches the victim’s IP. The server then sends its large reply to the victim rather than to the attacker.
According to the researchers, just a few bytes of request sent to the vulnerable server can trigger a response tens of thousands of times bigger.
“15 bytes of request triggered 134KB of response. This is an amplification factor of 10,000x! In practice we’ve seen a 15-byte request result in a 750kB response (that’s a 51,200x amplification),” Cloudflare says.
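The reflection pattern described above is easiest to spot at the edge of the network that hosts the Memcached server: the spoofed victim appears as the source of a few bytes sent to UDP/11211 and as the destination of a huge volume sent from UDP/11211. The following script is an added example, not code from the original article or from Cloudflare; it runs the detection over constructed NetFlow-style records (all addresses, byte counts and the sample datagram are made up, with the byte counts chosen to reproduce the 51,200x ratio quoted above) and also parses Memcached's 8-byte UDP frame header, whose "total datagrams" field reveals how many datagrams a single reply spans.

```python
import struct
from collections import defaultdict

MEMCACHED_PORT = 11211

# Memcached UDP frame header (8 bytes, network byte order): request id,
# sequence number, total number of datagrams in this reply, reserved.
UDP_FRAME_HEADER = struct.Struct("!HHHH")

# Constructed flow records as seen at the edge of a network hosting a Memcached
# server (192.0.2.10). 203.0.113.5 is the spoofed source, i.e. the real victim;
# 198.51.100.7 is a legitimate TCP client. Values are invented for this example.
FLOWS = [
    {"proto": "udp", "src": "203.0.113.5", "sport": 40000, "dst": "192.0.2.10", "dport": 11211, "bytes": 15},
    {"proto": "udp", "src": "192.0.2.10", "sport": 11211, "dst": "203.0.113.5", "dport": 40000, "bytes": 768000},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 51000, "dst": "192.0.2.10", "dport": 11211, "bytes": 120},
    {"proto": "tcp", "src": "192.0.2.10", "sport": 11211, "dst": "198.51.100.7", "dport": 51000, "bytes": 2048},
]

# Constructed first datagram of a large reply split over 540 datagrams (at roughly
# 1,400 payload bytes each that is about the 750kB response quoted in the article).
SAMPLE_RESPONSE_DATAGRAM = UDP_FRAME_HEADER.pack(0x1234, 0, 540, 0) + b"STAT pid 4242\r\nSTAT uptime 86400\r\n"


def udp_byte_counts(flows):
    """Per remote peer: [bytes it sent to UDP/11211, bytes UDP/11211 sent back to it]."""
    counts = defaultdict(lambda: [0, 0])
    for f in flows:
        if f["proto"] != "udp":
            continue  # TCP requests cannot be reliably spoofed, so only UDP matters here
        if f["dport"] == MEMCACHED_PORT:
            counts[f["src"]][0] += f["bytes"]
        elif f["sport"] == MEMCACHED_PORT:
            counts[f["dst"]][1] += f["bytes"]
    return counts


def amplification_ratio(flows, peer):
    """Reply bytes divided by request bytes for one peer (inf if it never sent a request)."""
    received, sent = udp_byte_counts(flows).get(peer, (0, 0))
    if received:
        return sent / received
    return float("inf") if sent else 0.0


def suspected_reflection_victims(flows, min_ratio=100.0, min_bytes=100_000):
    """Peers that got far more back from UDP/11211 than they sent: likely spoofed victims."""
    return sorted(
        peer for peer, (received, sent) in udp_byte_counts(flows).items()
        if sent >= min_bytes and (received == 0 or sent / received >= min_ratio)
    )


def parse_udp_frame(datagram):
    """Split a Memcached UDP datagram into its header fields and payload."""
    if len(datagram) < UDP_FRAME_HEADER.size:
        raise ValueError("datagram shorter than the 8-byte memcached UDP header")
    request_id, sequence, total, _reserved = UDP_FRAME_HEADER.unpack_from(datagram)
    return {"request_id": request_id, "sequence": sequence,
            "total_datagrams": total, "payload": datagram[UDP_FRAME_HEADER.size:]}


def is_large_reply(datagram, max_datagrams=4):
    """A reply spanning many datagrams towards an external peer is a red flag:
    ordinary cache traffic rarely needs hundreds of UDP datagrams per request."""
    return parse_udp_frame(datagram)["total_datagrams"] > max_datagrams


if __name__ == "__main__":
    for victim in suspected_reflection_victims(FLOWS):
        print(f"{victim}: amplification {amplification_ratio(FLOWS, victim):.0f}x")
    print("large reply:", is_large_reply(SAMPLE_RESPONSE_DATAGRAM))
```

The thresholds (`min_ratio`, `min_bytes`, `max_datagrams`) are assumptions chosen for the example; in production they should be tuned against the site's normal Memcached traffic, and the flow records would come from a collector rather than an inline list.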
According to the researchers, most of the Memcached servers being abused for amplification DDoS attacks are hosted at OVH, Digital Ocean, Sakura and other small hosting providers.
In total, researchers have seen only 5,729 unique source IP addresses associated with vulnerable Memcached servers, but they are “expecting to see much larger attacks in future, as Shodan reports 88,000 open Memcached servers,” Cloudflare says.
“At peak we’ve seen 260Gbps of inbound UDP memcached traffic. This is massive for a new amplification vector. But the numbers don’t lie. It’s possible because all the reflected packets are very large,” Cloudflare says.
Arbor Networks noted that the Memcached priming queries used in these attacks could also be directed at TCP port 11211 on abusable Memcached servers.
However, TCP is not currently considered a high-risk Memcached reflection/amplification vector, because TCP queries cannot be reliably spoofed.
Previously known DDoS amplification vectors that we have reported on in the past include poorly secured domain name system (DNS) resolvers, which amplify traffic by about 50 times, and network time protocol (NTP) servers, which amplify it by nearly 58 times.
Mitigation: How to Fix Memcached Servers
One of the easiest ways to prevent your Memcached servers from being abused as reflectors is to firewall, block or rate-limit UDP traffic on source port 11211.
Since Memcached listens on INADDR_ANY and runs with UDP support enabled by default, administrators are advised to disable UDP support if they are not using it.
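The two fixes above (rate-limit or drop UDP from source port 11211, and disable UDP support if it is unused) can be checked and generated from an administrator's side. The script below is an added example, not code from the original article or from the Memcached project: it classifies a memcached command line by how it exposes UDP, using memcached's real `-U <port>` (UDP port, 0 disables UDP) and `-l <addr>` (bind address, comma-separated list accepted) options, and emits iptables rules for the source-port rate limit. The sample command lines and the rate-limit values are assumptions chosen for the example.

```python
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def memcached_udp_exposure(cmdline):
    """Classify a memcached command line as 'disabled' (-U 0), 'loopback'
    (every -l address is a loopback address) or 'exposed' (UDP reachable on a
    non-loopback address, which is the default since memcached binds INADDR_ANY)."""
    args = shlex.split(cmdline)
    udp_port = 11211     # default: UDP enabled on 11211, the situation the article describes
    listen_addrs = []    # empty means the INADDR_ANY default
    i = 1                # skip the program name
    while i < len(args):
        arg = args[i]
        i += 1
        if arg[:2] not in ("-U", "-l"):
            continue
        flag, value = arg[:2], arg[2:]     # both "-U0" and "-U 0" forms are accepted
        if not value:
            if i >= len(args):
                raise ValueError(f"{flag} requires a value")
            value = args[i]
            i += 1
        if flag == "-U":
            udp_port = int(value)
        else:
            listen_addrs.extend(a.strip() for a in value.split(","))
    if udp_port == 0:
        return "disabled"
    if listen_addrs and all(addr in LOOPBACK for addr in listen_addrs):
        return "loopback"
    return "exposed"


def firewall_rules(port=11211, rate="1/s", burst=5):
    """iptables rules implementing 'rate-limit or block UDP on source port 11211':
    allow a small trickle of replies from that source port, drop the rest.
    The rate and burst values are assumptions; tune them to the site's needs."""
    return [
        f"iptables -A INPUT -p udp --sport {port} -m limit --limit {rate} --limit-burst {burst} -j ACCEPT",
        f"iptables -A INPUT -p udp --sport {port} -j DROP",
    ]


if __name__ == "__main__":
    # Constructed command lines: a typical default, a loopback-only one, and one with UDP off.
    for cmd in ("memcached -m 64 -p 11211 -u memcache",
                "memcached -m 64 -p 11211 -u memcache -l 127.0.0.1",
                "memcached -m 64 -p 11211 -u memcache -U 0"):
        print(f"{memcached_udp_exposure(cmd):9}  {cmd}")
    print("\n".join(firewall_rules()))
```

Run the classifier against the command line from `ps` (or the `-U`/`-l` values in the distribution's memcached config file) on each host; anything reported as `exposed` should get `-U 0`, or `-l 127.0.0.1` if only local clients need the cache, and the firewall rules belong at the network edge where reflected replies would otherwise arrive.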
The attack volume that Memcached reflection can generate cannot be easily defended against by Internet Service Providers (ISPs) as long as IP spoofing remains possible on the Internet.