Story image

Updated: Cyber attackers flood memcached servers with amplified DDoS attacks

02 Mar 2018

Misconfigured memcached servers on internet data center (IDC) networks are being increasingly abused to conduct amplification attacks around the globe, with many vulnerable servers across Asia Pacific, Europe and North America.

Security teams at Cloudflare, Qihoo and Arbor Networks picked up the increase in attacks using the memcached protocol, which are originating from UDDP port 11211.

On March 2, Akamai detected a 1.3Tbps DDoS attack against one of its customers as a result of memcached reflections - the largest the company has ever seen.

Arbor Networks defines memcached as an in-memory database caching system often deployed in IDC, cloud and Infrastructure-as-a-Service networks to improve performance of database-driven websites and other internet services.

Ideally memcached should not be exposed to public internet but there are many deployments that leave the systems open and with the default insecure configuration.

The attacks use the misconfigured servers to launch high-volume UDP reflection-amplification attacks. It does this by spoofing an IP and sending thousands of requests to a server. That host server cannot handle the requests and the process often crashes the server itself.

Those attacks are getting bigger, according to Arbor Networks, which says there has been in increased in memcached attacks, some reaching as much as 500gb/sec and larger.

“Amplification attacks are effective, because often the response packets are much larger than the request packets. A carefully prepared technique allows an attacker with limited IP spoofing capacity (such as 1Gbps) to launch very large attacks (reaching 100s Gbps) "amplifying" the attacker's bandwidth,” Cloudflare explains further.

In some cases, a request of just 15 bytes triggered a response of 750kB – an amplification of 51,000 times.

Cloudflare has registered 260Gbps of inbound UDP memcached traffic, a figure the company describes as a ‘massive’ amplification vector.

Arbor believes that while memcached attacks may have been the work of skilled hackers in the past, they have now been weaponised and made available through the use of DDoS for hire botnets so attackers of all skill levels can now take advantage.

“Due to the nature of both the memcached service/protocol implementation as well as the prevalence and high bandwidth typically available to memcached reflectors/amplifiers, it is critical that network operators take proactive measures to ensure they are prepared to detect, classify, traceback, and mitigate these attacks, as well as ensure that any memcached installations on their networks and/or networks of their end-customers cannot be exploited as reflectors/amplifiers,” Arbor explains.

Cloudflare warns developers to stop using UDP. If there is a need for it, developers should not enable UDP be default. System administrators should ensure memcached servers are firewalled from the internet.

Cloudflare is also calling on internet service providers to help track attackers by finding out where the queries came from.

Akamai says it is working with peers and industry partners to help organisations use Best Common Practices and memcached remediation to reduce the risk to the internet.

Cloud application attacks in Q1 up by 65% - Proofpoint
Proofpoint found that the education sector was the most targeted of both brute-force and sophisticated phishing attempts.
Singapore firm to launch borderless open data sharing platform
Singapore-based Ocean Protocol, a decentralised data exchange that promotes data sharing, has revealed details of what could be the kickstart to a global and borderless data economy.
Huawei picks up accolades for software-defined camera ecosystem
"The company's software defined capabilities enable it to future-proof its camera ecosystem and greatly lower the total cost of ownership (TCO), as its single camera system is applicable to a variety of application use cases."
Tech community rocked by deaths of Atta Elayyan and Syed Jahandad Ali
Both men were among the 50 killed in the shooting in Christchurch last Friday when a gunman opened fire at two mosques.
NZ ISPs block internet footage of Christchurch shootings
2degrees, Spark, Vodafone and Vocus are now blocking any website that shows footage of the mosque shootings.
Barracuda expands MSP security offerings with RMM acquisition
Managed Workplace delivers an RMM platform with security tools and services, such as site security assessments, Office 365 account management, and integrated third-party antivirus.
Flashpoint: APAC companies must factor geopolitics in cyber strategies
The diverse geopolitical and economic interests of the states in the region play a significant role in driving and shaping cyber threat activity against entities operating in APAC.
Expert offers password tips to aid a stress-free sleep
For many cybersecurity professionals, the worries of the day often crawl into night-time routines - LogMeIn says better password practices can help.