In the past few days, a new attack method – Memcrashed has caused denial of services for many websites . Hackers have been exploiting the vulnerability of Memcached protocol as their volumetric, reflective, amplification attack tool.
Memcached is an open-sourced, high-performance, distributed, memory object-caching system, which is intended for use in speeding up dynamic web applications by alleviating database load. Memcached is powerful, easy to deploy, yet does not have native authentication – hence easy to abuse. While Memcached servers were never meant to be available over the public internet, they often are.
Since last week, hackers found legitimate Memcached servers on the Internet, and used them to launch the UDP-based, reflection attack. The attack set the new record for the biggest DDoS ever detected. This is due to the massive amplification factor of Memcached where a 203 byte request can result in 100MB response of reflected traffic. While other common reflected DDoS attack methods, such as DNS, NTP, Chargen, or SSDP amplification, have amplification ratio like one to hundreds, Memcached DDoS allowing a maximum 1 to hundreds of thousands of amplification ratio. The amplification ratio makes it a worst ever amplification attack.
The source IP spoofing technique also worsen the threat. The attackers send lots of Memcached get requests, via 11211 UDP protocol port, with spoofed source IP addresses to the target servers. Once the target server receives a memcached get request, it sends a response over the Internet in a stream of multiple much larger UPD packets to the spoofed IP addresses. The source spoofing hence not only masks the attacker location, but also stages a reflected assault.
Memcached DDoS can easily overflow the target servers’ as well we the reflected attack victims’ bandwidth limits. When DDoS attacks reach this level of sheer volume, it will need to look into the Internet service providers for an in-cloud DDoS detection and mitigation service.
Last week, in many of our service provider customers’ site, GenieATM helped monitor and analyse this Memcached DDoS attack. It has been monitoring the service provider’s whole network infrastructure for the 11211 UDP protocol port traffic. GenieATM alerted on the anomalous Memcashed traffic rate deviating from its normal traffic baseline. In addition to the monitoring and alerting, GenieATM provides rich traffic attribute reports of the attack to offer users insights including the target servers and the reflective attack victims. It helps the service providers notify the vulnerable servers to reinforce the security measures, and mitigate the volumetric reflective attack traffic to avoid bandwidth abusing. To date, many of our telecom customers have reported that GenieATM plays an important role in helping them monitor and respond to the Memcached DDoS attack.
