Misconfigured memcached server DDoS threat is too powerful to be ignored

News by Davey Winder

DDoS threat actors have started to exploit a known problem with unsecured Memcache servers to launch hugely powerful attacks with little in the way of resource investment required.

DDoS threat actors have started to exploit a known problem with unsecured Memcache servers to launch hugely powerful attacks with little in the way of resource investment required. 
Multiple DDoS mitigation vendors have this week warned of spikes in reflection attacks by threat actors exploiting insecure, Internet-facing, memcached servers. The size of these attacks has been described as huge, massive and in one case insanely large. The high-bandwidth attacks have regularly exceeded 100Gbps in size, and have peaked nearer 500Gbps.

Vulnerable memcached servers are internet-facing; the default configuration exposes the UDP port (11211) to external connections. A search of the Shodan engine, which looks for Internet-connected devices, shows there are around 90,000 such memcached servers currently exposed to the potential of attack.

Ashley Stephenson, CEO at Corero Network Security, told SC Media that "memcached is vulnerable to UDP exploits due to an unnecessarily permissive wide-open default access policy allowing it to serve all requesters without prejudice." 

Memcached servers are typically deployed by cloud providers and Infrastructure-as-a-Service (IaaS) networks, as a method of boosting the performance of database-driven sites and services. Oh the irony then, that misconfigured memcached servers are being used to degrade sites and services by way of amplified DDoS attacks.

It is thought that memcached DDoS attacks have been employed manually, and very briefly in the past, by highly skilled attackers. That has now changed, and researchers believe the attack methodology has now been weaponised and made available to anyone via the security curse that is the stresser-for-hire botnet industry. As a result, researchers from ASERT, NETSCOUT Arbor's security engineering & response team, have classified the threat as critical. 

Spoofing packet origins when using the UDP protocol is silly easy for an attacker, and convincing the memcached server to send amplified response packets to a target IP is seemingly child's play. Arbor reports that it has seen such attacks in the wild ranging from 
a few hundred Mbps up to 500Gbps and larger. 

SC Media UK asked Steinthor Bjarnason, senior network security analyst with the NETSCOUT Arbor ASERT team investigating these attacks, what the practical limit to the size of these attacks? "There is theoretical limit which can easily be reached by having attacker populating the cache with large 1MB objects and then requesting as many of those in a single query" Bjarnason explains "the practical limit will be the size of the outgoing network connection from the memcached server which will very quickly fill up to its maximum."

Indeed, an Internet Data Centre with unsecured memcached servers will reach the maximum outbound capacity pretty quickly, so the outbound attack volume can be thought of as self-limiting. However, it's not all good news as Bjarnason continues "to reach attack volumes in the 100's of GBits, the attacker will have to locate a number of vulnerable servers, all with high speed connections." Given that such attack volumes (and then some) have been reported by all the DDoS mitigation networks this week, threat actors seem to be doing just that.

There is some good news in amongst the chaos though, and that's the fact this attack vector is simply "too powerful to be ignored" according to Bjarnason, who adds "the impact of this attack vector will most likely be reduced in the near future." Service providers offering connectivity to the targets of attacks are experiencing heavy inbound volume, and providers of connectivity to the memcached servers themselves heavy outbound volume. "This means that most Internet Services Providers will start blocking UDP port 11211 to protect themselves and their customers" Bjarnason concludes "unfortunately, there will always be a number of service providers which ignore basic security principles, allowing these and similar kinds of attacks to continue to be launched in the future."

Ashley Stephenson added that the threat is only expected "to top the DDoS charts for a relatively short period of time, ironically, as the more attackers who try to leverage a vector the weaker the resulting DDoS attacks as the total bandwidth of vulnerable servers is fixed and is shared across the victims." If hundreds of bad actors jump on the memcached bandwagon "this once mighty resource" Stephenson concludes "could end up delivering just a trickle of an attack to each intended victim."

Meanwhile, mitigation for enterprises concerned they might be targeted, revolves around blocking traffic from port 11211 at any point on the network edge that is feasible...

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews