Vulnerable Memcached Servers abused in large amplification DDoS attacks

Check to see if you are vulnerable to the Memcached DDoS Deluge attack

Attackers exploiting Memcached Servers in Large DDoS

Attackers have found a way to exploit the Deluge vulnerability, first described by 0Kee Team in a 2017 presentation.

The attack abuses User Datagram Protocol (UDP) port 11211.

This gives attackers a new, highly effective technique in their DDoS arsenal: abusing misconfigured Memcached servers that are widely accessible on the public internet can amplify traffic by as much as 51,200x.

Cloudflare reported on Tuesday 27 Feb 2018 a large increase in UDP port 11211 traffic amplified by Memcached servers.

Memcached servers are a specific type of server used to increase the responsiveness of large database-driven websites.

A Memcached server provides an in-memory caching system for increased performance.

There have been warnings in the past that amplification attacks are happening on the Internet.

Earlier examples of SSDP amplifications crossing 100Gbps speeds

Cloudflare has earlier reported being under a 196Gbps SSDP attack.

How do all amplification attacks really work?

The idea of all amplification attacks is the same.

An attacker using IP spoofing sends forged requests to a vulnerable UDP server, in this case a Memcached server with UDP port 11211 open.

The UDP server is not aware that the request is forged and therefore politely prepares a response.

When thousands of responses are then delivered to an unsuspecting target host, its resources are exhausted.

In this attack, most of the traffic came from AS16276 (OVH), Digital Ocean and AS7684 (Sakura).

Amplification attacks can be very effective because the response packets coming back are larger than the request packets sent in the first place.

Even an attacker with limited IP spoofing capability, with just 1Gbps, can launch very large attacks reaching 100s of Gbps, greatly amplifying the attacker's bandwidth.

How to find out if you are vulnerable to attacks?

How to find out if you have open vulnerable Memcached servers on your network?

In one specific case, a 15-byte request can trigger a 134KB response.

Other examples include an amplification factor of 10,000x! According to Cloudflare, a 15-byte request can result in a 750kB response (that's a 51,200x amplification).

There are vulnerable Memcached servers reported all across the world.

The highest concentration, though, is found in North America and Europe.

Attackers can easily find open vulnerable servers with popular search engines such as Shodan.

At this time, more than 5729 unique vulnerable servers openly accessible on the internet have been reported.

How to block this type of attack on your network?

It is recommended to use UDP carefully in applications and to program with security in mind.

Set up a UTM firewall that can block this type of attack.

The Protector UTM Firewall can block this type of attack.

Block all unauthenticated UDP traffic.
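
One way to check a Memcached server you run for the exposure described above, as an added example (not code from the original article or from the Memcached project): it audits the text of a memcached.conf-style option file for a UDP listener on a non-loopback address. It assumes the defaults of releases before 1.5.6 (UDP on port 11211, all interfaces) when -U or -l is absent; the function names and sample files are constructed for illustration.

```python
import ipaddress

# Assumption: defaults of memcached releases before 1.5.6, where UDP is
# enabled on port 11211 and every interface is used unless -l is given.
LEGACY_UDP_PORT = 11211

def parse_options(conf_text):
    """Read -U/--udp-port and -l/--listen from memcached.conf-style text."""
    opts = {"udp_port": LEGACY_UDP_PORT, "listen": []}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("-"):
            continue
        tokens = line.replace("=", " ").split()
        flag, value = tokens[0], (tokens[1] if len(tokens) > 1 else "")
        if flag in ("-U", "--udp-port") and value.isdigit():
            opts["udp_port"] = int(value)
        elif flag in ("-l", "--listen") and value:
            opts["listen"] += [a for a in value.split(",") if a]
    return opts

def is_loopback(addr):
    try:
        return addr == "localhost" or ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False   # other hostname or host:port form: flag it, check by hand

def audit(conf_text):
    """Return (exposed, reason) for one configuration file's text."""
    opts = parse_options(conf_text)
    if opts["udp_port"] == 0:
        return False, "UDP disabled (-U 0)"
    public = [a for a in opts["listen"] if not is_loopback(a)]
    if not opts["listen"]:
        return True, "UDP %d on all interfaces" % opts["udp_port"]
    if public:
        return True, "UDP %d on %s" % (opts["udp_port"], ", ".join(public))
    return False, "UDP bound to loopback only"

# Constructed sample configurations (not taken from any real host).
SAMPLES = {
    "legacy-default": "-m 64\n-p 11211\n-u memcache\n",
    "hardened": "-m 64\n-l 127.0.0.1\n-U 0  # UDP off\n",
    "public": "--listen=0.0.0.0\n--udp-port=11211\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit(text))
```

A file flagged as exposed is fixed by adding -U 0 to disable the UDP listener, or -l 127.0.0.1 when only local clients need the cache.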