Cybercriminals have found a way to abuse Memcached servers to launch DDoS attacks over 51,000 times stronger than the original request, which could take down major websites and internet infrastructure.
In recent days, security researchers at Cloudflare, Arbor Networks and the Chinese security company Qihoo 360 have observed that attackers are now abusing Memcached to amplify their DDoS attacks by an unprecedented factor of 51,200.
Memcached is a popular, easily deployed distributed caching system that stores objects in memory and is designed to handle a large number of open connections. Memcached servers listen on TCP or UDP port 11211.
Memcached servers are intended to speed up dynamic web applications by reducing load on the database, which lets administrators improve performance and scale Internet applications. It is used by thousands of websites, including Facebook, Flickr, Twitter, Reddit, YouTube and GitHub.
Dubbed Memcrashed by Cloudflare, the attack abuses unsecured Memcached servers that have UDP enabled to deliver DDoS traffic at 51,200 times its original volume, making it the largest amplification method ever seen in the wild.
How does the Memcached DDoS amplification attack work?
Like other amplification methods, in which attackers send a small request from a spoofed IP address in order to get a much larger response, the Memcached amplification attack works by sending a forged request to a vulnerable server (one reachable over UDP) on port 11211, using a source IP address spoofed to match the victim’s IP address.
According to the researchers, a request of only a few bytes sent to a vulnerable server can trigger a response tens of thousands of times larger.
“15 bytes of request can trigger a 134KB response. This is an amplification factor of 10,000x. In practice, we saw a 15-byte request result in a 750KB response (which is a gain of 51,200x),” says Cloudflare.
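A defender-side way to spot this amplification in your own network telemetry, as an added example that is not part of the original article: it reads constructed flow records in a simplified NetFlow-like CSV form, pairs each Memcached server with the address its UDP/11211 answers are sent to, and flags pairs whose response volume dwarfs the request volume. The flow format, the thresholds and the (documentation-range) addresses are assumptions; only UDP is examined, since the article notes TCP cannot be spoofed reliably.

```python
"""Spot Memcached UDP reflection/amplification in flow records.

Added example (not from the original article). Input is a constructed,
simplified flow-record format:
    src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
Real NetFlow/IPFIX or sFlow exports carry the same fields under other names.
"""
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed sample flows (documentation address ranges). Two tiny UDP
# "requests" arrive at Memcached servers with the victim's address as source,
# and the servers answer the victim with very large responses. The TCP pair
# and the DNS flow are benign background traffic.
SAMPLE_FLOWS = """\
203.0.113.10,40000,198.51.100.5,11211,udp,15,1
198.51.100.5,11211,203.0.113.10,40000,udp,768000,520
203.0.113.10,40000,198.51.100.6,11211,udp,15,1
198.51.100.6,11211,203.0.113.10,40000,udp,134000,95
192.0.2.7,52000,198.51.100.5,11211,tcp,60,1
198.51.100.5,11211,192.0.2.7,52000,tcp,500,2
192.0.2.8,53,192.0.2.9,33000,udp,120,1
"""


def parse_flows(text):
    """Parse the constructed CSV-like flow format into dicts."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto, nbytes, pkts = line.split(",")
        flows.append({
            "src_ip": src, "src_port": int(sport),
            "dst_ip": dst, "dst_port": int(dport),
            "proto": proto.lower(), "bytes": int(nbytes), "packets": int(pkts),
        })
    return flows


def memcached_reflection_report(flows, min_amplification=100, min_bytes=100_000):
    """Pair UDP traffic into (server, client) directions and compute out/in ratio.

    A reflector is any host answering from UDP/11211; the client side is where
    those answers go, which under source spoofing is the victim that never
    asked for them. Only UDP is examined because TCP cannot be spoofed
    reliably enough for reflection (as the article notes).
    """
    request_bytes = defaultdict(int)   # (server, client) -> bytes toward 11211
    response_bytes = defaultdict(int)  # (server, client) -> bytes from 11211
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dst_port"] == MEMCACHED_PORT:
            request_bytes[(f["dst_ip"], f["src_ip"])] += f["bytes"]
        elif f["src_port"] == MEMCACHED_PORT:
            response_bytes[(f["src_ip"], f["dst_ip"])] += f["bytes"]

    findings = []
    for (server, client), out_bytes in response_bytes.items():
        in_bytes = request_bytes.get((server, client), 0)
        # Replies with no matching request are treated as infinite
        # amplification: the collector saw the answers but never the trigger.
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if out_bytes >= min_bytes and ratio >= min_amplification:
            findings.append({
                "reflector": server,
                "victim": client,
                "request_bytes": in_bytes,
                "response_bytes": out_bytes,
                "amplification": ratio,
            })
    return sorted(findings, key=lambda x: x["response_bytes"], reverse=True)


def victim_totals(findings):
    """Sum reflected bytes per victim so the most-hit target surfaces first."""
    totals = defaultdict(int)
    for f in findings:
        totals[f["victim"]] += f["response_bytes"]
    return dict(totals)


if __name__ == "__main__":
    report = memcached_reflection_report(parse_flows(SAMPLE_FLOWS))
    for f in report:
        print(f"{f['reflector']:>15} -> {f['victim']:<15} "
              f"{f['request_bytes']:>6} B in, {f['response_bytes']:>8} B out, "
              f"x{f['amplification']:,.0f}")
    print("per-victim totals:", victim_totals(report))
```

On the sample data the first pair reproduces the 15-byte-in, 750KB-out ratio the article quotes (51,200x). The thresholds are deliberately loose; on a real collector you would raise `min_bytes` to something meaningful for your link speed and alert on the per-victim totals rather than on single pairs.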
According to the researchers, the majority of Memcached servers exposed to abuse for amplification DDoS attacks are hosted at OVH, DigitalOcean, Sakura and other small hosting providers.
In total, the researchers saw only 5,729 unique source IP addresses associated with vulnerable Memcached servers, but they expect much larger attacks in the future, as Shodan reports 88,000 open Memcached servers, Cloudflare says.
“At the peak, we’ve seen 260Gbps of inbound Memcached UDP traffic, which is massive for a new amplification vector, but the numbers do not lie; it is possible because all the reflected packets are very large,” says Cloudflare.
Arbor Networks noted that the simple Memcached queries used in these attacks can also be directed at TCP port 11211 on misconfigured Memcached servers.
However, TCP is not currently considered a high-risk Memcached reflection/amplification vector, because TCP requests cannot be reliably spoofed.
Well-known DDoS amplification vectors we have reported on in the past include poorly secured DNS (Domain Name System) resolvers, which amplify traffic volume by about 50 times, and NTP (Network Time Protocol), which amplifies it almost 58 times.
Mitigation: how to fix the Memcached server problem?
One of the simplest ways to prevent Memcached servers being misused as reflectors is to firewall, block or rate-limit UDP traffic from source port 11211.
Because Memcached listens on INADDR_ANY and runs with UDP enabled by default, administrators are advised to disable UDP support if they do not use it.
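A small audit of the two server-side settings the mitigation advice above turns on, as an added example that is not part of the original article or of the memcached project: it parses a Debian-style memcached.conf or a sysconfig `OPTIONS=` line, reports whether UDP is still enabled and whether the daemon binds every interface, and shows the exposed default beside the hardened form. The sample configurations are constructed; the `-U`/`--udp-port` and `-l`/`--listen` flags are memcached's own. Treating a missing `-U` as UDP on port 11211 is an assumption that matches the default the article describes.

```python
"""Audit a memcached start-up configuration for UDP support and bind address.

Added example (not from the original article or the memcached project).
Reads either a Debian-style /etc/memcached.conf (one option per line) or a
sysconfig-style OPTIONS="..." line. The flags checked (-U/--udp-port and
-l/--listen) are real memcached options; the sample configs are constructed.
"""
import shlex

# Constructed sample: the exposed default. No -l means INADDR_ANY, and no -U
# means UDP on port 11211 in the memcached builds the article describes.
WEAK_CONF = """\
-m 64
-p 11211
-u memcache
-c 1024
"""

# Constructed sample: the same service bound to loopback with UDP switched off.
HARDENED_CONF = """\
-m 64
-p 11211
-u memcache
-c 1024
-l 127.0.0.1
-U 0
"""

ALL_INTERFACES = {"0.0.0.0", "::", "INADDR_ANY"}


def memcached_argv(conf_text):
    """Flatten memcached.conf lines or an OPTIONS= string into an argv list."""
    argv = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("OPTIONS="):
            line = line[len("OPTIONS="):]
            # sysconfig wraps the whole value in one pair of quotes
            if len(line) >= 2 and line[0] == line[-1] and line[0] in "\"'":
                line = line[1:-1]
        argv.extend(shlex.split(line))
    return argv


def _option_values(argv, short, long):
    """Yield values for a flag written as -X v, -Xv, --long v or --long=v."""
    i = 0
    while i < len(argv):
        a = argv[i]
        if a == short or a == long:
            if i + 1 < len(argv):
                yield argv[i + 1]
            i += 2
            continue
        if a.startswith(short) and len(a) > len(short) and not a.startswith("--"):
            yield a[len(short):]          # glued short form, e.g. -U0
        elif a.startswith(long + "="):
            yield a[len(long) + 1:]       # --udp-port=0
        i += 1


def audit_memcached(conf_text):
    """Return the effective UDP port, listen addresses and a list of findings."""
    argv = memcached_argv(conf_text)
    # Assumption: with no -U the daemon keeps its historical default, UDP on 11211.
    udp_port = 11211
    for v in _option_values(argv, "-U", "--udp-port"):
        udp_port = int(v)                 # last occurrence wins, as in argv parsing
    listen = []
    for v in _option_values(argv, "-l", "--listen"):
        listen.extend(addr.strip() for addr in v.split(","))
    exposed_to_all = not listen or any(a in ALL_INTERFACES for a in listen)

    findings = []
    if udp_port != 0:
        findings.append(f"UDP enabled on port {udp_port}; set '-U 0' unless UDP is needed")
    if exposed_to_all:
        findings.append("listening on all interfaces; bind with '-l 127.0.0.1' or a private address")
    return {
        "udp_port": udp_port,
        "listen": listen,
        "exposed_to_all_interfaces": exposed_to_all,
        "findings": findings,
        "hardened": not findings,
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_memcached(conf)
        print(name, "->", "OK" if result["hardened"] else result["findings"])
```

The audit only covers the daemon's own configuration; the network-side measure the article mentions (filtering or rate-limiting UDP from source port 11211 at the firewall) is the complement, and protects against reflectors you do not control.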
The size of the attacks that Memcached reflection can potentially create cannot easily be defended against by Internet Service Providers (ISPs) as long as IP spoofing is permitted on the Internet.