Abuse of Memcached Servers for Massive Amplification of DDoS Attacks

Memcached is open-source software that serves as a cache for web content. Its aim is to speed up web applications by keeping frequently used items in memory, which relieves the database of load. It improves site performance and the overall scalability of web applications. Such web content caches are used by many web portals, including giants such as YouTube, Twitter and Facebook. Using Memcached can speed up both data storage and network data transfer.

On the transport layer, a Memcached server uses the connection-oriented TCP protocol or the connectionless UDP protocol on port 11211. In the basic configuration, however, UDP is used without any authentication or verification of source IP addresses. If a Memcached server is configured incorrectly and is reachable from the Internet, it can be weaponized by attackers to amplify DDoS attacks. Attackers store large data objects on the exposed server and then send forged requests for those objects with the source address spoofed to that of a victim. The server treats the incoming requests as coming from the victim's IP address and starts sending large volumes of data to it, effectively saturating the victim's network resources. Amplification factors of DDoS attacks via Memcached reach up to 51,000, meaning that for each byte sent by the attacker, up to 51KB is sent toward the victim's address.

The mechanism described above was abused to launch a massive DDoS attack on the website GitHub.com on the evening of 28 February 2018. According to GitHub.com representatives, the attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints and denied access to services for 9 minutes. It was an amplification attack using the memcached-based approach described above, and it peaked at 1.35Tbps via 126.9 million packets per second. Historically, it is the second most massive DDoS attack recorded so far, and its intensity was more than twice that of the DDoS attacks launched by the Mirai botnet in 2016. The most massive DDoS attack ever recorded was reported by Arbor Networks at the beginning of March 2018; in its statement the company declared that the data flow peaked at 1.7Tbps.

The following table compares the amplification factors obtained by abusing different protocols.

Protocol                     Bandwidth amplification factor
BitTorrent                   3.8
CLDAP                        56 to 70
DNS                          28 to 54
CharGEN                      358.8
Kad                          16.3
LDAP                         46 to 55
Memcached                    10,000 to 51,000
Multicast DNS (mDNS)         2 to 10
NetBIOS                      3.8
NTP                          556.9
Portmap (RPCbind)            7 to 28
QOTD                         140.3
Quake Network Protocol       63.9
RIPv1                        131.24
SNMPv2                       6.3
SSDP                         30.8
Steam Protocol               5.5
SOURCE: https://www.us-cert.gov

Memcached Server Security
Memcached servers should not be publicly accessible from the Internet. Basic system security includes deploying a firewall that limits access to the server to the local network only and blocks external network communication on UDP port 11211. If UDP is not needed on the server, it is recommended to disable it in the server settings and use the connection-oriented TCP protocol instead.
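As an added illustration (not part of the original advisory and not memcached's own tooling), the Python script below audits a constructed memcached.conf for the two settings this section calls out (UDP left enabled, server bound to all interfaces) and emits the hardened equivalent. It assumes memcached's real command-line flags -l (listen address), -U (UDP port, 0 disables UDP) and -p (TCP port).

```python
import shlex

# Constructed sample (not from any real host): a Debian-style memcached.conf,
# one flag per line, that exposes a UDP listener on every interface.
WEAK_CONF = """\
# memcached.conf (constructed sample)
-m 64
-p 11211
-U 11211
-l 0.0.0.0
"""

ANY_ADDR = {"0.0.0.0", "::", "*"}   # wildcard binds reachable from the Internet

def parse_conf(text):
    """Parse flags from a memcached.conf into {flag: value_or_None}.
    Accepts '-U 0', the joined form '-U0' and value-less flags such as '-d'."""
    tokens = []
    for raw in text.splitlines():
        tokens += shlex.split(raw, comments=True)   # drops '#' comments
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if len(tok) > 2 and tok.startswith("-") and not tok.startswith("--"):
            opts[tok[:2]] = tok[2:]                  # '-U0' form
        elif i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[tok] = tokens[i + 1]; i += 1        # '-U 0' form
        else:
            opts[tok] = None                         # boolean flag, e.g. '-d'
        i += 1
    return opts

def audit(opts):
    """Return the findings the advisory's recommendations map to."""
    findings = []
    udp = opts.get("-U")
    if udp is None:   # older releases enable UDP on 11211 unless '-U 0' is explicit
        findings.append("UDP not explicitly disabled: add '-U 0'")
    elif udp != "0":
        findings.append(f"UDP reflector enabled on port {udp}: set '-U 0'")
    listen = opts.get("-l")
    if listen is None or listen in ANY_ADDR:
        findings.append("bound to all interfaces: restrict with '-l <trusted address>'")
    return findings

def harden(opts, listen_addr="127.0.0.1"):
    """Apply the advisory's two recommendations; returns a new options dict."""
    fixed = dict(opts)
    fixed["-U"] = "0"               # disable UDP; TCP on -p remains available
    fixed["-l"] = listen_addr       # reachable only from the trusted network
    return fixed

def render(opts):
    """Write options back in the one-flag-per-line style."""
    return "\n".join(f"{k} {v}" if v is not None else k for k, v in opts.items()) + "\n"

if __name__ == "__main__":
    weak = parse_conf(WEAK_CONF)
    for finding in audit(weak):
        print("FINDING:", finding)
    print(render(harden(weak)))
```

Run the audit against the real configuration before and after the change; an empty findings list confirms that the firewall rules described above are no longer the only line of defence.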

Despite the large volumes of data attackers use to saturate their victims, this is still a DoS attack, and the standard countermeasures and defence methods against such attacks apply. The most widely used are intrusion prevention systems (IPS), intrusion detection systems (IDS), load balancers, traffic scrubbing, firewall solutions, access control lists (ACLs) and many others. The most effective defence is a combination of several of these methods, chosen with the nature and objectives of the attack in mind.

If you use Memcached in your network infrastructure:

  • Set up firewall rules on the Memcached server so that it is accessible only from IP addresses in the trusted network.
  • Set up similar rules on the perimeter firewalls as well.

If you are a victim of such an attack, use the services of one of the world's major DDoS protection centres. Given the large amplification effect, protection by technical means on the victim's side alone is unlikely to be effective.

If you have become a victim of a cyberattack, please let us know through our contact form.
