In February of 2018 several organizations began publicly disclosing a trend in UDP amplified attacks utilizing exposed Memcached servers. The Memcached protocol was never intended to be exposed to the Internet and thus did not have sufficient security controls. Because of this exposure, attackers can abuse Memcached UDP port 11211 for reflective, volumetric attacks.
A Memcached amplified attack makes use of legitimate third party Memcached servers to send spoofed attack traffic to a targeted victim. Memcached, like other UDP based services (SSDP, DNS and NTP), are Internet servers that do not have native authentication and are therefore hijacked to launch amplified attacks against their victims.
A spoofed attack uses IP packets with illegitimate source IP addresses for the purpose of hiding the attackers true source IP. More ominously, by changing the source IP address of a packet, the targeted machine will send its reply packet to the false IP header address using the reply itself as a secondary attack. Those wishing to launch a DDoS attack without a large number of botnets can therefore send packets with random spoofed source IP addresses to both conceal their own origin IP address and launch volumetric attacks.
Due to the volume that can be reached with a single amplification list, attackers do not need a massive IoT botnet to launch 1Tbps+ assaults as with Mirai. At the core of the Memcached problem is the number of exposed servers on the Internet. With just under 100,000 exposed Memcached servers, it creates a prime reflector for an amplified attack.
Attack Methods
Memcached is a general purose, distributed memory caching system typically used to speed up dynamic web applications by caching data and objects in RAM and reducing backend database or API round-trips. Memcached APIs provide a large hash table (key-value) distributed across multiple systems. Most deployments of Memcached are within trusted networks where clients without authentication connect to any server. Memcached can be compiled with optional SASL authentication support but was deployed with TCP/UDP port 11211 exposed to the Internet. As a result, attackers can abuse this service to launch large-scale amplified attacks. The Bandwidth Amplification Factor (BAF) in the Memcached attack ranges between 10,000x and 52,000x, resulting in volumetric attacks that can easily reach well over 500Gbps. All the attacker has to do is scan the Internet for vulnerable Memcached servers to create an amplification list. Once the attacker has a Memcached amplification list they are able to craft a custom script to send spoofed requests to UDP port 11211 on the amplification list with the victim’s spoofed IP address. The Memcached servers will respond to the request by sending an amplified request, vastly larger than the original request, to the victims IP address. The result is pipe saturation and service degradation.
Reasons for Concern
There are two main concerns in regard to the Memcached vulnerability. The first issue is centered around the number of exposed Memcached servers. With just under 100,000 servers and only a few thousand required to launch a 1Tbps attack, the cause for concern is great. Most organizations at this point are likely unaware that they have exposed Memcached servers exposed to the Internet and it will take time to block or filter this service. Memcached servers will be vulnerable for some time, allowing attackers to generate volumetric attacks with few resources.
The second concern is the time it takes for attackers to begin exploiting this vulnerability. The spike in activity was known for several days prior to the patch and publication of the Memcached vulnerability. Within 24 hours of publication, an attacker are able to build an amplification list of vulnerable MMemcached servers and launch the world’s largest DDoS attack, a title previously held by the Mirai botnet that had enslaved hundreds of thousands of IoT devices to launch a 1.2Tbps attack.
How to Prepare
On the Memcached server side, mitigation should include disabling UDP, upgrading to the latest code version (1.5.6 as of this writing) which disables UDP by default, or enabling the optional SAML authentication. Users should install a firewall that should provide access to memcached servers only from the local network.
Administrators should also consider avoiding external traffic to the ports used by memcached (for example 11211 port used by default), and block or rate-limiting UDP or completely disable UDP support if not in use.
Goes without saying that a rapid action response team should be assigned to mitigate and fully protect assets from Memcached reflection attacks.