Popular cache utility exploited for massive reflected DoS attacks

Using memcached? Get it behind the firewall and turn off UDP if you want to live

By Richard Chirgwin


Attackers have discovered a new amplified denial-of-service attack vector, and have launched attacks reaching hundreds of gigabits per second in Asia, North America and Europe.

Former Internet Systems Consortium CEO and now Akamai principal architect Barry Raveendran Greene has detailed the reflected DoS attack on his blog and explained that it can make it look as though the incoming traffic comes from a service provider's router.

The attack abuses the memcached distributed in-memory caching utility, used to speed up dynamic Web applications by sharing around the database load.

The utility isn't meant to be installed on Internet-facing systems, because it has no security mechanism, but as SANS, Cloudflare, Arbor Networks and Akamai have all observed, there are a lot of exposed memcached instances out there.

As SANS' Johannes Ullrich wrote: “Apparently people are exposing memcached to the internet. For many other services, I would qualify that statement: 'without access control'. But for memcached there is no access control. This is by design.”

The attackers' technique is to send memcached instances a request for statistics over UDP, with the source address spoofed to the victim's IP so that the replies go to the victim. The stats request is 15 bytes long, but the reply ranges from 1,500 bytes up to hundreds of kilobytes.

There's the amplification factor: 15-byte requests sent to a bunch of memcached instances, and the target is hosed.
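To show what that amplification looks like from the defender's side, here is an added example (not from the article or from any of the vendors it cites) that scans constructed flow records for UDP traffic whose source port is 11211, groups it by destination, and estimates the amplification factor against the 15-byte stats request. The record layout, the thresholds and the sample addresses are all assumptions.

```python
"""Flag memcached (UDP/11211) reflection traffic in flow records."""
from collections import defaultdict

MEMCACHED_PORT = 11211
STATS_REQUEST_BYTES = 15  # size of the "stats" request the article describes

# Constructed sample flows (not real traffic):
# (proto, src, sport, dst, dport, packets, bytes)
SAMPLE_FLOWS = [
    ("udp", "203.0.113.10", 11211, "198.51.100.5", 40000, 200, 300_000),
    ("udp", "203.0.113.11", 11211, "198.51.100.5", 40000, 150, 225_000),
    ("udp", "203.0.113.12", 11211, "198.51.100.5", 40000, 120, 180_000),
    ("tcp", "203.0.113.20", 11211, "10.0.0.8", 51234, 10, 4_000),   # TCP app use
    ("udp", "192.0.2.53", 53, "198.51.100.7", 33000, 5, 1_000),     # ordinary DNS
]


def reflection_victims(flows, min_reflectors=2, min_bytes=100_000):
    """Return {victim: summary} for hosts receiving UDP replies from port 11211
    on at least min_reflectors distinct sources and min_bytes in total.
    TCP and other UDP services are ignored; reflection here is UDP-only."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for proto, src, sport, dst, dport, packets, nbytes in flows:
        if proto != "udp" or sport != MEMCACHED_PORT:
            continue
        entry = per_victim[dst]
        entry["reflectors"].add(src)
        entry["packets"] += packets
        entry["bytes"] += nbytes

    alerts = {}
    for victim, e in per_victim.items():
        if len(e["reflectors"]) < min_reflectors or e["bytes"] < min_bytes:
            continue
        avg_reply = e["bytes"] / e["packets"]
        alerts[victim] = {
            "reflectors": sorted(e["reflectors"]),
            "bytes": e["bytes"],
            "avg_reply_bytes": avg_reply,
            # reply size relative to the 15-byte request that triggered it
            "amplification": avg_reply / STATS_REQUEST_BYTES,
        }
    return alerts


if __name__ == "__main__":
    for victim, info in reflection_victims(SAMPLE_FLOWS).items():
        print(victim, info)
```

With the sample data the single victim sees 1,500-byte average replies, a 100x amplification, which is the low end of the range the article quotes.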

Qrator Labs reckons it's seen attacks reach 500 Gbps.

If you're under attack, there are two things to do: block all traffic from port 11211, and if you can, get help from your ISP to block the traffic.

Operators are being asked to help block the attacks as well. A note to the Australian Network Operators' Group (AUSNOG) suggests implementing Exploitable Port Filters, as per these instructions.

And if you're a sysadmin whose memcached server is outside the firewall, get it inside, configure it so it doesn't listen on UDP, and strap yourself to the butt-kicking machine, because as Ullrich pointed out, the utility's config file told you not to put it on the Internet. ®
