Popular cache utility exploited for massive reflected DoS attacks

Using memcached? Get it behind the firewall and turn off UDP if you want to live

By Richard Chirgwin

Posted in Security, 28th February 2018 03:58 GMT

Attackers have discovered a new amplified denial-of-service attack vector, and have launched attacks reaching hundreds of gigabits per second in Asia, North America and Europe.

Former Internet Systems Consortium CEO and now Akamai principal architect Barry Raveendran Greene has detailed the reflected DoS attack on his blog and explained that it can make the incoming traffic appear to come from a service provider's router.

The attack abuses the memcached distributed in-memory caching utility, used to speed up dynamic Web applications by sharing around the database load.

The utility isn't meant to be installed on Internet-facing systems, because it has no security mechanism, but as SANS, Cloudflare, Arbor Networks and Akamai have all observed, there are a lot of exposed memcached instances out there.

As SANS' Johannes Ullrich wrote: “Apparently people are exposing memcached to the internet. For many other services, I would qualify that statement: 'without access control'. But for memcached there is no access control. This is by design.”

The mechanism attackers have used is to send memcached instances a request for statistics over UDP, with the source address spoofed so that the request appears to come from the victim's IP address. The stats request is 15 bytes long, but the reply is anywhere between 1,500 bytes and hundreds of kilobytes.

There's the amplification factor: 15-byte requests sent to a bunch of memcached instances, and the target is hosed.

Qrator Labs reckons it's seen attacks reach 500 Gbps.

If you're under attack, there are two things to do: block all traffic from port 11211, and if you can, get help from your ISP to block the traffic.

Operators are being asked to help block the attacks as well. A note to Australian Network Operators' Group (AUSNOG) suggests implementing Exploitable Port Filters as per these instructions.

And if you're a sysadmin whose memcached server is outside the firewall, get it inside, configure it so it doesn't listen on UDP, and strap yourself to the butt-kicking machine, because as Ullrich pointed out, the utility's config file told you not to put it on the Internet. ®
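As an added example (not from the article or the memcached project), here is a small Python audit of a memcached option set, as found in Debian's memcached.conf or in the argv of a running process, that reports whether an instance is in the exposed state described above: UDP still enabled and bound beyond loopback. It assumes short-option syntax only (-l, -U, -p) and that a build started without -U enables UDP by default, as builds of that era did.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


@dataclass
class MemcachedExposure:
    listen_addrs: List[str]   # empty means no -l given: memcached binds every interface
    udp_port: Optional[int]   # None means no -U given: the build's default applies
    tcp_port: int

    @property
    def udp_enabled(self) -> bool:
        # Assumption: without an explicit "-U 0", UDP is on (pre-incident default).
        return self.udp_port is None or self.udp_port != 0

    @property
    def internet_reachable(self) -> bool:
        return not self.listen_addrs or any(a not in LOOPBACK for a in self.listen_addrs)

    @property
    def reflector_risk(self) -> bool:
        # The combination the article warns about: UDP stats reachable from outside.
        return self.udp_enabled and self.internet_reachable


def _strip_port(addr: str) -> str:
    # "-l 127.0.0.1:11211" carries a port; a bare IPv6 address has more than one colon.
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr


def parse_memcached_options(args: List[str]) -> MemcachedExposure:
    """Parse memcached-style short options from a token list (argv or conf lines)."""
    listen, udp, tcp = [], None, 11211
    i = 0
    while i < len(args):
        opt = args[i]
        if opt in ("-l", "-U", "-p"):            # "-l addr" form
            val, i = args[i + 1], i + 2
        elif opt[:2] in ("-l", "-U", "-p") and len(opt) > 2:   # "-laddr" form
            val, opt, i = opt[2:], opt[:2], i + 1
        else:
            i += 1
            continue
        if opt == "-l":                          # -l accepts a comma-separated list
            listen.extend(_strip_port(v.strip()) for v in val.split(","))
        elif opt == "-U":
            udp = int(val)
        else:
            tcp = int(val)
    return MemcachedExposure(listen, udp, tcp)


def audit_conf(text: str) -> MemcachedExposure:
    """Audit a Debian-style memcached.conf: '#' comments, one option per line."""
    args = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            args.extend(shlex.split(line))
    return parse_memcached_options(args)


# Constructed samples: the exposed shape (no -l, no -U) beside the hardened one.
EXPOSED_CONF = "-m 64\n-p 11211\n-u memcache\n"
HARDENED_CONF = "-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1\n-U 0\n"
```

Run `audit_conf` over a fleet's config files and treat any `reflector_risk` result as a host to pull behind the firewall and restart with `-U 0`.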
