An increase in amplified Distributed Reflection Denial of Service (DRDoS) attacks abusing UDP port 11211 has been observed. That port belongs to memcached, a distributed memory caching system intended to reduce database load.
Although memcached does not authenticate requests and is not intended to be exposed to the Internet, nearly 100,000 Internet-reachable servers have been found running memcached with UDP support enabled.
When a memcached server has UDP port 11211 exposed to the Internet, an attacker can send it spoofed requests whose source address is the target's IP address. The responses are therefore delivered to the target instead of the attacker, and they can be 10,000 to 50,000 times larger than the requests that triggered them.
GitHub lost availability when 1.3 Tbps of traffic was directed at its site in one of the largest attacks of this type so far. This demonstrates the significant impact of these attacks, which do not require the considerable resources needed to acquire and control a large botnet.
A memcached-based amplification/reflection attack multiplies the attacker's bandwidth by a factor of up to 51,000 by exploiting thousands of misconfigured memcached servers left exposed on the Internet.
Memcached is a popular open source distributed memory caching system. It came to attention earlier last week when researchers detailed how attackers could abuse it to launch amplification/reflection DDoS attacks by sending a forged request to a targeted memcached server on port 11211 with a spoofed source IP address matching the victim's.
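The mechanism described above, as an added example that is not part of the original advisory: memcached's UDP transport prefixes every datagram with an 8-byte header (request id, sequence number, total datagrams in the message, reserved), so a request is one tiny datagram while the reply is split across many. The code below builds a `stats` probe, reassembles a fragmented reply, and computes the amplification factor at the UDP payload level. The reply bytes are constructed here (not captured from a real server), `fragment_reply` only mimics the server-side split, and `probe()` is a live check for hosts you operate; the function and constant names are this example's own.

```python
import socket
import struct

MEMCACHED_UDP_PORT = 11211
# UDP frame header from memcached's doc/protocol.txt: four big-endian 16-bit
# fields: request id, sequence number, total datagrams in this message,
# reserved (must be 0).
FRAME_HEADER = struct.Struct("!HHHH")
# memcached splits a UDP reply into datagrams of at most ~1400 payload bytes.
SERVER_CHUNK = 1400


def build_frame(command: bytes, request_id: int = 0) -> bytes:
    """Wrap a text-protocol command in the UDP header (single datagram)."""
    return FRAME_HEADER.pack(request_id, 0, 1, 0) + command


def split_frame(datagram: bytes):
    """Return (request_id, seq, total, payload) from one UDP datagram."""
    if len(datagram) < FRAME_HEADER.size:
        raise ValueError("datagram shorter than the 8-byte memcached UDP header")
    request_id, seq, total, _reserved = FRAME_HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[FRAME_HEADER.size:]


def fragment_reply(body: bytes, request_id: int = 0, chunk: int = SERVER_CHUNK):
    """Mimic the server side: split one reply across numbered datagrams.
    Used here only to construct a sample reply offline."""
    chunks = [body[i:i + chunk] for i in range(0, len(body), chunk)] or [b""]
    return [FRAME_HEADER.pack(request_id, seq, len(chunks), 0) + c
            for seq, c in enumerate(chunks)]


def reassemble(datagrams):
    """Order datagrams by sequence number and concatenate their payloads."""
    parts, total = {}, None
    for d in datagrams:
        _rid, seq, n, payload = split_frame(d)
        total = n if total is None else total
        if n != total:
            raise ValueError("inconsistent datagram count across the reply")
        parts[seq] = payload
    if total is None or any(i not in parts for i in range(total)):
        raise ValueError("incomplete reply")
    return b"".join(parts[i] for i in range(total))


def amplification_factor(request: bytes, datagrams) -> float:
    """Bytes sent toward the (spoofed) source divided by request bytes,
    counted at the UDP payload level (IP/UDP headers excluded)."""
    return sum(len(d) for d in datagrams) / len(request)


def probe(host: str, timeout: float = 2.0, command: bytes = b"stats\r\n"):
    """Live check of a host you are responsible for: send one request and
    collect the datagrams that come back. Not exercised by demo()."""
    request = build_frame(command, request_id=0x1337)
    received, expected = [], None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, MEMCACHED_UDP_PORT))
        try:
            while expected is None or len(received) < expected:
                data, _ = s.recvfrom(65535)
                rid, _seq, total, _payload = split_frame(data)
                if rid != 0x1337:
                    continue  # not an answer to our probe
                expected = total
                received.append(data)
        except socket.timeout:
            pass  # no reply at all, or a truncated one
    return request, received


# Constructed sample reply (not captured from a real server): the first
# lines of a 'stats' response, 95 bytes of text.
SAMPLE_STATS = (
    b"STAT pid 4242\r\n"
    b"STAT uptime 86400\r\n"
    b"STAT curr_connections 10\r\n"
    b"STAT limit_maxbytes 67108864\r\n"
    b"END\r\n"
)


def demo():
    """Offline walk-through: a 15-byte request, a reply split into three
    datagrams, and the resulting amplification factor."""
    request = build_frame(b"stats\r\n")
    datagrams = fragment_reply(SAMPLE_STATS, chunk=40)  # 40 + 40 + 15 bytes of payload
    assert reassemble(datagrams) == SAMPLE_STATS
    return len(request), sum(len(d) for d in datagrams), amplification_factor(request, datagrams)


if __name__ == "__main__":
    print(demo())  # (15, 119, 7.933...)
```

A real `stats` reply runs to a few kilobytes, so even this harmless command yields a factor in the hundreds; the multi-thousand-fold figures quoted in the text come from attackers first storing large values in the exposed cache and then requesting them with tiny `get` commands. If `probe()` against one of your own hosts returns anything at all, that host is usable as a reflector.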
- Memcached-enabled servers
The best mitigation, and the one that prevents memcached servers from being abused as reflectors, is to bind memcached to a local interface only or to disable UDP support entirely if it is not in use.
- Consider blocking or rate-limiting UDP port 11211 on Internet-facing devices, both inbound to your own memcached hosts (so they cannot be used as reflectors) and, on the receiving end of an attack, for traffic arriving from source port 11211.
- Disable UDP support unless the memcached deployment requires it.
- Restrict memcached services to localhost if they are not required by any remote services.
- Consider the use of a third party DDoS mitigation tool.
- Review current DDoS mitigation tools with a view to assessing whether they are currently fit for purpose.
- Have a well-established DDoS playbook to call upon when an incident occurs.
- Appropriately skilled personnel should be called upon to ensure the best level of protection and mitigation.
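The two configuration items in the list above (disable UDP, restrict to localhost) as an added example, not part of the original advisory: a small audit of a Debian-style `/etc/memcached.conf` (one option per line, `#` comments) that reports whether the service is usable as a reflector. The two config files are constructed samples, the weak one mirroring the common case of a commented-out `-l 127.0.0.1` and no `-U` line. The UDP default is a parameter because memcached before 1.5.6 enabled UDP on port 11211 unless `-U 0` was given, while 1.5.6 and later disable it by default. Function names are this example's own.

```python
import ipaddress
import shlex

DEFAULT_PORT = 11211

# Constructed sample: loopback bind commented out, no -U line, so on
# memcached < 1.5.6 UDP 11211 is reachable on every interface.
WEAK_CONF = """\
# memcached.conf (constructed example, not a real file)
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
# -l 127.0.0.1
"""

# Same file with the two mitigations applied: loopback only, UDP off.
HARDENED_CONF = """\
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-U 0
"""


def parse_memcached_options(conf_text: str, udp_default: int = DEFAULT_PORT) -> dict:
    """Reduce a Debian-style memcached.conf to the settings that matter for
    reflection: bind addresses, UDP port, TCP port. Lines not starting with
    '-' (e.g. 'logfile ...') are consumed by the init script, not memcached,
    and are ignored. Pass udp_default=0 when auditing memcached >= 1.5.6."""
    tokens = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or not line.startswith("-"):
            continue
        tokens.extend(shlex.split(line))
    opts = {"listen": [], "udp_port": udp_default, "tcp_port": DEFAULT_PORT}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-l", "-U", "-p"):
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} needs an argument")
            val = tokens[i + 1]
            if tok == "-l":
                opts["listen"].extend(a.strip() for a in val.split(","))
            elif tok == "-U":
                opts["udp_port"] = int(val)
            else:
                opts["tcp_port"] = int(val)
            i += 2
        else:
            i += 1  # -d, -m 64, -u memcache, -v ... are irrelevant here
    return opts


def _is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 and 'localhost'; an addr:port form with a
    single colon is stripped of its port first. Unresolved hostnames are
    treated as non-loopback (the conservative choice for an audit)."""
    if addr in ("localhost", "ip6-localhost"):
        return True
    host = addr.split(":")[0] if addr.count(":") == 1 else addr
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_memcached_options(opts: dict):
    """Return (reflector_exposed, findings) for parsed options."""
    findings = []
    udp_on = opts["udp_port"] != 0
    listen = opts["listen"] or ["0.0.0.0"]  # no -l means every interface
    public = [a for a in listen if not _is_loopback(a)]
    if udp_on and public:
        findings.append(f"UDP port {opts['udp_port']} reachable on non-loopback "
                        f"address(es) {', '.join(public)}: usable as a reflector")
    elif udp_on:
        findings.append(f"UDP port {opts['udp_port']} enabled but loopback-only; "
                        "prefer -U 0 unless a local client needs UDP")
    else:
        findings.append("UDP disabled (-U 0)")
    if public:
        findings.append(f"TCP port {opts['tcp_port']} on non-loopback address(es) "
                        f"{', '.join(public)}: unauthenticated access to the cache")
    return udp_on and bool(public), findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        exposed, notes = audit_memcached_options(parse_memcached_options(conf))
        print(name, "exposed" if exposed else "ok", notes)
```

To audit a running instance rather than a file, feed the same parser the process arguments (for example the output of `ps -o args= -C memcached` with the leading program name removed, one flag per line). The audit judges only the bind address and the UDP flag; a host-based or edge firewall rule on UDP 11211 is a second, independent control and should be verified separately.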