Memcached is a tool used to cache data and lessen strain on large data stores, such as disk or databases. The memcached protocol involves the server being queried for information about key-value stores. It was built to be used on systems that are not exposed to the Internet, and no authentication is required. If a memcached server is connected to the Internet, the protocol can be abused very easily.
The attack is similar to all other amplification attacks. Initially, an attacker capable of spoofing IP addresses sends fake requests to a vulnerable UDP server. The UDP server, unaware the request is fake, prepares the response. When thousands of responses are sent to an unsuspecting target host, this overwhelms its resources and sometimes crashes the network. Amplification attacks are effective because the response packets are usually much bigger than the request packets. With a carefully prepared technique, an attacker with highly limited IP spoofing capacity (e.g. 1 Gbps) can launch massive attacks (up to 100 Gbps), “amplifying” their bandwidth.
A discovery of a new amplification vector, such as this memcached UDP DDoS, happens rarely. Cloudflare says that “the protocol specification shows that it’s one of the best protocols to use for amplification ever! There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! Furthermore, the request can be tiny and the response huge (up to 1MB).”
Cloudflare also described the ease of launching such an attack. First, a large payload is implanted on an exposed memcached server; then a “get” request is spoofed with the target’s source IP. There is a huge amplification factor.
Cloudflare says that there are vulnerable memcached servers worldwide, in particular in North America and Europe, located in major hosting providers.
According to Akamai, there are currently more than 50,000 known vulnerable systems exposed. Security firm Rapid7 puts the figure even higher at “well over 100,000 exposed memcached servers at any time”. Security firms are advising people using such memcached servers to immediately remove them from Internet access.
Memcached listens only on localhost on TCP and UDP port 11211 on most versions of Linux, however, in some distributions it is configured to listen to this port on all interfaces by default.
To prevent future attacks, Cloudflare advises users employing memcached to immediately disable UDP support if it is not being used. They also warn users to ensure that memcached servers are firewalled from the Internet, and share a test to find out whether they can be accessed over UDP. In terms of the bigger picture, Cloudflare says that in order to defeat future such attacks, “we need to fix vulnerable protocols and also IP spoofing”, adding “as long as IP spoofing is permissible on the Internet, we’ll be in trouble”. Finally, they urge developers to stop using UDP, and if they do use it, to ensure that it is not enabled by default.
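As an added example (not from the article, Cloudflare, or the memcached project), the following shell function audits a memcached command line for the two settings discussed above: the `-U` option (UDP port, `0` disables it) and the `-l` option (listen address). The option strings it is run against are constructed samples, not taken from a real host.

```shell
#!/bin/sh
# Audit memcached launch options for the two exposure settings the advisory
# describes: UDP still enabled (-U other than 0) and the daemon bound to all
# interfaces (-l missing, 0.0.0.0 or ::). Returns 0 when hardened, 1 otherwise.

# memcached_exposure "<options>": prints each finding, returns 0 if hardened.
memcached_exposure() {
    opts="$1"
    udp_port=11211          # memcached default when -U is absent: UDP listener on
    listen=""               # empty means no -l given: binds to every interface
    set -- $opts            # positional parameters are local to the function
    while [ $# -gt 0 ]; do
        case "$1" in
            -U)  udp_port="$2"; shift ;;
            -U*) udp_port="${1#-U}" ;;
            -l)  listen="$2"; shift ;;
            -l*) listen="${1#-l}" ;;
        esac
        shift
    done
    status=0
    if [ "$udp_port" != "0" ]; then
        echo "UDP enabled on port $udp_port: disable with -U 0"
        status=1
    fi
    case "$listen" in
        ""|0.0.0.0|::)
            echo "listening on all interfaces: bind with -l 127.0.0.1"
            status=1 ;;
    esac
    [ "$status" -eq 0 ] && echo "hardened: UDP off, bound to $listen"
    return $status
}

# Constructed samples: a distribution-style default and a hardened variant.
WEAK="-m 64 -p 11211 -u memcache"
HARDENED="-m 64 -p 11211 -U 0 -l 127.0.0.1 -u memcache"

for sample in "$WEAK" "$HARDENED"; do
    echo "== memcached $sample"
    memcached_exposure "$sample" && echo "result: ok" || echo "result: exposed"
done
```

The same check can be pointed at the live command line (for example the `ExecStart` line of the service unit) to confirm the change after restarting memcached; it does not replace firewalling port 11211 from the Internet.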