[SingCERT] Technical Alert on the Distributed Denial of Service (DDoS) Amplification Attacks Using Memcached

Published on Tuesday, 13 March 2018 11:21

UPDATED 13 Mar 2018: System Administrators are advised to update their Memcached servers to version 1.5.6. This is a bugfix release whose main change is that the UDP protocol is disabled by default; UDP must now be explicitly enabled with the ‘-U <port>’ option.

Background

Memcached is a free and open source distributed memory object caching system. It is often used to speed up dynamic websites by caching data objects in random-access memory, reducing the latency of repeated reads against an external database.

On 27 February 2018, Cloudflare reported a significant rise in the number and magnitude of distributed denial of service (DDoS) amplification attacks that abuse misconfigured Memcached servers reachable over the Internet.

Affected Products

All versions of Memcached with User Datagram Protocol (UDP) port 11211 enabled and reachable from the Internet. UDP is enabled by default in versions before 1.5.6.

Impact

Attackers can exploit affected Memcached servers as reflectors in DDoS amplification attacks. Because UDP is connectionless and involves no handshake, the source IP address of a request can be forged trivially; this is a property of UDP itself, not an implementation defect in Memcached. An attacker therefore sends a large number of small UDP requests (for example ‘stats’, or ‘get’ for a large value the attacker stored earlier) to exposed Memcached servers with the source address set to the victim's IP. The servers answer with responses many times larger than the requests, and those replies are delivered to the victim rather than to the attacker, exhausting the victim's network bandwidth and computing resources. Cloudflare reported amplification factors of up to roughly 51,200 times the size of the request.

Recommendations

For Memcached Users:
  • Disable UDP support if it is not required, by starting memcached with ‘-U 0’
  • Listen only on the loopback interface by specifying ‘--listen 127.0.0.1’ (or ‘-l 127.0.0.1’ on older releases), so that the cache is reachable only from the local host
For System Administrators:
  • Protect Internet-facing Memcached servers with a firewall that permits TCP and UDP port 11211 only from trusted application hosts, and verify from an external host that port 11211/UDP no longer answers
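The request/response exchange described under Impact, and the verification step behind the Recommendations, as an added Python example that is not part of this alert or of the Memcached project. It builds the 8-byte memcached UDP frame header in front of an ASCII command, reassembles a multi-datagram reply, and computes the amplification ratio (reply bytes per request byte). The ‘stats’ reply used for the offline calculation is constructed inline, not captured from a real server; the 1400-byte frame size is assumed from memcached's usual UDP frame and is used only to split that sample. The probe() function sends real traffic and must only be pointed at hosts you are authorised to test, such as your own server after applying the fixes above, where no reply within the timeout is the expected result once UDP is disabled or filtered.

```python
import socket
import struct
import sys

# Memcached UDP frame header (8 bytes, big-endian):
#   request id | sequence number | total datagrams in reply | reserved (0)
FRAME_HEADER = struct.Struct("!HHHH")
FRAME_HEADER_LEN = FRAME_HEADER.size  # 8
# Assumed 1400-byte UDP frames minus the header; only used to split the sample.
MAX_PAYLOAD = 1400 - FRAME_HEADER_LEN


def build_request(command, request_id=0x1234):
    """Wrap an ASCII-protocol command in a single-datagram UDP frame."""
    if not command.endswith(b"\r\n"):
        command += b"\r\n"
    return FRAME_HEADER.pack(request_id, 0, 1, 0) + command


def parse_frame(datagram):
    """Split a received datagram into (request_id, seq, total, payload)."""
    if len(datagram) < FRAME_HEADER_LEN:
        raise ValueError("datagram shorter than memcached UDP header")
    request_id, seq, total, _reserved = FRAME_HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[FRAME_HEADER_LEN:]


def reassemble(datagrams, request_id):
    """Order the datagrams of one reply by sequence number and join payloads.
    Frames carrying a different request id (stray or unrelated replies) are dropped."""
    frames = {}
    total = None
    for d in datagrams:
        rid, seq, tot, payload = parse_frame(d)
        if rid != request_id:
            continue
        total = tot
        frames[seq] = payload
    if total is None:
        return b""
    return b"".join(frames.get(i, b"") for i in range(total))


def amplification_factor(request, datagrams):
    """Bytes the reflector emits per byte the attacker must send
    (frame header and command included)."""
    reply_bytes = sum(len(d) for d in datagrams)
    return reply_bytes / len(request)


def probe(host, port=11211, timeout=2.0, command=b"stats"):
    """Send one frame to a host you are authorised to test and collect reply
    datagrams until the socket times out. No data within the timeout usually
    means UDP is off (-U 0), filtered, or the daemon listens on localhost only."""
    request = build_request(command)
    datagrams = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        try:
            while True:
                data, _addr = s.recvfrom(65535)
                datagrams.append(data)
        except socket.timeout:
            pass
    return request, datagrams


def sample_reply(request_id=0x1234):
    """Constructed two-datagram 'stats' reply (not captured from a real host),
    delivered out of order to exercise reassembly."""
    body = b"".join(b"STAT slab_%d_hits 0\r\n" % i for i in range(120)) + b"END\r\n"
    chunks = [body[i:i + MAX_PAYLOAD] for i in range(0, len(body), MAX_PAYLOAD)]
    frames = [FRAME_HEADER.pack(request_id, seq, len(chunks), 0) + c
              for seq, c in enumerate(chunks)]
    return list(reversed(frames))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check against a host you own: python3 memcached_udp_check.py <host>
        req, reply = probe(sys.argv[1])
    else:
        # Offline demonstration with the constructed reply.
        req, reply = build_request(b"stats"), sample_reply()
    if not reply:
        print("no UDP reply: port 11211/UDP appears closed, filtered or UDP disabled")
    else:
        print("reply datagrams:", len(reply),
              "amplification: %.1fx" % amplification_factor(req, reply))
        print(reassemble(reply, 0x1234).decode(errors="replace")[:200])
```

The request is 15 bytes (8-byte header plus ‘stats\r\n’), so even the modest constructed reply gives a ratio around 170x; a real server with many slabs or a large stored value returns far more. Run the script with a hostname after applying ‘-U 0’ or the firewall rule: the "no UDP reply" branch is the result you want.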

References

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
https://www.bleepingcomputer.com/news/security/memcache-servers-can-be-abused-for-insanely-massive-ddos-attacks/
https://blog.rapid7.com/2018/02/27/the-flip-side-of-memcrashed/