What is A Memcached DDoS attack and How to Mitigate It

On February 28, 2018, one of the largest software development platform used for version control websites named GitHub was hit by the record-breaking DDoS attack that peaked over 1.3Tbps.

The attack identified as a new type of amplification DDoS attack technique which was abusing the Memcached protocol to power up this so-called Memcached (pronounced as "mem-cash-dee") DDoS attack.

Just a few days later, a security firm named Arbor networks based in Burlington, US revealed that one of their customers was also experiencing the same type of Memcached DDoS attack that peaked over massive 1.7Tbps, setting a whole new record in the DDoS history and that has happened just four days after the attack on GitHub. Since then the Memcached amplification attack has become a trending cyber-security topic.

Memcached is a free and open-source distributed memory caching system which is designed to speed up the performance of dynamic web applications by alleviating database load.

How does a Memcached DDoS attack work?

A Memcached DDoS attack is an amplification attack method where a botnet of zombie computers is not needed in order to generate a high volume of traffic necessary to bring down an intended network. In a Memcached DDoS attack, an attacker sends a request via TCP or UDP to the targeted Memcached servers on port 11211 and spoofs the IP address of the victim where the sent request consist a few bytes and the response can be tens of thousands of times bigger, resulting in an amplification attack.

According to the researchers, this amplification technique could allow attackers to obtain an amplification factor of 51,200. Since Memcached has been designed to be used without logins or passwords, attackers can also steal the sensitive cached user data remotely or host it without requiring any authentication.

Now, just a week ago, three different proof-of-concept (PoC) exploits code were also released online. This simply means that we will be seeing massive DDoS disruptions this year. And it already started.

One of the PoC exploits relies on Shodan search engine API to obtain the list of vulnerable Memcached servers via a Python script named "Memcrashed.py" where you can target these vulnerable servers to launch an attack. The Second exploit code is written in "C" and uses a static list of vulnerable Memcached servers. And the third PoC exploit is posted on Twitter by @the_ens.

Read More: https://goo.gl/UKf2cp

HaltDos is an IT Security company that primarily deals in award-winning AI-based Web Application Firewall and DDoS mitigation solutions for SME's and Large Enterprises.