Arbor Networks specialists have published a description of, and recommendations regarding, a DDoS UDP reflection/amplification attack carried out using servers running the Memcached caching system. Because Memcached has no built-in security measures, it is highly susceptible to abuse in volumetric attacks. This is why this particular system should not be exposed on a public network. GitHub administrators learned this the hard way when they had to deal with a 1.35 Tbps attack.
Where are Memcached solutions used?
A significant number of servers – mainly in hosting, cloud or IaaS solutions – use Memcached to improve web app capacity. This makes them vulnerable to this type of attack. The situation is worrying because numerous Internet-facing servers run Memcached. According to the Shodan.io report, there were over 93 000 such devices as of 27 February.
What is the sequence of a DDoS UDP attack using Memcached?
The attack itself is typical: packets with a spoofed IP address are sent to vulnerable servers, which then send their responses to the attack's target, the “victim”. By default, Memcached runs on port 11211 (TCP and UDP); the basic recommendation is therefore to block Internet access to these ports. The attacks observed by Cloudflare, among others, exhibit a very high amplification factor of over 50 000. This means that every byte sent by the attacker generates a response of 50 kB (exactly 50 000 times greater).
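An added example (not from Arbor Networks or the Memcached project): a Python check that reads a memcached options file and reports whether the UDP listener is enabled on a non-loopback address, which is the condition the recommendation above is meant to remove. It assumes a Debian-style file with one option per line; `audit_memcached_conf`, `udp_default_on` and the sample configs are names and values constructed for this illustration.

```python
import ipaddress
import shlex

DEFAULT_PORT = 11211  # memcached's default TCP and UDP port

# Constructed sample configs (not taken from any real host).
EXPOSED = "-m 64\n-p 11211\n-u memcache\n-l 0.0.0.0\n"
HARDENED = "-m 64\n-p 11211\n-l 127.0.0.1\n-U 0  # UDP listener off\n"


def _is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # other hostname: treat as reachable (conservative)


def audit_memcached_conf(conf_text, udp_default_on=True):
    """Return the effective UDP port and listen exposure for one options file.

    udp_default_on is an assumption supplied by the caller: whether the
    installed build enables UDP when no -U option is present.
    """
    listen, tcp_port, udp_port = [], None, None
    for raw in conf_text.splitlines():
        tokens = shlex.split(raw, comments=True)  # drops '#' comments
        if not tokens:
            continue
        opt = tokens[0]
        if "=" in opt:                       # long form: --udp-port=0
            opt, value = opt.split("=", 1)
        else:                                # short form: -U 0
            value = tokens[1] if len(tokens) > 1 else ""
        if opt in ("-l", "--listen"):
            listen += [a.strip() for a in value.split(",") if a.strip()]
        elif opt in ("-p", "--port"):
            tcp_port = int(value)
        elif opt in ("-U", "--udp-port"):
            udp_port = int(value)
    if udp_port is None:
        # No explicit -U: modelled as following the TCP port when UDP is on by default.
        udp_port = (tcp_port or DEFAULT_PORT) if udp_default_on else 0
    # With no -l option, memcached binds every interface.
    non_loopback = not listen or any(not _is_loopback(a) for a in listen)
    return {"udp_port": udp_port, "non_loopback_listen": non_loopback,
            "reflector_risk": udp_port != 0 and non_loopback}
```

Memcached 1.5.6 and later ship with UDP off by default, so pass `udp_default_on=False` when auditing those builds. A `reflector_risk` of `True` means the host still needs `-U 0`, a loopback-only `-l`, or a firewall rule on port 11211.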
A record-breaking 1.35 Tbps DDoS (at 126.9 MM packets per second)
GitHub admins experienced the magnitude of such an attack on February 28. The popular website was unavailable for only a few minutes owing to a rapid switch to an external anti-DDoS service. The attack traffic volume peaked at 1.35 Tbps (at 126.9 MM packets per second). It is impossible to repel such an attack without specialist help.
You can learn more about this attack by visiting:
Source: Arbor Networks