Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/27/2018
04:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Memcached Servers Being Exploited in Huge DDoS Attacks

Multiple vendors this week say they have seen a recent spike in UDP attacks coming in via port 11211.

Multiple security vendors this week are warning about threat actors for the first time exploiting unprotected Memcached servers to launch dangerously large denial-of-service attacks against target organizations.

German DDoS mitigation service provider Link11, one of those to report on the new activity, says that over the past few days it has observed massive UDP attacks in which Memcached servers have been used as an amplification vector.

Each of the high-bandwidth attacks that Link11 observed in late February has exceeded 100 Gbps, with peaks of well over 400 Gbps. The attacks went on over multiple consecutive days and lasted up to 10 minutes on average, according to the company.

Akamai Technologies says this Monday it mitigated a 190 Gbps Memcached attack that generated over 17 million packets per second. Cloudflare, another vendor to report on the previously unseen attack type, says that over the past two days it has seen an increase in UDP attacks coming in via UDP port 11211, the port associated with Memcached services. 

The company says the peak inbound UDP Memcached traffic it has seen so far is 260 Gbps, which is massive for a completely new amplification vector.

Memcached is open source software that many organizations install on their servers to increase performance speed. It works by caching data in system memory and is designed purely for use behind firewalls and on enterprise LANs, says Link11 CTO Karsten Desler. But many organizations have deployed Memcached hosts that are completely accessible from the public Internet. All that attackers have to do is to search for these hosts and then use them to direct high-volume DDoS traffic at a victim.

Desler says a recent Link11 scan showed at least 5,000 Memcached servers deployed on the public Internet that are open for exploit. These servers give attackers a way to generate massive volumes of DDoS traffic with even a relatively small bandwidth connection and minimal input.

"The amplification factor with Memcached servers is hundreds of times larger than DNS," says Desler. "You need a lot fewer servers to get the same bandwidth [compared to] using DNS, NTP, or any other amplification vector," he says.

With DNS amplification, for instance, an attacker might be able to generate a 50KB response to a 1KB request. But with a Memcached server, an attacker would be able to send a 100-byte request and get a 100MB or even 500MB response in return. In theory, at least, the amplification could be unlimited, Desler says.

Security researchers have previously warned about Internet-facing Memcached servers being open to data theft and other security risks. Desler theorizes one reason why attackers have not used Memcached as an amplification vector in DDoS attacks previously is simply because they have not considered it and not because of any technical limitations.

Exploiting Memcached servers is new as far real-world DDoS attacks are concerned, says Chad Seaman, senior engineer, with Akamai's Security Intelligence Response Team. "A researcher had theorized this could be done previously," Seaman says. "But as Memcached isn't meant to run on the Internet and is a LAN-scoped technology that is wide open, he thought it could really only be impactful in a LAN environment."

But the use of default settings and reckless administration overall among many enterprises has resulted in a situation where literally tens of thousands of boxes running Memcached are on the public-facing Internet, Seaman says. "And now the DDoS attackers have found them and appear to be capitalizing on them before significant clean-up efforts take place."

What makes the attacks worrisome is that Memcached services are deployed on servers and in hardware pools with plenty of bandwidth and resources. Unlike typical reflected attacks with mostly static payloads — like CharGen and NTP — that cannot be easily modified, with Memcached reflection an attacker has much more control over the payload. This gives them to the potential to do a lot more damage, Seaman says.

"The primary problem is that Memcached, with its lack of authentication or controls, is world readable and writable. It's also very fast, as it does all data management directly in memory, and by default it supports key value stores of up to 1MB."

So, if attackers can find suitably beefy machines and load them up with as many keys as they want, they can use the box to launch waves of traffic with amplification rates far exceeding the norm for DDoS attacks, Seaman says. "In theory, an attack could unleash gigs of traffic from a single machine with a packet that's only a few dozen bytes."

Mitigation at this point is basically blocking traffic from source port 11211 at the router, firewall, and elsewhere along the network edge, adds Domingo Ponce, director of global security operations at Akamai. Organizations also need to ensure they have the bandwidth to absorb the attacks while allowing legitimate traffic to remain up.

"It's real and we've seen it," Ponce says. "At the end of the day, your pipes better be big enough."

Related content:

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31476
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 10.1.3.37598. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the han...
CVE-2021-31477
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of GE Reason RPV311 14A03. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware and filesystem of the device. The firmware and filesystem contain hard-...
CVE-2021-32690
PUBLISHED: 2021-06-16
Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This...
CVE-2021-32691
PUBLISHED: 2021-06-16
Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within th...
CVE-2021-32243
PUBLISHED: 2021-06-16
FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated).