Memcached Servers Can Be Hijacked For Massive DDoS Attacks

A flaw in the implementation of the UDP protocol for Memcached servers can allow anyone to launch a massive Distributed Denial of Service (DDoS) attack with little effort.

The problem was first discovered by the 0kee Team from China, which published a paper about it (pdf). This past week, security researchers at content delivery network (CDN) specialist Cloudflare also wrote about the issue. And CDN specialist Akamai and security provider Arbor Networks recently published their findings.

Memcached is a massive in-memory cache for database-driven websites that holds the most frequently retrieved data in memory rather than fetching it from the hard disk over and over again. It is a combination of open-source software and standard server hardware that consists of memory, memory, and more memory.

What researchers found is that Memcached developers implemented support for the UDP protocol in an insecure way. Cloudflare said it detected several DDoS attacks carried out via exposed Memcached servers in the past few days, which is what led to the discovery.

“Over last couple of days, we’ve seen a big increase in an obscure amplification attack vector — using the memcached protocol, coming from UDP port 11211,” the company wrote in a blog post.

Poorly implemented UDP puts exposed Memcached servers at risk for DDoS attack 

Cloudflare said that because UDP wasn’t implemented properly, hackers can send a tiny, byte-sized request to an exposed Memcached server, and instead of answering with a response of similar size, the server replies with packets that are sometimes thousands of times bigger than the initial request.

A carefully prepared technique allows an attacker with limited IP spoofing capacity, such as 1Gbps, to launch very large attacks reaching hundreds of gigabits per second, Cloudflare reported. The company cited one recent DDoS attack launched against its network where attackers sent 15-byte packets and Memcached servers responded with 750KB packets.

Because it’s the UDP protocol, which does not require a source address in its headers, the packet’s original IP address can be easily spoofed. So an attacker can trick the Memcached server into sending oversized response packets to another IP address, the hapless target.

Memcached servers also expose their UDP port to external connections in the default configuration, meaning any Memcached server not behind a firewall can be abused for DDoS attacks right now.

The fix is fairly easy, and Cloudflare spells it out in their report. Memcached server users should disable their UDP port immediately and place these servers on private networks behind firewalls.
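As an added illustration (not code from Cloudflare's report or from the Memcached project), the following Python sketch audits a memcached options file for the two conditions the fix addresses: a UDP listener that has not been turned off with `-U 0`, and a bind address (`-l`) that reaches beyond loopback. It assumes the one-option-per-line layout used by packaged `memcached.conf` files; both sample configurations are constructed.

```python
import ipaddress

# Constructed samples in the one-option-per-line style of a packaged memcached.conf.
WEAK_CONF = """\
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""
HARDENED_CONF = """\
-m 64
-p 11211
-u memcache
-l 127.0.0.1   # loopback only
-U 0           # UDP listener off
"""

def parse_options(conf_text):
    """Extract the UDP port (-U/--udp-port) and listen addresses (-l/--listen)."""
    opts = {"udp_port": None, "listen": []}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()       # drop comments and blanks
        if not tokens:
            continue
        flag, _, inline = tokens[0].partition("=")  # handles --udp-port=0
        value = inline or (tokens[1] if len(tokens) > 1 else "")
        if flag in ("-U", "--udp-port") and value.isdigit():
            opts["udp_port"] = int(value)
        elif flag in ("-l", "--listen"):
            opts["listen"] += [a for a in value.split(",") if a]
    return opts

def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False   # hostname or host:port form: report it for manual review

def audit(conf_text):
    """Return findings; an empty list means UDP is off and only loopback is bound."""
    opts, findings = parse_options(conf_text), []
    if opts["udp_port"] is None:
        # Assumption: no -U means UDP is on, the default the article describes.
        findings.append("UDP not disabled: add '-U 0'")
    elif opts["udp_port"] != 0:
        findings.append(f"UDP enabled on port {opts['udp_port']}: set '-U 0'")
    exposed = [a for a in opts["listen"] if not is_loopback(a)] or (
        [] if opts["listen"] else ["all interfaces (no -l)"])
    if exposed:
        findings.append("bound beyond loopback, confirm private network and firewall: "
                        + ", ".join(exposed))
    return findings
```

Calling `audit(WEAK_CONF)` returns two findings, while `audit(HARDENED_CONF)` returns an empty list.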
