A Memcached DDoS (distributed denial of service) attack is a type of cyber-attack in which an attacker attempts to overload a targeted victim with internet traffic.
The attacker spoofs requests to compromised UDP Memcached servers, which then flood the victim machine with traffic, potentially exhausting the target’s resources.
While the target machine is overloaded with heavy traffic, the system becomes deadlocked and is unable to process any new requests, resulting in a denial of service. If you are still unsure what Memcached is: Memcached is a database caching system for speeding up networks and websites. One of the best examples of a firm receiving a Memcached DDoS attack is Cloudflare.
Cloudflare’s datacenters received a relative amount of Memcached attacks on its servers. Cloudflare filters its UDP traffic at the network edge, mitigating the risk posed by amplification attacks such as the one described above.
A Memcached DDoS attack works in the same way as other amplification attacks such as NTP amplification and DNS amplification. The attack operates by transmitting spoofed requests to a vulnerable server, which then responds with a larger amount of data than the initial request, drastically increasing the volume of traffic.
A Memcached DDoS attack is like calling a restaurant, saying that you want everything on the menu, and asking them to call you back and repeat the order. When the restaurant calls back and repeats the order, a lot of information is transmitted during that time. When the restaurant asks for a callback number, the number given is the victim’s phone number. The target receives a heap of information that they didn’t request.
This amplification attack is possible because the Memcached service can operate over UDP. UDP allows data to be sent without first performing the three-way handshake, the exchange that establishes a connection between the sender and receiver. UDP is used because the target host is never asked whether it is willing to receive data, allowing a large amount of data to be transmitted to the victim machine without its consent.
A Memcached attack works in 4 steps:
The magnification factor of this type of attack is enormous; some firms have quoted a staggering 51200 times magnification! This means that if a 15-byte request is transmitted, the expected response would be 75kb.
This represents a massive data transmission and a security risk to web properties that are unable to handle such large volumes of data. Such significant amplification, combined with vulnerable Memcached servers, makes a case for hackers to launch DDoS attacks against various targets.
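What this flood looks like from the victim's side can be checked in flow data. The following is an added example, not part of the original article: it flags destinations receiving large volumes of UDP replies from many Memcached servers. It assumes Memcached's default port 11211 (not stated above), a constructed flow-record format, and hypothetical thresholds.

```python
from collections import defaultdict

MEMCACHED_PORT = 11211  # Memcached's default port (assumption, not from the article)

# Constructed flow records: (src_ip, src_port, dst_ip, proto, bytes).
# All addresses are from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    ("198.51.100.10", 11211, "203.0.113.5", "udp", 420_000),
    ("198.51.100.11", 11211, "203.0.113.5", "udp", 390_000),
    ("198.51.100.12", 11211, "203.0.113.5", "udp", 410_000),
    ("198.51.100.10", 11211, "203.0.113.9", "udp", 1_200),   # single small reply
    ("192.0.2.44", 53, "203.0.113.5", "udp", 300),           # ordinary DNS answer
    ("192.0.2.80", 11211, "203.0.113.5", "tcp", 900_000),    # TCP flow, ignored
]


def find_reflection_targets(flows, min_sources=3, min_bytes=1_000_000):
    """Return {dst_ip: (distinct_sources, total_bytes)} for destinations that
    receive UDP traffic from source port 11211 from many distinct hosts.

    min_sources and min_bytes are hypothetical thresholds; tune them against
    a baseline of normal traffic for the network being monitored.
    """
    sources = defaultdict(set)
    volume = defaultdict(int)
    for src_ip, src_port, dst_ip, proto, nbytes in flows:
        # Only UDP replies from the Memcached port match the attack pattern.
        if proto != "udp" or src_port != MEMCACHED_PORT:
            continue
        sources[dst_ip].add(src_ip)
        volume[dst_ip] += nbytes
    return {
        dst: (len(sources[dst]), volume[dst])
        for dst in sources
        if len(sources[dst]) >= min_sources and volume[dst] >= min_bytes
    }


if __name__ == "__main__":
    for dst, (count, total) in find_reflection_targets(SAMPLE_FLOWS).items():
        print(f"{dst}: {total} bytes of UDP/{MEMCACHED_PORT} replies from {count} servers")
```

Requiring both many distinct sources and a high byte count keeps a single legitimate Memcached reply from triggering the alert.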
When the client and the server establish a connection using the three-way handshake protocol, the exchange follows three steps: