Memcached Attack

A Memcached DDoS (distributed denial of service) attack is a type of cyber-attack in which an attacker tends to drive excessive load on a targeted victim with internet traffic.

The attacker spoofs requests to compromised UDP Memcached servers that flood the victim machine with overloaded traffic, potentially overusing the target’s resources.

While the target machine is overloaded with heavy web traffic, the system becomes deadlocked that is unable to process any new requests resulting in DDoS attacks. If you are still of what is Memcached? Memcached is a database caching system for speeding up networks and websites. One of the best examples of a firm receiving a Memcached DDoS attack is Cloudflare.

Cloudflare’s datacenters received a relative amount of Memcached attacks on its server. CloudFare filters its UDP traffic at the network edge, mitigating the risk posed by magnification attacks such as the one discribed above.

How does a Memcached attack work?

A Memcached DDoS attack works in the same way as other amplification attacks such as NTP application and DNS amplification. The attack operates by transmitting spoofed requests to the victim machine with the primary objective to overload traffic, which then responds with a good amount of data than the initial request, drastically increasing the volume of traffic.

Memcached DDoS attacks are more of like when you call up a restaurant and say that you want everything on the menu and tell them to please call them back and repeat the order. When the restaurant calls them back and repeats the order, meaning a lot of information is transmitted during that time. When the restaurant asks for the number, so that is the phone number of the victim’s phone. The target receives a heap of information that they didn’t request.

This amplification attack is possible because the Memcached service can operate on the UDP protocol. UDP protocol allows for sending data without first initiating the three-way handshake protocol that is a network protocol that enables network established between the sender and receiver. UDP port is used because the target host is never informed on whether they will receive data or not, allowing for a large amount of data that is transmitted on the victim machine without any consent.

How does a Memcached attack work?

A Memcached attack works in 4 steps:

  • An attacker fixes a large amount of data on a vulnerable Memcached server
  • Next, the attacker spoofs an HTTP get a request from the IP address of the target victim
  • The exposed Memcached server that receives the request is then waiting to send a massive response to the victim’s machine which it does
  • The targeted server receives the enormous payload, which is then unable to process such massive network traffic, resulting in an overloaded and DOS to legit requests.

How big can a Memcached Amplification Attack be?

The magnification factor of this type of attack is enormous, where some firms have quoted a staggering 51200 times magnification! Meaning that if a 15-byte request is transmitted, this would mean an expected response of 75kb.

This depicts a very massive data transmission and security risk to web properties that are unable to handle such large volumes of data. Having such a significant amplification added with vulnerable Memcached servers makes it a case for hackers to launch DDoS attacks such various targets.

How can a Memcached Attack be mitigated?

When the client and the server establish a connection using the three-way handshake protocol, the exchange follows three steps:

  • Disable UDP: For Memcached servers, make sure you disable UDP support if you don’t want to have. By default, Memcached has the support enabled, leaving the server exposed.

  • Firewall Memcached servers: By setting up a firewall for Memcached servers from the internet, this reduces the risk of Memcached server to be exposed and can utilize UDP.

  • Prevent IP spoofing: As long as spoofing IP addresses is possible, DDoS attacks can make use of the exposure to direct traffic towards the victim’s machine. Preventing IP spoofing is a tremendous task that cannot be done by the network administrator alone. It requires transit providers not to let any packets leave the network that has the origin IP outside the network.

    In other terms, internet service providers must make sure that the traffic originated must not pretend to be from somewhere else and that these packets are not allowed to leave the network. If major transit providers implement these measures, then IP spoofing can disappear overnight.

  • Develop software with reduced UDP responses: Another way to eliminate amplification attacks is to mitigate the amplification factor of any incoming request. If the response data sent as a result of the UDP request that is smaller than the original request then, amplification would no longer be possible.