We are living in an age where new attacks keep appearing, ranging from low to high complexity and with severity from high to critical. Technology keeps growing and advancing, and there will always be more attacks to expect in the future. Two of the largest DDoS attacks ever recorded in the history of the internet were launched only recently. Yes, 2018 is going well. Attackers recently took advantage of server configuration settings that had not been hardened from a security point of view to thwart such attacks. As a result, the affected servers received floods of malicious traffic and were not equipped to stabilize the situation at hand.
The attack we are discussing targeted Memcached systems. Memcached is a popular open source distributed memory caching system. Attackers exploited it to launch an amplification DDoS attack: they sent forged requests to the targeted Memcached server on port 11211 from a spoofed IP address that matched their target's IP address. This is what went down during the attack: a request of only a few bytes, arriving at the exposed Memcached server from the spoofed address, triggered a response a thousand times larger, and because the request was spoofed, that response was delivered to the target rather than back to the attacker. Repeated at scale, this is what led to the massive DDoS attack.
Basically, Memcached servers cache large amounts of data that applications would otherwise have to fetch from an external database. This cached data is then easily accessible for applications to use as and when they require it. Companies use these servers to speed up their page load time, and they have been used for this very purpose for quite a long time now. Normally, Memcached servers are used internally within an organization: they are not exposed to the public network (the internet) and are only made accessible to a trusted internal network. But apparently, there are plenty of Memcached servers accessible online as well. Shodan, a search engine that lets users find specific types of internet-connected devices (webcams, routers, servers, etc.), can be used to find Memcached servers as well.
What is interesting is that these servers had UDP port 11211 open by default (according to Cloudflare's Marek Majkowski). Companies have used these servers for a very long time, and back in the day UDP was faster and simpler than TCP. That has changed now, but the default server configuration remained, which led to the discovery of many Memcached servers with port 11211 left open by default.
In the aftermath of this attack, the maintainers of the open source Memcached project released a new stable version in which the default settings no longer leave the mentioned UDP port open. This can also be configured manually.
To prevent Memcached servers from being exploited with the method described above, we advise users to install a WAF that allows access to Memcached servers ONLY from the local network.
Administrators should also consider blocking external traffic to the ports the attackers used to exploit the Memcached servers (for example port 11211, used by default), blocking or rate-limiting UDP, or completely disabling UDP support if it is not in use.
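The amplification mechanism described above and the exposure the mitigations address can both be checked from a server's own traffic records. The following is an added example (not code from the original post) that runs over constructed flow records: it pairs UDP traffic to port 11211 with the replies from it, flags peers outside the trusted internal networks (the server is exposed), and computes the reply-to-request byte ratio per peer to spot amplification; the record format, trusted networks and threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

MEMCACHED_PORT = 11211
# Assumed trusted internal networks; anything else counts as external.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]

# Constructed sample flow records: (proto, src_ip, src_port, dst_ip, dst_port, bytes).
# 192.0.2.10 is the memcached server; 203.0.113.7 is the spoofed (victim) address.
SAMPLE_FLOWS = [
    ("udp", "203.0.113.7", 53211, "192.0.2.10", 11211, 15),       # tiny forged request
    ("udp", "192.0.2.10", 11211, "203.0.113.7", 53211, 750000),   # huge reply sent to the victim
    ("udp", "198.51.100.4", 40000, "192.0.2.10", 11211, 20),      # external but ordinary peer
    ("udp", "192.0.2.10", 11211, "198.51.100.4", 40000, 30),
    ("tcp", "10.0.0.5", 45000, "192.0.2.10", 11211, 100),         # internal TCP client, ignored
    ("tcp", "192.0.2.10", 11211, "10.0.0.5", 45000, 2000),
]


def is_trusted(ip):
    """True if the address falls inside one of the trusted internal networks."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyze_flows(flows, amp_threshold=100):
    """Aggregate UDP bytes per (server, peer) pair around the memcached port.

    Returns one finding per pair with the amplification ratio
    (reply bytes / request bytes) and whether the peer is external.
    A pair is suspicious when an external peer receives replies at or
    above amp_threshold times the bytes it sent: that is the signature of
    an amplification attack with the peer address as the victim.
    """
    stats = defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0})
    for proto, sip, sport, dip, dport, nbytes in flows:
        if proto != "udp":
            continue  # the amplification vector is UDP; TCP cannot be spoofed this way
        if dport == MEMCACHED_PORT:
            stats[(dip, sip)]["req_bytes"] += nbytes
        elif sport == MEMCACHED_PORT:
            stats[(sip, dip)]["resp_bytes"] += nbytes
    findings = []
    for (server, peer), s in stats.items():
        ratio = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else float("inf")
        external = not is_trusted(peer)
        findings.append({"server": server, "peer": peer, "external_peer": external,
                         "amplification": ratio,
                         "suspicious": external and ratio >= amp_threshold})
    return findings
```

Any external peer in the output at all means the server is reachable from outside the trusted network, which is the exposure the post says to close; the suspicious entries show which addresses are being flooded with replies.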
Need help protecting your business from all kinds of application-layer DDoS attacks?