A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.
Reflective DDoS attacks:
In simpler terms, the flow of the technique is:
- The attacker sends a request to a vulnerable server, spoofing the source IP address as that of the victim server
- The vulnerable server sends its response to the spoofed IP address, which is the victim server
What is Memcached:
Memcached is a free and open-source, high-performance, distributed memory object caching system. It is generic in nature, but intended for speeding up dynamic web applications by alleviating database load. It is an in-memory key-value store for small chunks of arbitrary data (strings, objects) from the results of database calls, API calls, or page rendering.
Feature that makes Memcached vulnerable:
By design, memcached supports a “STATS” command over both UDP and TCP, which lets the memcached server admin query the server for its statistics.
Since UDP, unlike TCP, requires no handshake, a memcached server exposed to the internet over UDP in an unsecured way becomes an attack vector: the attacker queries the server’s “STATS” while spoofing the source IP address as that of the victim’s server.
In our test (over TCP), the query was only a handful of bytes, while the response was almost 100 times that size, and it is this response that is sent to the victim’s server, which amplifies the attack.
And that is how attackers are using the memcached UDP STATS command to perform an AMPLIFIED REFLECTIVE DDOS ATTACK.
At the time of writing this article, we could find 1,04,301 memcached servers (not all of them exposed on UDP) in Shodan!
Please refer to the Shodan Report: https://www.shodan.io/report/zoEvusDg
IP Addresses List updated:
Using the Shodan API, we were able to collate 58,486 IP addresses, and we will do our best to keep this list updated on a bi-weekly schedule. You can find the IP addresses at the link below:
Did Memcached (open source) feel responsible?
Also, 5 days back, a commit was made with the comment shown below to DISABLE UDP BY DEFAULT!
Quick Workaround for existing servers:
Disable the UDP listener on your memcached server. If that is not feasible, implement the following:
- Use a network policy to block UDP traffic to your memcached server from the internet
- If your monitoring servers use the UDP protocol to query memcached servers, use an IP whitelist
- If you do not have a firewall that can perform the above, use a UDP proxy (e.g. NGINX), allow traffic only from that proxy, and maintain your IP whitelists on the UDP proxy servers
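As an added example (not code from the original post) tying the UDP STATS query described above to the whitelist from the workaround list: the script below parses the memcached UDP frame header, picks out the command verb, and flags stats/get queries to port 11211 whose source is outside an allowlisted monitoring network, which is the decision a UDP proxy or firewall in front of memcached has to make. The 10.0.5.0/24 allowlist, the sample datagrams and their source addresses are constructed for illustration.

```python
import struct
from ipaddress import ip_address, ip_network

# A memcached UDP datagram is an 8-byte frame header followed by the ASCII
# command: request id (2), sequence number (2), total datagrams (2), reserved (2).
FRAME_HEADER = struct.Struct("!HHHH")
# "stats" is the verb this post describes; get/gets return stored values far larger than the request.
AMPLIFYING_VERBS = {"stats", "get", "gets"}
# Constructed allowlist: monitoring hosts that may legitimately query over UDP.
ALLOWED_SOURCES = [ip_network("10.0.5.0/24")]

def parse_frame(payload: bytes):
    """Return (request_id, seq, total, command_line), or None if not a memcached frame."""
    if len(payload) < FRAME_HEADER.size:
        return None
    req_id, seq, total, reserved = FRAME_HEADER.unpack_from(payload)
    if reserved != 0 or total == 0 or seq >= total:  # reserved is always zero
        return None
    line = payload[FRAME_HEADER.size:].split(b"\r\n", 1)[0]
    return req_id, seq, total, line.decode("ascii", "replace")

def classify(src_ip: str, payload: bytes) -> str:
    """Label one datagram sent to UDP/11211 as 'allowed', 'suspect' or 'ignore'."""
    frame = parse_frame(payload)
    if frame is None:
        return "ignore"
    verb = frame[3].split(" ", 1)[0].lower()
    if verb not in AMPLIFYING_VERBS:
        return "ignore"
    if any(ip_address(src_ip) in net for net in ALLOWED_SOURCES):
        return "allowed"
    # A spoofed request carries the victim's address, so the "source" is never the
    # real sender; the only safe policy is to answer nobody outside the allowlist.
    return "suspect"

def audit(records):
    """Return the (src_ip, command) pairs a UDP proxy or firewall should drop."""
    return [(src, parse_frame(p)[3]) for src, p in records
            if classify(src, p) == "suspect"]

# Constructed sample traffic; frame header = request id 1, datagram 0 of 1.
HDR = FRAME_HEADER.pack(1, 0, 1, 0)
SAMPLE = [
    ("10.0.5.7", HDR + b"stats\r\n"),        # monitoring host, allowed
    ("198.51.100.23", HDR + b"stats\r\n"),   # unknown source: likely a spoofed victim
    ("203.0.113.9", b"GET / HTTP/1.1\r\n"),   # stray HTTP, not a memcached frame
    ("10.0.5.7", HDR + b"version\r\n"),       # small response, nothing to amplify
]
if __name__ == "__main__":
    for src, cmd in audit(SAMPLE):
        print(f"drop UDP query from {src}: {cmd}")
```

Running it prints the one datagram to drop: the stats query arriving from the non-allowlisted address.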
Please feel responsible for the wider internet: we request all memcached admins out there to go ahead and secure their servers and NOT CONTRIBUTE to such attack vectors!
As always we say:
Keep Defending !