Memcached servers are an irresistibly attractive means for firing packed cannons at any target without needing a botnet infrastructure, warns Tod Beardsley, research director at Rapid7.
The warning comes after software development platform GitHub revealed it had survived the largest recorded distributed denial of service (DDoS) attack of 1.35Tbps at its peak.
Until now, attacks of this size have been linked to internet of things (IoT) botnet-enabled DDoS attacks, such as the Mirai-based attack on domain name system (DNS) services supplier Dyn in October 2016, which reportedly peaked at about 1.2Tbps.
“The attack on GitHub using a memcached amplification attack is a harbinger of the new world of DDoS using this technique until these vulnerable memcached servers are themselves booted off the internet,” said Beardsley.
Memcached is an open source, distributed memory object caching system that alleviates database load to speed up dynamic web applications.
But memcached is perfect for DDoS attacks, said Beardsley, because by default it produces many thousands of bytes of UDP (user datagram protocol) response to a very short UDP request.
“This request can be easily spoofed and leveraged by attackers with low skill and few resources, and does not require any authentication,” he said. “After all, the design purpose of memcached is to deliver popular content quickly and without much warning – but the design of memcached over UDP is patently inappropriate for today's internet.”
GitHub was able to restore its service after just 10 minutes, but only with help from Akamai Prolexic, a service that mitigates such incidents by routing traffic through its larger network and also blocking malicious requests.
Although GitHub was able to deal with a DDoS attack of this size, not all organisations have the same resources and memcached-based DDoS attacks should be a cause for concern for anyone who is vulnerable, said Beardsley. “Firewall rules to block unsolicited traffic from UDP source port 11211 should be de rigueur for internet networking today,” he said.
According to Beardsley, for organisations that rely on memcached for normal caching functions and must expose it to the internet, using only the TCP interface will alleviate the spoofing problem, though at some performance cost.
“Many people were surprised that memcached ran over UDP in the first place, so most normal users simply need to disable the UDP functionality they weren’t using anyway,” he said.
For people who are “absolutely insistent” that their application must use memcached over UDP, Beardsley said he suspects they will be out of luck very soon.
“There is every indication that reputable internet hosting companies the world over are going to be disabling this protocol at the ISP [internet service provider] layer, since memcached over UDP is just too dangerous to run on the open internet,” he said.
Operators of memcached servers are advised to:
- Ensure all memcached servers are not exposed to the internet.
- Block access to UDP port 11211 in every internet-facing firewall.
- Disable UDP on all memcached servers.
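Two checks a defender can script from the advice above, added here as an example that is not part of the article or of any Rapid7 or memcached tooling: a flow-record scan that flags memcached UDP conversations whose reply volume dwarfs the request volume (the amplification pattern described above), and an audit of a memcached command line for the UDP-disabling flag. The flow records and IP addresses are constructed sample data; `-U 0` / `--udp-port=0` are real memcached options, but whether UDP is on by default when the flag is absent depends on the memcached version, so the audit treats an absent flag as "not explicitly disabled".

```python
"""Spot memcached UDP amplification in flow records and audit the UDP setting."""
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed flow records, not real traffic:
# (proto, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    # short UDP request arriving at the cache from a (spoofed) source address
    ("UDP", "203.0.113.7", 40321, "198.51.100.10", 11211, 64),
    # cache answers that source with far more data than it received
    ("UDP", "198.51.100.10", 11211, "203.0.113.7", 40321, 1_048_576),
    # normal TCP cache traffic from an application server; ignored here
    ("TCP", "192.0.2.20", 51000, "198.51.100.10", 11211, 2_048),
    ("TCP", "198.51.100.10", 11211, "192.0.2.20", 51000, 16_384),
    # unrelated UDP (DNS) for contrast; not port 11211, so ignored
    ("UDP", "192.0.2.20", 53333, "192.0.2.53", 53, 80),
]


def amplification_ratios(flows):
    """Map (cache_ip, peer_ip) -> bytes sent from UDP/11211 divided by bytes
    received on UDP/11211 from that peer. Only UDP memcached flows count."""
    sent, received = defaultdict(int), defaultdict(int)
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "UDP":
            continue
        if sport == MEMCACHED_PORT:
            sent[(src, dst)] += nbytes
        elif dport == MEMCACHED_PORT:
            received[(dst, src)] += nbytes
    return {key: (out / received[key] if received.get(key) else float("inf"))
            for key, out in sent.items()}


def suspected_amplification(flows, threshold=100.0):
    """Conversations whose reply/request byte ratio reaches the threshold."""
    return {k: r for k, r in amplification_ratios(flows).items() if r >= threshold}


def udp_disabled(memcached_cmdline):
    """True when the command line explicitly sets the UDP port to 0
    (-U 0, -U0 or --udp-port=0); False when the flag is absent."""
    args = memcached_cmdline.split()
    for i, arg in enumerate(args):
        if arg == "-U" and i + 1 < len(args):
            return args[i + 1] == "0"
        if arg.startswith("--udp-port="):
            return arg.split("=", 1)[1] == "0"
        if arg.startswith("-U") and len(arg) > 2:
            return arg[2:] == "0"
    return False  # assumption: absent flag is treated as not hardened
```

Run against real NetFlow or firewall logs, a ratio in the thousands from source port 11211 is the signature the article describes, and the fix is the advice above: bind to localhost or TCP only and start memcached with `-U 0`.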
Sammy Migues, principal scientist at Synopsys, said the attack on GitHub underlines the importance of organisations operating memcached servers implementing some very basic security practices.
“The impact was minimal because GitHub was commendably prepared to survive an attack much larger than this,” he said. “Unless the unwitting operators of these memcached servers take corrective action, it is inevitable that other ill-equipped targets will fall victim to similar DDoS attacks and suffer a much longer outage.”