March 2, 2018

Mitigating the record-setting Memcached DDoS attacks

At 2:28 GMT on 28th of February, Nexusguard successfully mitigated a 260Gbps attack bound for a customer operating an investment trading website. While attacks of such magnitude have lately become common for our Security Operations Centre (SOC), what makes this a significant mention is that the attack exploited vulnerable Memcached servers to achieve record setting efficiencies previously unseen.

At 51,000 times, the record-setting amplification effect achieved by abusing vulnerable Memcached servers greatly surpasses anything seen before, presenting an unprecedented threat that could take down practically any network on the internet.

Banner for
To put into perspective how intimidating this new threat is, the 2016 attack on DNS provider DynDNS that knocked major internet platforms and services in Europe and North America offline had an average amplification factor of 55. According to US-Cert, the bandwidth amplification factor for most commonly seen DNS-based attacks is 54.

Based on an analysis of our logs, attackers exploited a critical security flaw found on Memcached servers, mostly deployed by reputed organizations in the US, France and Vietnam. Those whose Memcached servers found to have been abused range from leading domain registrars, hosting companies and ISPs to reputable universities and government agencies.

Memcached servers are usually deployed by organizations to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source must be read. The vulnerability stems from unprotected Memcached servers that are typically not made accessible on the internet.

By sending small and spoofed UDP requests to vulnerable Memcached servers, attackers were able to generate responses 51,000 times that of the original request to the intended target. From the actual attacks observed, a 1,428-byte request generated a 714-megabyte response. This is akin to a stranger asking “How are you?”, and you respond with your entire medical history and genetics information.

Large organizations are therefore recommended to secure and harden Memcached servers by implementing access control and closing off non-essential UDP ports.


Related blog post:

To The Uninitiated, The Threat Of Memcached Attacks Can Indeed Be Daunting

Get the latest cybersecurity news and expert insights direct to your inbox

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.