Mitigating the Memcached DDoS Threat

March 1, 2018

Several security companies recently detected a series of massive UDP amplification attacks that abuse exposed Memcached servers. Memcached is a free caching system used to speed up dynamic Web applications by keeping data and objects in RAM; the problem is not a flaw in the cache itself but installations left reachable from the Internet, which answer tiny UDP queries with very large responses.

Link11 security analysts dubbed the new DDoS attack vector "Memcached Reflection," noting that the attacks are similar to DNS reflection. "The attackers exploit the free caching system's poorly secured installations: it can be reached unsecured via UDP port 11211 for reading and writing data, as well as querying statistics," Link11's Oliver Adam wrote.

Cloudflare's Marek Majkowski, who called the new attacks "Memcrashed," noted that Memcached is unfortunately well suited for these types of attacks. "The protocol specification shows that it's one of the best protocols to use for amplification ever!" he enthused sarcastically. "There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed!"

In a blog post examining the threat, Nexusguard researchers wrote that at 51,000 times, the amplification effect achieved by these attacks greatly surpasses anything ever seen before. "To put into perspective how intimidating this new threat is, the 2016 attack on DNS provider DynDNS that knocked major Internet platforms and services in Europe and North America offline had an average amplification factor of 55," they wrote.
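The two properties the quotes above describe (an unauthenticated UDP listener on port 11211 and a request/response size ratio in the tens of thousands) can be checked directly against your own hosts. The script below is an added example written for this article; it is not code from Cloudflare, Link11, Nexusguard or the memcached project. It assumes the 8-byte memcached UDP frame header documented in memcached's protocol.txt (request id, sequence number, total datagrams, reserved) and uses a constructed sample `stats` reply, not a capture from a real server, so that it runs offline. `probe()` is the only part that touches the network and should be pointed only at hosts you are authorized to test.

```python
"""Audit helper for the memcached UDP exposure discussed above (added example).

Assumptions, not taken from the article: the UDP frame header layout from
memcached's protocol.txt and the constructed SAMPLE_RESPONSE below.
"""
import socket
import struct

MEMCACHED_UDP_PORT = 11211
# request id, sequence number, total datagrams, reserved (all big-endian u16)
HEADER = struct.Struct("!HHHH")


def build_udp_request(command: bytes, request_id: int = 0) -> bytes:
    """Wrap an ASCII command (e.g. b"stats") in the memcached UDP frame header.

    The server copies request_id back into every response datagram; that is
    the only thing tying a reply to a request. There is no handshake, so a
    reply goes to whatever source address the datagram carried. That is the
    reflection the article describes.
    """
    return HEADER.pack(request_id, 0, 1, 0) + command + b"\r\n"


def parse_udp_datagram(datagram: bytes):
    """Split one response datagram into (request_id, seq, total, payload)."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than memcached UDP header")
    request_id, seq, total, _reserved = HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[HEADER.size:]


def reassemble(datagrams) -> bytes:
    """Order fragments by sequence number and concatenate their payloads."""
    parts = [parse_udp_datagram(d) for d in datagrams]
    parts.sort(key=lambda p: p[1])
    return b"".join(p[3] for p in parts)


def amplification_factor(request: bytes, datagrams) -> float:
    """UDP payload bytes received divided by UDP payload bytes sent."""
    return sum(len(d) for d in datagrams) / len(request)


def is_exposed(request_id: int, datagrams) -> bool:
    """True if any datagram echoes our request id: the host will reflect.

    Mitigation is to start memcached with `-U 0` (disable the UDP listener)
    and/or `-l 127.0.0.1` (bind to loopback), and to filter 11211 at the edge.
    """
    return any(parse_udp_datagram(d)[0] == request_id for d in datagrams)


def probe(host: str, timeout: float = 1.0, port: int = MEMCACHED_UDP_PORT):
    """Send one `stats` frame to a host you are authorized to test and gather
    every datagram that comes back before the timeout. Returns (request,
    datagrams). Needs network access; the sample below is used offline."""
    request = build_udp_request(b"stats", request_id=0x1234)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    datagrams = []
    try:
        sock.sendto(request, (host, port))
        while True:
            data, _addr = sock.recvfrom(65535)
            datagrams.append(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return request, datagrams


# Constructed sample (not a real capture): what an exposed server's `stats`
# reply to the request above looks like when split across two datagrams.
SAMPLE_REQUEST = build_udp_request(b"stats", request_id=0x1234)
SAMPLE_RESPONSE = [
    HEADER.pack(0x1234, 0, 2, 0) + b"STAT pid 1337\r\nSTAT uptime 86400\r\n",
    HEADER.pack(0x1234, 1, 2, 0) + b"STAT limit_maxbytes 67108864\r\nEND\r\n",
]

if __name__ == "__main__":
    print("exposed:", is_exposed(0x1234, SAMPLE_RESPONSE))
    print("amplification: %.1fx" % amplification_factor(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    print(reassemble(SAMPLE_RESPONSE).decode())
```

A real `stats` reply runs to a few hundred bytes, and the ratios the vendors report come from the `get` path, where an attacker first stores large values and then requests them; the factor function above works the same way for either. The 15-byte request in the sample already draws an 85-byte answer from two datagrams with nothing more than a matching request id. Note that memcached 1.5.6 ships with UDP disabled by default, so the `-U 0` check matters most on older packages and on hosts where a distribution config re-enabled it.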