michelangelus - Fotolia

Memcrashed DDoS amplification exploits memcached UDP port

Memcrashed, a devastating new DDoS amplification attack that exploits UDP port 11211, is only possible when memcached servers are exposed to the public internet.

Attacks were detected this week using a simple, but brutally effective, reflection and amplification distributed denial-of-service attack, with volumes as high as 500 Gbps and amplification factors as high as 51,200 observed. This means that for each byte of data sent by the attacker, as much as 51,200 bytes of attack volume is delivered to the victim systems, all of which appears to originate from the victim's service providers.

The attack, dubbed "Memcrashed," exploits the popular memcached utility, which caches data in server memory and is used to minimize the frequency with which databases, APIs or other data objects are accessed. While memcached is useful for speeding up network access to data, it was never intended to be used for internet access, and the protocol includes no security or access control.

Johannes Ullrich, dean of research at SANS Technology Institute, summed up the problem as a matter of people exposing memcached to the internet. "For many other services, I would qualify that statement: 'without access control'. But for memcached there is no access control. This is by design. You are not supposed to expose memcached to the internet, and it says so right in the configuration file," Ullrich wrote in a blog post.

According to Kevin Liston from SANS, the amplification factor for the Memcrashed attack is far higher than the previous record holder, the NTP reflection DDoS attack that used CVE-2013-5211, which had an amplification factor of 556.9. Domain-name-system amplification attacks have an amplification factor between 28 and 54.

Shodan memcached results
Shodan search results for memcached servers listening to port 11211

Memcrashed attacks and mitigation

You are not supposed to expose memcached to the internet, and it says so right in the configuration file.
Johannes Ullrichdean of research at SANS Technology Institute

The Memcrashed attack is simple and requires only that the attacker be able to forge requests to memcached servers, which by default respond to requests directed to UDP port 11211. The memcached protocol allows hosts to send a stats command that returns current traffic statistics. The request uses only 15 bytes, while a memcached server's statistics can be as much as 1 Mb, according to Marek Majkowski, team member at Cloudflare, based in San Francisco.

A search for vulnerable servers on the Shodan service -- hosts running memcached that are open to requests on UDP port 11211, which is the default inbound port for the caching protocol, enabled by default in most implementations -- showed nearly 100,000 devices are still vulnerable to being used for the Memcrashed DDoS exploit days after the exploit was first reported. Even so, it is not difficult to prevent a memcached server from being exploited in this attack; you can do so by turning off access to memcached through UDP, or even by simply removing internet access to memcached servers.

For those experiencing an attack that uses Memcrashed, mitigation is also straightforward.

"Luckily, it isn't too hard to block," Ullrich wrote. "You should see traffic *from* port 11211 if you are hit by this attack. Blocking all traffic from port 11211 should be possible as all modern operating systems tend to use a source port higher than that for client connections. But given the traffic volumes people are seeing, you will likely need help 'upstream' or from an anti-DDoS company."

Dig Deeper on Network security