Threat Management, Network Security, Network Security

Flurry of ultra-amplified attacks point to UDP port emanating from memcached servers

Staying ahead of threats is the raison d'être of any cybersecurity professional. An amplification attack vector that should be on the radar is UDP (User Datagram Protocol) port 11211 emanating an unusual volume of DDoS activity this week involving the memcached protocol, reported security solutions provider Cloudflare.

The firm on its website explains how it was the target of a 196-Gbps SSDP (Simple Service Discovery Protocol) attack with far greater power than usually seen in cybersecurity circles.  

“Obscure amplification attacks happen all the time,” comments Cloudflare team member Marek Majkowski in a Feb. 27 blogpost, adding that the firm often sees “chargen” or “call of duty” packets of hitting its servers at 100Gbps.

What's different about this week's discovery was the greater amplification, with such force being a rare occurrence. “This new memcached UDP DDoS is definitely in this category,” writes Majkowski, who coined this attack as “Memcrashed.”

Amplification attacks, he explains, typically follow a similar pattern: Bad actor forges spoof requests to an exploitable UDP server, which does not realize the malicious ulterior motive. The result: thousands of responses get delivered to an unsuspecting target host, overwhelming its resources, usually the network itself.

Memcached is a free and open-source, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. With a moninker mash-up between memory and cache, memcached facilitates small chunks of arbitrary data (e.g., strings, objects) from results of database calls, API calls, or page rendering.

Majkowski was surprised to learn the system could deliver at “blazing speed” 260 Gbps of inbound memcached traffic.

The ramifications of such a discovery is immense besides UDP being a fundamental Internet protocol that facilitates data, amplified attacks received “absolutely zero checks.” He notes vulnerable memcached servers reside globally, especially major hosting providers in North America and Europe.

To prevent potential amplification attacks, Majkowski urges system administrators to firewall memached servers from the Internet, and developers to stop using UDP, as well as not enable it by default.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.