BF-SIRT Newsletter 2018-09

Memcrashed – Major amplification attacks from UDP port 11211

Over the last couple of days we’ve seen a big increase in an obscure amplification attack vector – using the memcached protocol, coming from UDP port 11211.

The general idea behind all amplification attacks is the same. An IP-spoofing capable attacker sends forged requests to a vulnerable UDP server. The UDP server, not knowing the request is forged, politely prepares the response. The problem happens when thousands of responses are delivered to an unsuspecting target host, overwhelming its resources – most typically the network itself.

  • The discovery of a new amplification vector that allows very large amplification is rare, though. This new memcached UDP DDoS is definitely in this category.
  • In total we’ve seen only 5,729 unique source IPs of memcached servers. We’re expecting to see much larger attacks in the future, as Shodan reports 88,000 open memcached servers.
  • In the GitHub DDoS incident on 28 Feb 2018, GitHub received a peak of 1.35 Tbps via 126.9 million packets per second.
  • Please ensure that your memcached servers are firewalled from the internet!
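
One way to check a host against the advice above, as an added example that is not part of the newsletter: a Python audit of a memcached option file (one option per line, as in Debian's /etc/memcached.conf) that flags a UDP listener left enabled or a non-loopback bind address. The sample files are constructed, and treating a missing `-U` as "UDP enabled" is a conservative assumption made here.

```python
import ipaddress
import shlex

# Constructed sample option files (one memcached option per line, '#' comments).
EXPOSED_CONF = "# constructed sample\n-p 11211\n-u memcache\n-l 0.0.0.0\n"
HARDENED_CONF = "-p 11211\n-u memcache\n-l 127.0.0.1\n-U 0\n"

def parse_options(text):
    """Extract the UDP port (-U) and listen addresses (-l) from an option file."""
    opts = {"udp_port": None, "listen": []}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        flag, _, value = tokens[0].partition("=")   # long form: --udp-port=0
        if not value and len(tokens) > 1:
            value = tokens[1]                       # short form: -U 0
        if flag in ("-U", "--udp-port"):
            opts["udp_port"] = int(value)
        elif flag in ("-l", "--listen"):
            opts["listen"] += [a.strip() for a in value.split(",") if a.strip()]
    return opts

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:          # hostname or host:port form: only trust "localhost"
        return addr == "localhost"

def audit(text):
    """Return a list of findings; an empty list means no exposure was detected."""
    opts = parse_options(text)
    findings = []
    # Assumption: a missing -U is treated as "UDP enabled" to stay conservative.
    if opts["udp_port"] != 0:
        findings.append("UDP listener not disabled (set -U 0)")
    # With no -l option memcached binds to all interfaces.
    public = [a for a in (opts["listen"] or ["0.0.0.0"]) if not is_loopback(a)]
    if public:
        findings.append("listens on non-loopback address: " + ", ".join(public))
    return findings

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "ok")
```

A clean result here complements the firewall rule for port 11211 and does not replace it.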

Top 5 Security links