There’s a new DDOS attack in town and it’s a doozy. This amplification attack takes advantage of unsecured (misconfigured) Memcached servers and the return-on-investment is staggering. Sending a forged request to a susceptible Memcached server on port 11211 will trigger a response to the intended target that has been amplified by a factor of 51,000. The result is the largest sustained denial of service attacks in history. GitHub successfully withstood a 1.3 Terabit-per-second attack and several days later an unnamed company in the United States was buffeted by a 1.7 Tbps attack.
According to Wikipedia, “Memcached is a general-purpose distributed memory caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source must be read.” The Memcached software is free and open-sourced and runs on Linux, OS X, and Windows, with wide spread adoption over the last decade.
Usually, these types of servers are used internally, disconnected from the public internet and only accessible within a trusted network to improve performance. But it appears a lot of people have been leaving Memcached servers exposed to the open internet where they can be discovered and exploited by just about anyone.
Indeed, tools have already started cropping up enabling the ‘script-kiddies’ to also take advantage without understanding the underlying technology. One such tool, written in C, comes complete with a pre-complied list of 17,000+ vulnerable Memcached servers. Another, written in Python, leverages Shodan to search for and obtain a fresh list of vulnerable servers. Both tools automate the sending of spoofed UDP packets.
The original version of Memcached, created by Brad Fitzpatrick, did not support the UDP protocol. That functionality was added in 2008 by Facebook. The change was made without providing for mean to authenticate as developers falsely assumed that these servers would only run inside trusted networks. Later versions of the software eventually added authentication support for TCP but again left UDP out of the loop. That was, of course, until terabit-level denial of service attacks broadsided several sites last week. The open-source project was quickly updated to lock down the UDP port by default.
Similar to herd immunity, sites will not be safe from this attack until enough Memcached servers are patched or otherwise secured. A process that many experts predict will take quite some time.