Akamai has reported the biggest volumetric distributed denial-of-service (DDoS) attack yet, measuring 1.3Tbps. It used UDP reflection/amplification, leveraging misconfigured memcached servers, of which there are some 50,000 in existence. Akamai and Arbor have recently detected significant increases in memcached-based attacks, suggesting that more volumetric attacks may be on the way.
Memcached opens the way for monster attack volumes
Annual reports from both Akamai and Arbor on the way the DDoS landscape is evolving have pointed to a growth in volumetric attacks, but these are still only one of a range of approaches by threat actors, with others, such as application-layer attacks, deliberately seeking to remain under the radar, using much lower bandwidths as a result.
What the recent memcached attacks demonstrate, however, is that the perpetrators have found a convenient way to launch the kind of monster attacks that swap an enterprise’s defenses and usually require external assistance to withstand.
Memcached is a distributed memory caching system that is used to speed up database-driven websites by caching data in RAM to reduce reads of external sources. The protocol allows the server to be queried for information about key value stores and is only intended to be used on systems that are not exposed to the internet. It requires no authentication, and because the IP addresses of UDP traffic can easily be spoofed any time memcached is erroneously exposed to the internet, it is an excellent reflector for anyone mounting a DDoS attack.
Although not meant to be internet-facing, Akamai estimates that there are about 50,000 servers that use the insecure default configuration, making them vulnerable for use in DDoS attacks. Memcached uses UDP port 11211 as default, so an immediate mitigation action on the part of service providers is to rate-limit and/or filter all traffic on that port.
Rik Turner, Principal Analyst, Infrastructure Solutions