
Ovum View

Summary

Akamai has reported the biggest volumetric distributed denial-of-service (DDoS) attack yet, measuring 1.3Tbps. It used UDP reflection/amplification, leveraging misconfigured memcached servers, of which there are some 50,000 in existence. Akamai and Arbor have recently detected significant increases in memcached-based attacks, suggesting that more volumetric attacks may be on the way.

Memcached opens the way for monster attack volumes

Annual reports from both Akamai and Arbor on how the DDoS landscape is evolving have pointed to a growth in volumetric attacks, but these are still only one of a range of approaches used by threat actors. Others, such as application-layer attacks, deliberately seek to remain under the radar and use much lower bandwidths as a result.

What the recent memcached attacks demonstrate, however, is that the perpetrators have found a convenient way to launch the kind of monster attacks that swamp an enterprise’s defenses and usually require external assistance to withstand.

Memcached is a distributed memory caching system that is used to speed up database-driven websites by caching data in RAM to reduce reads of external sources. The protocol allows the server to be queried for information about key-value stores and is only intended to be used on systems that are not exposed to the internet. It requires no authentication, and because the source IP addresses of UDP traffic can easily be spoofed, any memcached server that is erroneously exposed to the internet is an excellent reflector for anyone mounting a DDoS attack.

Although memcached is not meant to be internet-facing, Akamai estimates that there are about 50,000 servers that use the insecure default configuration, leaving them open to abuse in DDoS attacks. Memcached uses UDP port 11211 by default, so an immediate mitigation action on the part of service providers is to rate-limit and/or filter all traffic on that port.
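For operators who want to check their own hosts for the exposure described above, the following is an added example (not code from Akamai, Arbor or Ovum) that audits a memcached command line or options file line. It assumes memcached's `-U`/`--udp-port` and `-l`/`--listen` options, and that an absent `-U` means UDP on 11211 and an absent `-l` means every interface; the sample command lines are constructed.

```python
import ipaddress
import shlex

DEFAULT_UDP_PORT = 11211  # default UDP port named in the article


def _is_loopback(addr):
    """True for a loopback IP literal or the name 'localhost'."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return False  # other hostnames: assume reachable from outside


def audit_memcached_args(cmdline):
    """Return (udp_port, listen_addrs, exposed) for one memcached command line.

    Assumption: no -U means UDP on 11211 and no -l means every interface,
    i.e. the insecure default configuration the article refers to.
    """
    udp_port, listen = DEFAULT_UDP_PORT, []
    tokens = shlex.split(cmdline, comments=True)
    i = 0
    while i < len(tokens):
        tok, value = tokens[i], None
        if tok in ("-U", "-l") and i + 1 < len(tokens):
            i, value = i + 1, tokens[i + 1]
        elif tok.startswith(("--udp-port=", "--listen=")):
            opt, value = tok.split("=", 1)
            tok = "-U" if opt == "--udp-port" else "-l"
        if value is not None and tok == "-U":
            udp_port = int(value)
        elif value is not None:
            listen.extend(a for a in value.split(",") if a)
        i += 1
    # Exposed = UDP listener on, and not restricted to loopback addresses.
    loopback_only = bool(listen) and all(_is_loopback(a) for a in listen)
    return udp_port, listen, udp_port != 0 and not loopback_only


if __name__ == "__main__":
    for line in ("memcached -m 64 -u memcache",          # constructed samples
                 "memcached -l 127.0.0.1 -U 0"):
        print(line, "->", audit_memcached_args(line))
```

A host reported as exposed is a candidate for the port 11211 filtering or rate-limiting mentioned above until its configuration is changed.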

Appendix

Author

Rik Turner, Principal Analyst, Infrastructure Solutions

rik.turner@ovum.com
