Memcrashed: the cause of the world’s largest DDoS attacks

A new DDoS attack vector has been found in the caching platform Memcached, dubbed “Memcrashed”. Through it, traffic can be amplified over 51 000 times, which has led to the world’s currently strongest DDoS attack at 1.7 Tbps. Proof-of-concept code, together with a list of vulnerable servers, was recently released, meaning the attack will be accessible to anyone. To protect your own Memcached servers from being used in an attack, keep them reachable only locally or use the recently found “kill switch” described below.


Insecure Memcached platform leading to DDoS attacks

A new attack vector for amplification attacks was recently discovered in the caching platform Memcached. The platform is commonly used by social networks to store and quickly retrieve small data objects, and regular web pages also use it to store user sessions. Essentially, it is designed to handle a large number of open connections in order to speed up a page.

However, a common issue with Memcached deployments is that the servers are left open to the internet. As the servers have no authentication, an attacker can send requests and reconfigure them freely. Another issue lies within the Memcached platform itself: a small request yields a much larger response, an amplification of traffic.

Massive data amplification leading to record-breaking attacks

Data amplification leads to amplification attacks, which Memcached is no stranger to. In theory, sending a 15 B request would trigger a 134 KB response. In practice, however, a 15 B request resulted in a 750 KB response, meaning an amplification of 10000 and 51200 times respectively. All it takes is an attacker spoofing the source IP to direct the responses wherever they wish. Furthermore, as the responses are sent over UDP, they are received in a continuous flow, making them hit even harder.

Memcached comes equipped with a 1 MB limit on response size. But with no authentication, an attacker can simply raise this setting. As if that weren’t bad enough, several responses can be generated from one request. These factors, together with several hacked Memcached servers working in unison, led to the attacks holding the two latest DDoS records: the attack against GitHub reaching 1.3 Tbps and the newest record-holder, measured by Arbor Networks, reaching 1.7 Tbps.
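The traffic pattern described above (large UDP responses from source port 11211 converging on one destination, many reflectors acting in unison) is visible in ordinary flow records. The following is an added example, not code from the article, that runs the check over a few constructed NetFlow-style CSV records and reports three roles a network can play: victim (inbound UDP from port 11211 at high volume from several sources), reflector (one of your own Memcached hosts sending large UDP responses to an outside address), and exposed (an outside host querying your UDP port 11211 at all). The CSV layout, the local prefixes and the thresholds are assumptions for the example and should be tuned to the network's baseline.

```python
"""Detect Memcached (UDP/11211) reflection traffic in flow records.

Added example, not from the original article. The flow records below are
constructed for illustration, in an assumed NetFlow-like CSV layout:
src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
"""
import csv
import io
import ipaddress
from collections import defaultdict

MEMCACHED_PORT = 11211
# Thresholds are assumptions for this example; tune them to the network's baseline.
VICTIM_MIN_BYTES = 1_000_000      # inbound UDP from port 11211 to one destination
VICTIM_MIN_SOURCES = 3            # distinct reflectors hitting that destination
REFLECTOR_MIN_BYTES = 500_000     # outbound UDP from our port 11211 to one target

# Constructed sample: 198.51.100.5 is being hit by three reflectors,
# 192.0.2.8 is one of our hosts answering an outside 15-byte query with 750 KB.
SAMPLE_FLOWS = """src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
203.0.113.10,11211,198.51.100.5,443,udp,1400000,1000
203.0.113.11,11211,198.51.100.5,443,udp,1300000,950
203.0.113.12,11211,198.51.100.5,443,udp,1250000,900
203.0.113.13,11211,198.51.100.7,80,udp,2000,2
192.0.2.8,11211,198.51.100.9,53,udp,900000,650
198.51.100.20,44123,192.0.2.8,11211,udp,15,1
192.0.2.8,11211,198.51.100.20,44123,udp,750000,520
10.0.0.5,11211,10.0.0.9,3306,tcp,5000,40
"""


def analyze(csv_text, local_networks):
    """Aggregate UDP flows touching port 11211 and classify them by role."""
    local = [ipaddress.ip_network(n) for n in local_networks]

    def is_local(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in local)

    victim_bytes = defaultdict(int)       # dst_ip -> bytes received from port 11211
    victim_sources = defaultdict(set)     # dst_ip -> reflector addresses seen
    reflector_bytes = defaultdict(int)    # (our host, outside target) -> bytes sent
    exposed = set()                       # our hosts queried on UDP/11211 from outside

    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["proto"].lower() != "udp":
            continue  # Memcrashed is a UDP phenomenon; TCP flows are ignored
        src, dst = row["src_ip"], row["dst_ip"]
        sport, dport = int(row["src_port"]), int(row["dst_port"])
        nbytes = int(row["bytes"])
        if sport == MEMCACHED_PORT:
            victim_bytes[dst] += nbytes
            victim_sources[dst].add(src)
            if is_local(src) and not is_local(dst):
                reflector_bytes[(src, dst)] += nbytes
        elif dport == MEMCACHED_PORT and is_local(dst) and not is_local(src):
            exposed.add(dst)

    victims = {
        ip: victim_bytes[ip]
        for ip in victim_bytes
        if victim_bytes[ip] >= VICTIM_MIN_BYTES
        and len(victim_sources[ip]) >= VICTIM_MIN_SOURCES
    }
    reflectors = {k: v for k, v in reflector_bytes.items() if v >= REFLECTOR_MIN_BYTES}
    return {"victims": victims, "reflectors": reflectors, "exposed": sorted(exposed)}


def report(findings):
    """Render the findings as one line per role, suitable for an alert body."""
    lines = []
    for ip, nbytes in sorted(findings["victims"].items()):
        lines.append(f"VICTIM    {ip} received {nbytes} bytes from UDP/11211 reflectors")
    for (src, dst), nbytes in sorted(findings["reflectors"].items()):
        lines.append(f"REFLECTOR {src} sent {nbytes} bytes from UDP/11211 to {dst}")
    for ip in findings["exposed"]:
        lines.append(f"EXPOSED   {ip} accepts UDP/11211 queries from outside")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_FLOWS, ["192.0.2.0/24", "10.0.0.0/8"])))
```

The reflector and exposed signals are the ones worth alerting on in your own network, since they mean one of your servers is the amplifier; the victim signal mostly matters to whoever carries the traffic upstream, where it can be filtered on source port 11211.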

Proof-of-concept and server list making Memcrashed accessible

While attacks performed through Memcrashed have been powerful, they have been few. At the time of writing, this will most definitely change: two separate proof-of-concept codes have been released to the public, allowing nearly anyone to launch incredibly strong DDoS attacks themselves. As a “bonus”, a pre-compiled list of vulnerable Memcached servers is included with one of them.

Prevention and kill switch

Network administrators are urged to deploy their Memcached servers locally only, to prevent them from being used in attacks. Disabling UDP also drastically reduces the attack’s effectiveness. A kill switch was recently discovered by Corero Network Security, which could stop an ongoing attack entirely: a loop of the command “shutdown\r\n” or “flush_all\r\n” sent to an attacking server halts any further amplification.
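The two hardening steps above (bind to a local address, disable UDP) map to the `-l` and `-U` options of memcached. Below is an added example, not from the article or the memcached project, that audits both the Debian-style `/etc/memcached.conf` (one option per line) and the UDP listener table as printed by `ss -lun`, so the configuration and the running state can be checked against each other. Both input samples are constructed; the `udp_default` parameter encodes the assumption that, when `-U` is absent, older memcached builds opened a UDP listener on the same port number as TCP, whereas memcached 1.5.6 and later default it to 0 (disabled).

```python
"""Audit a memcached deployment for local-only binding and a disabled UDP listener.

Added example, not code from the article or the memcached project. Inputs are
a Debian-style /etc/memcached.conf (one option per line) and the output of
`ss -lun`; both samples below are constructed.
"""
import ipaddress
import shlex

MEMCACHED_PORT = 11211

SAMPLE_CONF_BAD = """# constructed memcached.conf: listens everywhere, UDP left at the old default
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

SAMPLE_CONF_GOOD = """# constructed hardened memcached.conf
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-U 0
"""

SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:11211     0.0.0.0:*
UNCONN 0      0      127.0.0.1:323     0.0.0.0:*
"""


def parse_conf(text):
    """Return {option: value} for a one-option-per-line config; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        opts[parts[0]] = parts[1] if len(parts) > 1 else None
    return opts


def audit_conf(text, udp_default=MEMCACHED_PORT):
    """List findings for the two Memcrashed-relevant settings; empty list means pass.

    udp_default is what the build uses when -U is absent (assumed 11211 for
    pre-1.5.6 builds; pass 0 for 1.5.6 and later). -l values are assumed to
    be bare addresses, optionally comma-separated.
    """
    opts = parse_conf(text)
    findings = []
    bind = opts.get("-l")
    if bind is None:
        findings.append("no -l option: memcached listens on all interfaces")
    else:
        for addr in bind.split(","):
            addr = addr.strip()
            if not ipaddress.ip_address(addr).is_loopback:
                findings.append(f"listens on non-local address {addr}")
    udp_port = int(opts["-U"]) if opts.get("-U") is not None else udp_default
    if udp_port != 0:
        findings.append(f"UDP listener enabled on port {udp_port}")
    return findings


def audit_listeners(ss_text, port=MEMCACHED_PORT):
    """Flag UDP sockets on the memcached port bound to anything but loopback."""
    findings = []
    for line in ss_text.splitlines()[1:]:          # skip the ss header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local = fields[3]                           # e.g. 0.0.0.0:11211 or [::]:11211
        addr, _, lport = local.rpartition(":")
        if lport != str(port):
            continue
        addr = addr.strip("[]")
        if addr in ("*", "") or not ipaddress.ip_address(addr).is_loopback:
            findings.append(f"UDP socket bound on {local} is reachable from other hosts")
    return findings


if __name__ == "__main__":
    for name, conf in (("bad", SAMPLE_CONF_BAD), ("good", SAMPLE_CONF_GOOD)):
        print(f"config {name}: {audit_conf(conf) or ['ok']}")
    print(f"listeners: {audit_listeners(SAMPLE_SS_OUTPUT) or ['ok']}")
```

Run the listener audit on the live host after restarting the service; a config that passes but a socket that still shows `0.0.0.0:11211` means the running daemon was started with different options than the file you edited. A firewall rule dropping inbound UDP/11211 from outside is a sensible second layer in case the service is ever restarted with the old options.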