The discovery of a new vector that allowed great amplification has been in the middle of a new DDoS technique that allowed attackers to reach 1.7 Tbps of network traffic at the beginning of this month as reported by Arbor Networks thus setting a new record for largest denial of service attack less than a week after it was set at 1.35 Tbps as reported by GitHub on the 28th of February.
This vector has been made available because of the abusable nature of UDP communications and the carelessness of system administrators who allowed global access to their memcached instances.
By spoofing your IP address as your target and sending packets to a publicly accessible memcached server, you may gain a factor of 51 200 of amplification on your network load to your target address as reported by Cloudflare.
Launching such an attack is easy. First the attacker implants a large payload on an exposed memcached server. Then, the attacker spoofs the “get” request message with target Source IP.
– Quoted from the Cloudflare blog
The idea behind this attack is the same as many previous attacks implicating UDP. As long as protocols will reply with a larger payload than what it requires to trigger the response, anyone will be able to abuse it simply because UDP does absolutely no verification against such attacks by itself.
Please please please: Stop using UDP. If you must, please don’t enable it by default. If you do not know what an amplification attack is I hereby forbid you from ever typing
SOCK_DGRAMinto your editor.
– As pleaded in the Cloudflare blog
It is minimally necessary to protect those protocols with a handshake process in order to identify bad traffic, or to, at least, implement authentication directly in the protocol.
What to do
If you do not use the UDP protocol on your memcached instances, disable it NOW. If you have to use it, then make sure that it’s only listening on a local network without any kind of port forwarding to this server or, at least, secure it through a VPC or a VPN so that only trusted sources can send packets to the server.
If you do not know what an amplification attack is, please stop using UDP in your software. Make sure that you fully understand how amplification attacks work before allowing yourself to use UDP.
The good parts
With the incredible work of many people and many companies working on various architectures in order find solutions against large-scale DDoS attacks, we are at a point where those attacks do not affect the functionality of large websites. Practically no service outage was reported.
Many companies including Digital Ocean, OVH, Linode and Amazon tackled the Memcached problem on their networks and they should not be a vector in future attacks.
Sources and additional resources
- February 28th DDoS Incident Report (githubengineering.com)
- NETSCOUT Arbor Confirms 1.7 Tbps DDoS Attack; The Terabit Attack Era Is Upon Us (arbornetworks.com)
- Memcrashed – Major amplification attacks from UDP port 11211 (blog.cloudflare.com)
- The real cause of large DDoS – IP Spoofing (blog.cloudflare.com)
- The Flip Side of memcrashed (blog.rapid7.com)
- Memcrashed DDos Exploit Tool (github.com)