Yesterday we saw a new distributed denial of service (DDoS) amplification attack vector using UDP port 11211. Most amplification attacks are effective, but with this technique the attacker generates a high volume of packets to overwhelm the target.
Memcached (usually pronounced mem-cash-dee) is an open-source caching system that stores objects in memory and works with a large number of open connections. It is used on thousands of websites, including most of the popular social media sites, Reddit and GitHub. Using Memcached allows these sites to increase their performance by storing frequently accessed content in RAM. It runs on TCP or UDP port 11211.
The Memcrashed attack abused unprotected Memcached servers and delivered the largest DDoS amplification method used thus far. Because it used UDP, it was able to attack without the need for checks or authentication.
Memcrashed showed effects across the country. Some MOREnet members were affected as well. Mitigation techniques were put into place very quickly and operations returned to normal.
‘The attack size potentially created by Memcached reflection cannot be easily defended against by Internet Service Providers (ISPs), as long as IP spoofing is permissible on the internet.’ – The Hacker News
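For defenders, the traffic pattern described above (UDP responses from source port 11211 converging on one destination) can be picked out of flow records. The following Python code is an added example, not part of the original article; the record format, the thresholds and the sample flows are constructed assumptions.

```python
from collections import defaultdict

MEMCACHED_PORT = 11211   # UDP port named in the article
MIN_REFLECTORS = 3       # assumed threshold: distinct reflectors per target
MIN_BYTES = 100_000      # assumed threshold: bytes per target in the window

# Constructed sample records: proto src_ip src_port dst_ip dst_port bytes
SAMPLE_FLOWS = """\
udp 198.51.100.10 11211 192.0.2.50 40312 140000
udp 198.51.100.11 11211 192.0.2.50 40312 138500
udp 198.51.100.12 11211 192.0.2.50 51877 141200
udp 203.0.113.7 53 192.0.2.50 33012 512
tcp 198.51.100.10 11211 192.0.2.60 49000 900000
udp 198.51.100.13 11211 192.0.2.61 40000 1400
udp 192.0.2.61 40000 198.51.100.13 11211 60
this line is malformed
"""

def parse_flows(text):
    """Yield a dict per well-formed record; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        proto, src, sport, dst, dport, nbytes = parts
        try:
            yield {"proto": proto.lower(), "src": src, "sport": int(sport),
                   "dst": dst, "dport": int(dport), "bytes": int(nbytes)}
        except ValueError:
            continue  # non-numeric port or byte count

def find_reflection_targets(flows, min_reflectors=MIN_REFLECTORS,
                            min_bytes=MIN_BYTES):
    """Return {dst_ip: (reflector_count, total_bytes)} for likely targets."""
    sources, volume = defaultdict(set), defaultdict(int)
    for f in flows:
        # Reflected replies arrive over UDP *from* port 11211.
        if f["proto"] == "udp" and f["sport"] == MEMCACHED_PORT:
            sources[f["dst"]].add(f["src"])
            volume[f["dst"]] += f["bytes"]
    return {dst: (len(srcs), volume[dst]) for dst, srcs in sources.items()
            if len(srcs) >= min_reflectors and volume[dst] >= min_bytes}

if __name__ == "__main__":
    for dst, (n, total) in find_reflection_targets(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{dst}: {n} reflectors, {total} bytes from UDP/{MEMCACHED_PORT}")
```

Requiring several distinct sources keeps a single legitimate Memcached reply (the 192.0.2.61 record) from raising an alert, and TCP traffic on port 11211 is ignored.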