What is a DDoS amplification attack?
These attacks usually use UDP. UDP is a simple connectionless protocol with a minimum of protocol mechanism: there is no handshake, no acknowledgement and no flow control, so one side can send as much data as it likes to the other, and the sender never learns whether the other side received it.
Attackers abuse this to build DDoS amplification attacks. The attacker sends a small UDP request to a public service with the source IP address spoofed to the victim's address.
Because UDP has no handshake, the service has no way to verify who really sent the request, so it sends its reply to the victim's address. The larger the response the abused service returns relative to the request, the larger the amplification factor: the bandwidth amplification factor is simply response bytes divided by request bytes.
In the past few years attackers have abused many open DNS resolvers and NTP servers in this way to generate massive DDoS attacks against popular websites and services.
DDoS amplification attack with Memcached
Over the last couple of days we have seen a significant number of DDoS attacks against our network using a new amplification vector: the UDP protocol support in Memcached, one of the most widely used in-memory key-value stores.
By default Memcached listens on port 11211 over both TCP and UDP. To understand the attack we reviewed the server's source code on GitHub. The UDP code defines a fixed maximum datagram payload of 1400 bytes (UDP_MAX_PAYLOAD_SIZE in memcached.h), and every UDP datagram the server sends starts with an 8-byte frame header carrying a request ID, a sequence number and the total number of datagrams in the reply, so a reply larger than one datagram is simply split across several.
A basic UDP request to Memcached, for example the 8-byte frame header followed by `stats\r\n`, is 15 bytes, and the server can answer with a full 1400-byte datagram. That alone is an amplification factor of more than 93x. It is a lower bound: the reply to a `get` for a large cached value spans many datagrams, so for a large item the attacker stored beforehand the factor is far higher. Even at 93x, an attacker with a single 1 Gbps uplink and enough vulnerable servers to spread the spoofed requests over can generate more than 90 Gbps of attack traffic.
Our research shows multiple open Memcached servers around the world with UDP support enabled by default.
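The frame format and the arithmetic above, as an added Python example (this is not code from the original post or from the Memcached project). It builds the 15-byte `stats` probe, models how the server splits a reply into datagrams, reassembles them from the sequence numbers, and computes the bandwidth amplification factor. The split model is an assumption for illustration: one datagram is taken to be at most 1400 bytes including the 8-byte header, which is within a few bytes of what the server actually does. The 1 MB item and the key `k` are constructed inputs; nothing is sent on the network.

```python
from __future__ import annotations
import struct

# Memcached UDP frame header, 8 bytes big-endian (from the project's protocol.txt):
# request ID, sequence number, total datagrams in this message, reserved (0).
UDP_HEADER = struct.Struct("!HHHH")
UDP_HEADER_SIZE = UDP_HEADER.size            # 8
DATAGRAM_MAX = 1400                           # assumption: header + body per datagram, matching the server's 1400-byte limit
BODY_MAX = DATAGRAM_MAX - UDP_HEADER_SIZE     # 1392 bytes of ASCII-protocol data per datagram


def build_request(command: bytes, request_id: int = 1) -> bytes:
    """Wrap one ASCII-protocol command line in a single-datagram Memcached UDP frame."""
    return UDP_HEADER.pack(request_id, 0, 1, 0) + command + b"\r\n"


def split_response(body: bytes, request_id: int) -> list[bytes]:
    """Model of the server side: cut the reply into BODY_MAX chunks, each with a header
    carrying the same request ID, its sequence number and the total datagram count."""
    chunks = [body[i:i + BODY_MAX] for i in range(0, len(body), BODY_MAX)] or [b""]
    total = len(chunks)
    return [UDP_HEADER.pack(request_id, seq, total, 0) + chunk for seq, chunk in enumerate(chunks)]


def parse_datagram(datagram: bytes) -> tuple[int, int, int, bytes]:
    """Split one datagram into (request_id, seq, total, body)."""
    req_id, seq, total, _reserved = UDP_HEADER.unpack_from(datagram)
    return req_id, seq, total, datagram[UDP_HEADER_SIZE:]


def reassemble(datagrams: list[bytes]) -> bytes:
    """Reorder by sequence number and join; datagrams may arrive out of order."""
    parts = [parse_datagram(d) for d in datagrams]
    req_id, _, total, _ = parts[0]
    if any(p[0] != req_id or p[2] != total for p in parts) or len(parts) != total:
        raise ValueError("incomplete or mixed response")
    return b"".join(body for _, _, _, body in sorted(parts, key=lambda p: p[1]))


def ascii_get_response(key: bytes, value: bytes) -> bytes:
    """ASCII-protocol reply to 'get <key>' for a single hit."""
    return b"VALUE " + key + b" 0 " + str(len(value)).encode() + b"\r\n" + value + b"\r\nEND\r\n"


def amplification_factor(request: bytes, response_datagrams: list[bytes]) -> float:
    """Bandwidth amplification factor: bytes delivered to the victim per byte the attacker sent."""
    return sum(len(d) for d in response_datagrams) / len(request)


if __name__ == "__main__":
    # The page's number: a 15-byte 'stats' probe answered by one full 1400-byte datagram.
    stats_probe = build_request(b"stats")
    print(len(stats_probe), round(amplification_factor(stats_probe, [bytes(DATAGRAM_MAX)]), 1))
    # The worse case: a 1 MB item (constructed) fetched with a 15-byte 'get k' probe.
    big = ascii_get_response(b"k", b"A" * 1_000_000)
    dgs = split_response(big, request_id=7)
    print(len(dgs), round(amplification_factor(build_request(b"get k"), dgs)))
    assert reassemble(dgs[::-1]) == big
```

The second computation is why the 93x figure understates the risk: the request size is the same 15 bytes whether the key holds a few bytes or a megabyte, and the reply grows with the item.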
How to protect from Memcached DDoS amplification attacks?
Our Anycast Network is protected from such attacks, and we have already mitigated more than 20 attacks like this in the last five days.
With enough network capacity we can easily filter the attack, because every attack packet is a Memcached response coming from UDP source port 11211. We can say for sure that all our customers are protected and safe.
The average size of the attacks we filtered was between 50 Gbps and 80 Gbps. We expect that figure to grow over the next two weeks and then drop significantly as system administrators fix the vulnerable servers.
How to protect a Memcached server?
The system administrators of Memcached servers can protect them in one of the following ways:
- Configure the server to listen only on 127.0.0.1 (localhost) with the option -l 127.0.0.1. Do this if the Memcached server is used only locally and there are no external connections to it.
- Disable UDP support with the option -U 0 if you are not using it. Memcached 1.5.6, released on February 27, 2018, ships with UDP disabled by default; older versions enable it.
- If you need both external connections and UDP support, firewall UDP port 11211 so that the server is reachable only from the IP addresses that need it.
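As an added example (not code from the original post or from the Memcached project), the following Python applies the three rules above to a Memcached command line or to a Debian-style /etc/memcached.conf (one option per line, `#` comments) and reports whether the UDP listener is reachable from outside. The two sample config texts are constructed for this example, and the default UDP port of 11211 assumes a version before 1.5.6, which changed the default to -U 0.

```python
from __future__ import annotations
import shlex

UDP_DEFAULT_PORT = 11211   # assumption: pre-1.5.6 default; Memcached 1.5.6+ defaults to -U 0
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_memcached_conf(text: str) -> list[str]:
    """Turn a Debian-style /etc/memcached.conf (one option per line, '#' comments)
    into the argument list the init script passes to memcached."""
    argv: list[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            argv.extend(shlex.split(line))
    return argv


def _option_value(argv: list[str], i: int, short: str, long: str) -> tuple[str | None, int]:
    """If argv[i] carries option short/long, return its value and how many extra
    argv entries it used (1 for '-l ADDR', 0 for '-lADDR' or '--listen=ADDR')."""
    arg = argv[i]
    if arg in (short, long):
        return argv[i + 1], 1
    if arg.startswith(long + "="):
        return arg[len(long) + 1:], 0
    if arg.startswith(short) and not arg.startswith("--") and len(arg) > len(short):
        return arg[len(short):], 0
    return None, 0


def parse_options(argv: list[str]) -> tuple[list[str], int]:
    """Extract the listen addresses (-l/--listen, comma separated, optional :port)
    and the UDP port (-U/--udp-port); every other option is ignored."""
    listen: list[str] = []
    udp_port = UDP_DEFAULT_PORT
    i = 0
    while i < len(argv):
        val, used = _option_value(argv, i, "-l", "--listen")
        if val is not None:
            for addr in val.split(","):
                addr = addr.strip()
                if addr.startswith("["):            # '[v6addr]:port' form
                    addr = addr[1:addr.index("]")]
                elif addr.count(":") == 1:          # IPv4 'addr:port' form
                    addr = addr.split(":", 1)[0]
                listen.append(addr)
        else:
            val, used = _option_value(argv, i, "-U", "--udp-port")
            if val is not None:
                udp_port = int(val)
        i += 1 + used
    return listen or ["0.0.0.0"], udp_port        # no -l means every interface


def assess(argv: list[str]) -> dict:
    """Decide whether the UDP listener is reachable from outside the host."""
    listen, udp_port = parse_options(argv)
    udp_enabled = udp_port != 0
    local_only = all(addr in LOOPBACK for addr in listen)
    if not udp_enabled:
        verdict = "ok: UDP disabled (-U 0)"
    elif local_only:
        verdict = "ok: UDP bound to loopback only"
    else:
        verdict = (f"EXPOSED: UDP port {udp_port} bound on {','.join(listen)}; "
                   "disable UDP with -U 0 or firewall the port to the clients that need it")
    return {"listen": listen, "udp_port": udp_port,
            "exposed": udp_enabled and not local_only, "verdict": verdict}


# Constructed sample configs, not taken from any real system.
DEFAULT_CONF = """# typical defaults: no -l and no -U, so UDP 11211 is open on every interface
-m 64
-p 11211
-u memcache
"""
HARDENED_CONF = """-m 64
-p 11211
-u memcache
-l 127.0.0.1   # local clients only
-U 0           # no UDP at all
"""

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(name, assess(parse_memcached_conf(conf))["verdict"])
```

The check reads only the configured options; it does not replace confirming what is actually bound on the host (for example with `ss -ulnp`) and probing UDP port 11211 from outside the firewall.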
[UPDATE Mar 1, 2018] According to GitHub's February 28th DDoS Incident Report, the largest open source code hosting service was taken down by a Memcached DDoS amplification attack. The reported attack peaked at 1.35 Tbps.
Have a question? Ask us in the comments.