A long time ago in a git repository far-far away, a commit made by Brian Aker introduced a brilliant feature of the default listening to UDP traffic in memcached.
Days in between February 23, 2018, and the Monday of February 26, 2018, were marked by multiple memcached-amplification DDoS attacks across entire Europe.
The issue with memcached insecurity seemed to well known from at least 2014 when Wallarm CEO Ivan Novikov presented his talk on “Memcached injections” at BlackHat U.S.
Though injections can allow an intruder to provoke different consequences, what we saw last night was an amplification assault on many resources across the web, including those biggest of Russia, with the source port 11211, recognized as the memcached-based amplification attack. This specific possibility of enabling high-value DDoS attacks was disclosed in 2017 by Chinese group of researchers from the cybersecurity 0Kee Team.
Various sources confirmed being attacked with mostly memcached traffic, with a little of NTP and DNS, from open and amplificating servers hosted at OVH and lost of smaller ISPs and hosting providers.
We told lots of times that such open ports are the potential disaster and as the researchers told us, and the last weekend demonstrated, such attacks could reach superb volume. One of Qrator Labs’ customers, QIWI payment system, confirms mitigating an attack up to 480 Gbps UDP traffic in peaks from memcached amplificators.
By default, memcached listens even to the UDP traffic on port 11211 even in the latest version of the installation. Ubuntu 16.04 with default settings launches memcached on localhost only, unlike the CentOS 7.4, which default memcached configuration listens to the UDP requests on all interfaces.
Memcacheds available for such amplification are in plenty across the web. In case of correct installation, this does not happen, though proper installation cases are always rare. Technicians install and forget about default settings on their resources, memcached starts listening to the UDP traffic being sent to the server and responses with, on current average, 9000–10000x amplificated traffic.
Mitigation of such an attack could be done in several ways, but the most simple is just firewalling udp on source port 11211 (it is possible but highly unlikely at the moment there would be any legitimate traffic coming from that port), or rate-limiting it. Of course, this implies that the last mile of bandwidth before your firewall is powerful enough. For a larger internet service provider, two options can also be viable: 1. Flowspec based filtration or 2. Extended community.
Take care of your memcached.