Memcached under the Microscope: Unpacking the Reflective DDOS Attack Technique
In recent times, a surge in services using Memcached has led to a rise in reflected UDP-based amplification attacks. Attackers abuse exposed Memcached services to amplify their malicious traffic, overwhelming the victim’s IP address with a flood of responses it never asked for. This paper delves into the details of the reflective DDoS attack technique and its implications for Memcached users.
Background
Memcached is a high-performance distributed memory object caching system designed to reduce database load for dynamic Web applications. By caching database query results, Memcached improves the speed and scalability of dynamic Web applications. However, its design, an unauthenticated service that will also answer over UDP, makes it usable as a reflector in a specific type of attack.
The Reflective DDOS Attack
A Distributed Denial of Service (DDoS) attack occurs when multiple computers collaborate to overwhelm a target with traffic. In the case of Memcached, attackers exploit the fact that UDP has no handshake and no mutual authentication, so a server cannot tell whether the source address on a request is genuine. By sending a large number of small UDP requests to exposed Memcached servers with the source address forged to the victim’s IP, attackers cause each server to produce a much larger response, which is delivered to the victim rather than to the attacker. The combined responses from many servers form the distributed denial of service attack.
How the Attack Works
To carry out a reflective DDoS attack on Memcached, an attacker must meet three basic conditions:
- Faking IP: The attacker must be able to forge the source IP address of outgoing packets, so that a large volume of requests appears to come from the victim.
- Reflection Server: There must be a reachable server running a service whose replies can easily be made larger than the requests, typically a poorly designed UDP service that answers without validating the sender.
- Server Response: The server’s response packet should be much larger than the request that triggered it, so that the reflected traffic is amplified and the DDoS attack volume is maximized.
Memcached and the Attack
Memcached supports UDP and is often deployed as a component of enterprise applications on hosts with high upload bandwidth. Additionally, Memcached accepts requests without any authentication, which makes it an ideal reflector for reflective DDoS attacks.
Attack Process
The attack process involves the following steps:
- Port Scanning and Service Fingerprinting: The attacker locates unauthenticated Memcached instances using port scanning and service fingerprinting.
- Filtering for UDP Memcached: The attacker filters the results for instances that answer over UDP and so obtains a list of Memcached host IP addresses to use as reflectors.
- Forged Requests to the Reflectors: The attacker sends those Memcached hosts UDP requests whose source address is forged to the victim’s IP, so that the amplified responses are addressed to the victim.
- DDoS Attack: The Memcached hosts transmit a large volume of UDP data to the victim’s IP, resulting in a DDoS attack.
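The amplification condition (a response far larger than the request) and the final step of the process are what a network defender can actually observe in flow data. The following Python is an added illustration, not part of the original paper, and runs two checks over constructed flow records: a reflector-side check that totals request and reply bytes per peer for a Memcached host and flags peers whose replies dwarf their requests, and a victim-side check that counts how many distinct hosts are sending a destination traffic from UDP source port 11211. The host and victim addresses, the flow tuple layout, and the thresholds are all assumptions.

```python
from collections import defaultdict

MEMCACHED_UDP_PORT = 11211

# Constructed sample flow records (not a real capture). One record per
# unidirectional UDP flow: (src_ip, src_port, dst_ip, dst_port, packets, bytes).
# 10.0.0.10 is the assumed Memcached host; 203.0.113.7 is the assumed victim.
SAMPLE_FLOWS = [
    # normal client: small requests, modestly larger replies
    ("10.0.0.5", 40000, "10.0.0.10", MEMCACHED_UDP_PORT, 20, 1200),
    ("10.0.0.10", MEMCACHED_UDP_PORT, "10.0.0.5", 40000, 20, 2400),
    # reflection: 500 forged-source requests of 15 bytes "from" the victim ...
    ("203.0.113.7", 53000, "10.0.0.10", MEMCACHED_UDP_PORT, 500, 7500),
    # ... answered with 350 MB of replies delivered to the victim
    ("10.0.0.10", MEMCACHED_UDP_PORT, "203.0.113.7", 53000, 250000, 350_000_000),
    # a second reflector elsewhere hitting the same victim (victim-side view)
    ("198.51.100.20", MEMCACHED_UDP_PORT, "203.0.113.7", 53000, 90000, 120_000_000),
]


def amplification_findings(flows, server_ip, ratio_threshold=50.0, min_reply_bytes=1_000_000):
    """Reflector-side check. For the Memcached host server_ip, total the request
    bytes received on UDP 11211 and the reply bytes sent from UDP 11211 per peer,
    and report peers whose replies dwarf their requests. The thresholds are
    assumed values to tune per deployment.
    Returns {peer_ip: (request_bytes, reply_bytes, ratio)}."""
    request_bytes = defaultdict(int)
    reply_bytes = defaultdict(int)
    for src_ip, src_port, dst_ip, dst_port, _packets, nbytes in flows:
        if dst_ip == server_ip and dst_port == MEMCACHED_UDP_PORT:
            request_bytes[src_ip] += nbytes
        elif src_ip == server_ip and src_port == MEMCACHED_UDP_PORT:
            reply_bytes[dst_ip] += nbytes

    findings = {}
    for peer in set(request_bytes) | set(reply_bytes):
        sent = reply_bytes.get(peer, 0)
        if sent < min_reply_bytes:
            continue  # too small to matter, whatever the ratio
        received = request_bytes.get(peer, 0)
        # replies with no matching requests at all are the most suspicious case
        ratio = sent / received if received else float("inf")
        if ratio >= ratio_threshold:
            findings[peer] = (received, sent, ratio)
    return findings


def reflector_fan_in(flows):
    """Victim-side check. Map each destination to the set of distinct hosts
    sending it traffic from UDP source port 11211; a destination with many such
    sources is receiving reflected Memcached replies rather than talking to its
    own cache."""
    sources = defaultdict(set)
    for src_ip, src_port, dst_ip, _dst_port, _packets, _nbytes in flows:
        if src_port == MEMCACHED_UDP_PORT:
            sources[dst_ip].add(src_ip)
    return dict(sources)


if __name__ == "__main__":
    for peer, (received, sent, ratio) in amplification_findings(SAMPLE_FLOWS, "10.0.0.10").items():
        print(f"reflection suspected: {peer} sent {received} B, got {sent} B (x{ratio:.0f})")
    for dst, srcs in reflector_fan_in(SAMPLE_FLOWS).items():
        if len(srcs) > 1:
            print(f"{dst} is receiving port-11211 replies from {len(srcs)} hosts")
```

The reflector-side view is the one a Memcached operator can act on immediately (the peer being flooded is the victim, and the fix is on the operator’s own host); the victim-side view is what a carrier or upstream provider sees, and it is the basis for the UDP 11211 traffic limits listed under mitigation.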
Conditions of Use
For a reflective DDoS attack on Memcached to be successful, the following conditions must be met:
- UDP Port 11211 Open: The Memcached service must be listening on UDP port 11211 and reachable by the attacker.
- Authentication Disabled: The Memcached service must accept requests without authentication.
- Adequate Bandwidth Resources: The Memcached server node must have enough upload bandwidth for its responses to do damage.
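The first two conditions can be checked directly from how memcached is started. The script below is an added example, not from the paper or the Memcached project; it reads a Debian-style memcached.conf (one option per line, '#' comments) and reports whether UDP is enabled (no -U 0) and whether the service is bound beyond loopback (no -l 127.0.0.1). The sample configurations are constructed, and the udp_default parameter encodes the assumption that releases before 1.5.6 enable UDP by default while 1.5.6 and later disable it.

```python
import shlex

LOOPBACK_PREFIXES = ("127.", "::1")


def parse_memcached_conf(text):
    """Turn a Debian-style memcached.conf (one option per line, '#' comments)
    into the argv list the init script would pass to memcached."""
    argv = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            argv.extend(shlex.split(line))
    return argv


def _option_values(argv, flag):
    """Collect values for a short option given either as '-U 0' or as '-U0'."""
    values = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == flag and i + 1 < len(argv):
            values.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith(flag) and len(arg) > len(flag):
            values.append(arg[len(flag):])
        i += 1
    return values


def audit_memcached_args(argv, udp_default=11211):
    """Return a list of (code, message) findings. udp_default is the UDP port
    memcached uses when -U is absent (assumed: 11211 for releases before 1.5.6,
    0 meaning off from 1.5.6 onward); pass the value matching the installed version."""
    findings = []

    # Condition 1: is there a UDP listener at all?
    udp_values = _option_values(argv, "-U")
    udp_port = int(udp_values[-1]) if udp_values else udp_default
    if udp_port != 0:
        findings.append(("udp-enabled",
                         f"UDP listener on port {udp_port}; start with -U 0 unless UDP is required"))

    # Condition 2 (reachability): where is the service bound? -l may be repeated
    # or comma-separated, and an entry may carry a :port suffix.
    binds = []
    for value in _option_values(argv, "-l"):
        binds.extend(addr.strip() for addr in value.split(","))
    if not binds:
        findings.append(("exposed-bind", "no -l given, listening on all interfaces"))
    else:
        public = [b for b in binds if not b.startswith(LOOPBACK_PREFIXES)]
        if public:
            findings.append(("exposed-bind",
                             f"bound to non-loopback address(es) {', '.join(public)}; "
                             "restrict with -l or a firewall"))
    return findings


# Constructed sample configs (not taken from any real host).
WEAK_CONF = """
# pre-1.5.6 style: UDP left at its default and no bind address
-d
-m 64
-p 11211
-u memcache
"""

HARDENED_CONF = """
-d
-m 64
-p 11211
-U 0            # UDP off: nothing to reflect
-l 127.0.0.1    # loopback only: not reachable from outside the host
-u memcache
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        results = audit_memcached_args(parse_memcached_conf(conf)) or [("ok", "no findings")]
        for code, msg in results:
            print(f"{name}: {code}: {msg}")
```

The third condition, bandwidth, is not visible in the configuration; it is addressed by the traffic limits listed under mitigation rather than on the Memcached host itself.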
Impact Surface
The impact surface of the reflective DDoS attack on Memcached includes:
- Domestic Impact Surface: Over 20,000 domestic Memcached servers are affected.
- Global Impact Surface: Approximately 100,000 Memcached servers worldwide are affected.
Feasible Mitigation Measures
To mitigate the reflective DDoS attack on Memcached, the following measures can be taken:
- Cloud Vendors and Carriers: Rate-limit or block UDP port 11211 traffic in both directions.
- Business Application Whitelisting: Whitelist the business applications that legitimately need Memcached and allow only their traffic through.
- International Export Restrictions: Block reflected traffic from Memcached hosts abroad that is aimed at domestic targets.
In conclusion, the reflective DDoS attack on Memcached is a significant threat both to the operators of this service and to the victims its amplified traffic is directed at. By understanding the attack technique and its implications, users can take the necessary precautions to mitigate its impact.