Memcached Amplification Attacks

Posted by Author Deepak Shanker on Posted on

Memcached is high-performance distributed system for caching. It was designed yo improve web application performance by reducing database load. An amplification attack using the memcached protocol was observed in the wild. The attack is carried over UDP port 11211.

Amplification attacks requires an attacker to forge the IP address of the target and send a request to a vulnerable server which responds to the target, typically with a large response packet. If done on a large scale the target will exhaust its resources and may result in DDoS attack. The attack is called “amplification” because the vulnerable server is amplifying the DDoS attack by responding with a larger packet allowing attackers to launch high bandwidth consuming attacks with limited IP-spoofing capability.

In case of memcached the server responds with packets as large as 1MB. The server implement limited checks. Initially the attacker smuggles a large payload on to a memcached server and spoofs a get request with source pointing to the targets IP address. CloudFlare has reported an amplification factor of 51,200x.

Mitigation
– Enforce rules to limit connectivity on UDP port 11211. With proper source IP checks
– Disable UDP support if not in use.
– memcached version 1.5.6 has been released to address this issue. Default support on UDP port 11211 has been disabled.
– Please scan your network using QID : 38703 to detect vulnerable machines on your network

Qualys Detection
QID : 38703 is a potential check that uses ‘memcached -V‘ to obtain memcached version over TCP port 11211. A check using UDP is under development and will be added shortly.

Updates:
– CVE-2018-1000115 assigned to track this vulnerability.
Akamai reports 1.3 Tbps DDoS attack using memcached amplification.
– A PoC has been released on github.

Please continue follow Qualys for more information on vulnerabilities.

References
Memcrashed – Major amplification attacks from UDP port 11211
memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations
Memcached 1.5.6 Release Notes
Source Address Validation Everywhere
About Memcached

Leave a Reply

Your email address will not be published. Required fields are marked *