
Memcached Exploit Amplifies DRDoS Attacks


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

An increase in amplified distributed reflected denial-of-service (DRDoS) attacks has been observed using UDP port 11211. This is associated with memcached, a distributed memory caching system intended to alleviate database load.

Threat details

Although memcached does not authenticate requests and is not intended for Internet-facing systems, nearly 100,000 Internet-reachable servers have been found running memcached with UDP support enabled.

When servers running memcached have UDP port 11211 exposed to the Internet, an attacker can send them spoofed requests which appear as though they have come from the target's IP address. The responses are therefore directed towards the target instead of the attacker, and they are 10,000-50,000 times larger than the original requests.

GitHub experienced a loss of availability when 1.3Tbps of traffic was directed at their site in one of the largest attacks of this type so far. This demonstrates the significant impact of these attacks, which do not need the considerable resources otherwise required to acquire and control a large botnet.
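The reflection mechanism described above has a simple signature on the memcached host itself: the spoofed "client" sends a few bytes to UDP/11211 and receives orders of magnitude more back. The following is an added example (not code from the NHS Digital alert) that ranks peers by that ratio over a constructed set of NetFlow-style records; the record fields, the server address and the internal network list are assumptions.

```python
# Added example (not from the NHS Digital alert): rank peers of a memcached
# host we operate by the UDP/11211 amplification seen in flow records. The
# records and field names below are a constructed sample, not real data.
import ipaddress
from collections import defaultdict, namedtuple

MEMCACHED_UDP_PORT = 11211
Flow = namedtuple("Flow", "src sport dst dport proto nbytes")  # one flow record


def udp_11211_byte_counts(flows, server_ip):
    """Per peer: (bytes the peer sent to UDP/11211, bytes the server sent back)."""
    bytes_in, bytes_out = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst == server_ip and f.dport == MEMCACHED_UDP_PORT:
            bytes_in[f.src] += f.nbytes
        elif f.src == server_ip and f.sport == MEMCACHED_UDP_PORT:
            bytes_out[f.dst] += f.nbytes
    return {p: (bytes_in[p], bytes_out[p]) for p in set(bytes_in) | set(bytes_out)}


def suspected_reflection_targets(flows, server_ip, internal_nets, min_ratio=100.0):
    """External peers that got back far more than they sent, largest ratio first.
    A spoofed request makes the victim look like the client, so from the
    server's side the victim is a peer with tiny input and huge output.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for peer, (bin_, bout) in udp_11211_byte_counts(flows, server_ip).items():
        if any(ipaddress.ip_address(peer) in n for n in nets):
            continue  # expected clients; memcached should never answer the Internet
        ratio = bout / bin_ if bin_ else float("inf")
        if ratio >= min_ratio:
            hits.append((peer, bin_, bout, ratio))
    return sorted(hits, key=lambda h: h[3], reverse=True)


# Constructed sample: 192.0.2.20 is our memcached host, 203.0.113.10 the
# apparent (spoofed) source of two tiny requests, 10.0.0.5 a real client.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 40000, "192.0.2.20", 11211, "udp", 60),
    Flow("192.0.2.20", 11211, "203.0.113.10", 40000, "udp", 750_000),
    Flow("203.0.113.10", 40001, "192.0.2.20", 11211, "udp", 60),
    Flow("192.0.2.20", 11211, "203.0.113.10", 40001, "udp", 750_000),
    Flow("10.0.0.5", 50000, "192.0.2.20", 11211, "udp", 500),
    Flow("192.0.2.20", 11211, "10.0.0.5", 50000, "udp", 40_000),
    Flow("10.0.0.7", 50001, "192.0.2.20", 11211, "tcp", 300),  # TCP: ignored
]
```

On the sample, the spoofed peer shows 120 bytes in against 1,500,000 bytes out, an amplification factor of 12,500, squarely in the 10,000-50,000 range the alert describes, while the internal client is skipped as expected traffic.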

For further information please see the Memcached Project site and CVE-2018-1000115.


Remediation steps

  • Consider blocking or rate-limiting UDP port 11211 on Internet-facing devices.
  • Disable UDP support unless the memcached deployment requires it.
  • Restrict memcached services to localhost if they are not required by any remote services.
  • Consider the use of a third-party DDoS mitigation tool.
  • Review current DDoS mitigation tools with a view to assessing whether they are currently fit for purpose.
  • Have a well-established DDoS playbook to call upon when an incident occurs. Appropriately skilled personnel should be called upon to ensure the best level of protection and mitigation.


Last edited: 17 February 2020 12:48 pm