Why IT managers need to prepare for a memcached attack


2018's WannaCry?

Businesses are being urged to protect their systems against a new attack vector that is fast gaining popularity.

Last week developer platform GitHub was hit with the most powerful distributed denial of service attack on record, managing to survive 1.35 Tbps of traffic flooded to its website.

The attack drew its power from memcached instances that were inadvertently accessible on the public internet with UDP support enabled.

Attackers abuse the memcache protocol by implanting a large payload on an exposed memcached server and then spoofing the 'get' request message with a victim's IP address. Memcached has a bandwidth amplification factor of 10,000 to 51,000.

"Spoofing of IP addresses allows memcached's responses to be targeted against another address, like ones used to serve GitHub.com, and send more data toward the target than needs to be sent by the unspoofed source," GitHub described at the time.

This type of attack is especially effective because memcached servers have high-bandwidth access links and reside on networks with high-speed transit uplinks, Arbor Networks says.

The vast number of servers running memcached openly - Akamai put this at 50,000 vulnerable systems - makes this a "lasting vulnerability that attackers will exploit", according to Arbor.

Arbor this week claimed to have identified an attack that has outstripped the GitHub DDoS as the largest-ever, posting detail of a 1.7Tbps memcached-based attack on an unnamed company in the US.

"The attack was based on the same memcached reflection/amplification attack vector that made up the GitHub attack. It’s a testament to the capabilities that this service provider had in place to defend against an attack of this nature that no outages were reported because of this," Arbor said.

The firm said it was "critically important" that companies work to protect themselves from such attacks.

"Until the internet community is able to adjust and make significant progress on memcached servers, we should expect terabit attacks to continue."

Akamai similarly said this type of attack was likely to become more popular given its "ability to create such massive attacks".

Last week KrebsOnSecurity reported that attackers are starting to add a ransom into their memcached DDoS attacks.

Mitigations to the attack include blocking off UDP traffic from port 11211.
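For operators who run memcached themselves, the exposure condition described above (an instance reachable beyond the local host with UDP enabled) can be checked in configuration. The following is an added example, not code from the article or from the memcached project. It assumes a Debian-style `memcached.conf` or a plain option string using memcached's `-l`/`--listen` and `-U`/`--udp-port` options; the function names and sample configs are constructed for illustration.

```python
import ipaddress
import shlex

FLAGS = {"-l": "listen", "--listen": "listen", "-U": "udp", "--udp-port": "udp"}

def parse_options(text):
    """Collect -l / -U (and long forms) from memcached.conf-style text."""
    opts, i = {}, 0
    tokens = shlex.split(text, comments=True)        # drops '#' comments
    while i < len(tokens):
        tok = tokens[i]
        name, sep, value = tok.partition("=")
        if name in FLAGS and sep:                    # --udp-port=0
            opts[FLAGS[name]] = value
        elif tok in FLAGS and i + 1 < len(tokens):   # -U 0
            opts[FLAGS[tok]] = tokens[i + 1]
            i += 1
        elif tok[:2] in FLAGS and len(tok) > 2:      # -U0
            opts[FLAGS[tok[:2]]] = tok[2:]
        i += 1
    return opts

def loopback_only(listen):
    """True only if every -l address is loopback; no -l means all interfaces."""
    try:
        return bool(listen) and all(
            h.strip() == "localhost" or ipaddress.ip_address(h.strip()).is_loopback
            for h in listen.split(","))
    except ValueError:  # hostname or host:port form: conservatively treat as reachable
        return False

def audit(text):
    """Return (verdict, reason) for the exposed-UDP condition described in the article."""
    opts = parse_options(text)
    udp = opts.get("udp")
    if udp == "0":
        return "ok", "UDP listener disabled (-U 0)"
    if loopback_only(opts.get("listen")):
        return "ok", "listens on loopback only"
    if udp is None:  # assumption: the UDP default differs between memcached versions
        return "review", "no -U option: UDP default depends on memcached version"
    return "exposed", f"UDP port {udp} on a non-loopback address"

# Constructed sample configs, not taken from any real host.
SAMPLES = {"hardened": "-m 64\n-l 127.0.0.1\n-U 0\n",
           "risky": "# cache tier\n-m 1024\n-l 0.0.0.0\n-U 11211\n",
           "implicit": "-m 64\n-p 11211\n"}
if __name__ == "__main__":
    for label, conf in SAMPLES.items():
        print(label, *audit(conf))
```

A "review" verdict means the file does not settle the question, so confirm the running version's UDP default or set `-U 0` explicitly.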

The first memcached attacks were reported almost five years ago, but have grown in popularity in recent years.

Copyright © iTnews.com.au . All rights reserved.
