Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A vulnerability in memcached allows attackers to amplify traffic up to 51,200 times for use in denial of service attacks.
- Only 5,729 of the 88,000 known unprotected servers have been used in memcached attacks thus far, and security experts expect an imminent increase in such attacks.
An amplification attack using the memcached protocol has been observed by CDN provider CloudFlare. The attack–which is occurring on UDP port 11211–has been shown to generate 260 Gbps of inbound traffic.
Ordinarily, memcached is used to increase the performance of websites that use databases to store content. This is accomplished by storing frequently accessed content in RAM, reducing the number of database queries needed to generate a web page. For very large installations in which the number of TCP connections would cause pains in deployment, a limited UDP protocol exists for memcached.
Unfortunately, the protocol design has no checks or authentication of any kind. According to the description by Marek Majkowski at CloudFlare, the attack is initiated by a server spoofing their IP address–specifying the target address as the origin address–and sending a 15-byte request packet, which is answered by a vulnerable memcached server with responses ranging from 134KB-750KB. It has also been observed at a maximum of 23 million packets per second.
SEE: Auditing and logging policy (Tech Pro Research)
The size disparity between the request and response–here, as much as 51,200 times larger–is what makes amplification attacks so effective. In contrast to distributed denial-of-service (DDoS) attacks, the vulnerable system itself likely lacks the raw bandwidth to disrupt the operation of the target. By leveraging vulnerabilities in services that run on UDP, attackers can flood targets by forcing large responses to request packets.
A document from the United States Computer Emergency Readiness Team (US-CERT) indicates that the memcached vulnerability is the most powerful known vector for amplification attacks. The next largest, NTP, has only been measured at 568.9 times, with CharGEN in third at 358.8 times.
To make matters worse, the default configuration of memcached leaves the UDP port open to external connections, leaving any server not behind a firewall vulnerable to use in attacks. Majkowski noted that only 5,729 unique IPs have been seen used in these attacks, but that a Shodan search indicates there are 88,000 unprotected servers on the internet presently. Of those, 25,034 are in the United States, 19,647 are in China, 4,038 are in France, and 3,586 are in Japan.
Because of the ease of this exploit, and the untapped potential of the unused vulnerable machines, the number of memcached-UDP attacks is expected to increase in the near future.
What should memcached users and sysadmins do?
Because the default configuration of memcached leaves systems vulnerable, configuration changes are necessary. Blocking port 11211 in your firewall is a good first step. For memcached users, If UDP is not used in your deployment, you can disable the feature with the switch -U 0. Otherwise, limiting access to localhost with the switch –listen 127.0.0.1 is advisable.
Additionally, Majkowski wrote an impassioned plea to developers to stop using UDP altogether:
If you use UDP, you must always respond with strictly a smaller packet size then the request. Otherwise your protocol will be abused. Also remember that people do forget to set up a firewall. Be a nice citizen. Don’t invent a UDP-based protocol that lacks authentication of any kind.