The  memcached Reflection/Amplification DDoS Attack

Description

Memcache is temporary data storage service used to  improve the overall performance of the website by storing chunks of data in a cache. If misconfigured memcached on port 11211 UDP & TCP is used to cause reflection DOS attack (send a spoofed packet to a device and have it reflected back).

Memcached allows access to the data stored in the cache without any form of authentication and the attacker can easily access data in the corresponding caches and even modify them.

How to Fix:

  • Bind the Memcache server to a particular Source IP Only.
  • Don’t expose this service in the DMZ environment or over the Internet.
  • Update ACLs and Firewalls to track or block UDP/TCP port 11211 for all ingress and egress traffic.

More details at:

  1. US-CERT publication
  2. http://www.senki.org/memcached-on-port-11211-udp-tcp-being-exploited/
  3. https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98
  4. https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/