Last week, Github, the web-based hosting service used mainly for code, was unavailable to intermittently unavailable due to a distributed denial-of-service (DDoS) attack, according to an announcement on its website. Traffic for the attack reached 1.35 terabits per second (Tbps), unprecedented for attacks of its type.
Attacker(s) co-opted widely-used Memcached database servers that have support for the UDP protocol enabled and are exposed to the internet without any authentication requirements in place, using a relatively unique attack method dubbed ‘Memcrashed.’
What is Memcached?
Memcached is a key-value cache store intended to store value pairs at high-volume for distributed systems, similar to a storage system like Redis. However, Memcached is meant only for caching and does not have persistent storage.
Amplification of Memcached
For some reason, Memcached supports the UDP protocol, as can be read in their protocol specification document under ‘UDP protocol.’
UDP is a transport system in which the reliability of data isn’t required. However, this happens to be the reason amplification attacks exists. In UDP, the sender of a UDP packet can spoof its source address to the receiver. If a protocol is designed to also respond in UDP, the receiver could respond to an entirely different sender, which is the basis for UDP-based amplification attacks. An attacker spoofs the IP of their target towards a service that returns large quantities of data based on the request, which ‘amplifies’ the data back to the target.
How You, as a Network Operator, can Avoid Memcrashed
The spoofing of IPs in UDP is something ISPs and network operators around the globe try to suppress and filter in an attempt to stop these attacks, but it still happens.
If you’re unsure if you have any Memcached servers running digital footprint, you can find out by scanning your perimeter for services listening on port 11211, which is the default port Memcached listens on. Also, be sure to check with teams operating services inside your network to see if they might have configured Memcached servers on a non-default port.
If you do have Memcached servers in your network, be sure to take these steps:
- Make sure that these instances have UDP support disabled if it is not required https://github.com/memcached/memcached/wiki/ConfiguringServer#udp
- If you require UDP support, reconsider if these services need to be world-reachable—you might unwittingly be participating in amplification attacks!
- If you didn’t have UDP enabled but you do have a publicly accessible Memcached service, consider if it really needs to be public—don't overexpose your network.
What RiskIQ can Do
RiskIQ customers using Digital Footprint can investigate Open Ports across your IP footprint, allowing security and IT teams to quickly reduce their exposed attack surface by closing unnecessarily opened ports and ensuring the security of necessary services.
Using the Open Ports passive data set, we show what IPs from your footprint are live and responding to port scans. We display this as a drillable summary, showing the quantity of IPs with open ports, and allow you to drill down into the details of each IP.