Akamai is aware of a new DDoS reflection attack vector: UDP-based memcached traffic. Memcached is a tool meant to cache data and reduce strain on heavier data stores, like disk or databases. The protocol allows the server to be queried for information about key value stores and is only intended to be used on systems that are not exposed to the Internet. There is no authentication required with memcached. When this is added to the ability to spoof IP addresses of UDP traffic, the protocol can be easily abused as a reflector when it is exposed to the Internet. Akamai has seen multiple attacks, some in excess of 190 Gbps, with the potential for much larger attacks.
The memcache protocol was never meant to be exposed to the Internet, but there are currently more than 50,000 known vulnerable systems exposed at the time of this writing. By default, memcached listens on localhost on TCP and UDP port 11211 on most versions of Linux, but in some distributions it is configured to listen to this port on all interfaces by default.
When a system receives a memcached get request, it forms a response by collecting the requested values from memory, sending them over the wire in an uninterrupted stream. This response is sent to the target in multiple UDP packets, each with a length of up to 1400 bytes. It is difficult to determine the exact amplification factor of memcached, but the attacks Akamai saw generated nearly 1 Gbps per reflector. Other organizations have reported attacks in excess of 500 Gbps using memcached reflection.
To make the situation worse, attackers can influence the amplification factor for a given node by inserting records into the open server, thus having a large object to use during reflection. By default memcached uses a limit of 1MB per stored value, however this constraint is user configurable. Even more worrisome is that multiple keys or duplicate keys can be requested multiple times in a single request. This allows attackers to load up a number of large values into the data store and then use them in attacks. It is possible that an attacker could purposely place a 1MB value in the data store, and using a spoofed UDP packet request that single 1MB value hundreds of times per request. This would result in a massive amplification factor where a 203 byte request results in 100MB response of reflected traffic, per request. It doesn't take much imagination to see how this could be and is being abused, resulting in considerable DDoS attacks.
Attacks of the size potentially created by memcached reflection cannot be easily defended against by data center solutions, requiring the cooperation of upstream ISPs and/or cloud based DDoS protection services. Blocking port 11211 is a starting point for defenses and will prevent systems on your network from being used as reflectors. Configuring mitigation controls, like port blocking, can allow for this traffic to be handled quickly and efficiently.
Similar to most reflection and amplification attacks before it, the primary solution to memcached attacks is to not have the reflectors exposed to the Internet. However, relying on remote systems administrators to remove their servers from the Internet is not a solution likely to see immediate results. In the meantime, organizations need to be prepared for more multigigabit attacks using this protocol and should plan accordingly.