Abusing Memcached Servers to carry out DDoS

Author: Shazin Sadakath

Memcached is a well-known distributed caching system used by many startups and corporate enterprises to keep data close to their applications and reduce round trips to databases or APIs, thus reducing the load on them and the latency of serving a request. Because of this wide usage and a lack of understanding of its configuration, CloudFlare recently reported that it has been abused to carry out DDoS attacks, coupled with the possibility of amplifying the attack to higher bandwidths.

For those who don't know what a Distributed Denial of Service (DDoS) attack is, I quote Wikipedia:

"A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example, a botnet) flooding the targeted system with traffic." 

In basic terms, malicious requests are sent to a specific server (e.g. Facebook.com) from a geographically distributed network, also called a botnet, which makes it difficult for the victim server to filter out malicious requests from legitimate ones; this eventually exhausts the victim server and takes it out of service.

But in a usual DDoS, the attack size is limited to the bandwidth of the geographically distributed network. If all the devices in that network are attacking the victim server, the attack is at its maximum. This is where the vulnerability in Memcached comes into play. Memcached allows User Datagram Protocol (UDP) based retrieval of cached data. UDP, as opposed to TCP, is a really bare-bones way to communicate on the internet. Think of it as an unregistered letter you send using the local mail. You have both a To address and a From address on the envelope, and you just post it and hope it reaches the recipient. There is no guarantee that it will arrive, and nothing checks that the From address is genuine.

So a malicious user with IP spoofing capability, with the use of a botnet, can send UDP packets to a compromised Memcached server with the From address (the source IP address in UDP) pointing to a victim server. The Memcached server will in turn send its UDP responses to the unsuspecting victim server. Typically the UDP response packets are larger than the request packets, so the attack can be amplified to more bandwidth than the botnet alone could generate.


Memcached UDP can be disabled easily by starting it with the following command line argument:

-U 0
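
To check that the argument above is really in effect across a fleet, the following added example (not part of the original post) audits memcached option strings for an explicit "-U 0". The instance names and option strings are constructed samples, and treating an unset UDP port as needing a fix is an assumption, since the default depends on the memcached build.

```python
import shlex

def udp_port(options):
    """Return the UDP port set in memcached options text, or None if never set.

    Accepts a command line or an options file (one option per line, '#' comments).
    """
    port = None
    tokens = shlex.split(options, comments=True)
    for i, tok in enumerate(tokens):
        value = None
        if tok == "-U" and i + 1 < len(tokens):       # "-U 0"
            value = tokens[i + 1]
        elif tok.startswith("-U") and len(tok) > 2:    # "-U0"
            value = tok[2:]
        elif tok.startswith("--udp-port="):            # long form of -U
            value = tok.split("=", 1)[1]
        if value is not None and value.isdigit():
            port = int(value)                          # a later option overrides an earlier one
    return port

def classify(options):
    """Map options text to 'disabled', 'enabled:<port>' or 'unset'."""
    port = udp_port(options)
    if port is None:
        return "unset"   # assumption: build default is unknown, so require it explicitly
    return "disabled" if port == 0 else "enabled:%d" % port

def needs_fix(instances):
    """Names of instances that do not explicitly disable UDP, sorted."""
    return sorted(n for n, opts in instances.items() if classify(opts) != "disabled")

# Constructed sample inputs, not taken from any real host.
SAMPLES = {
    "cache-a": "memcached -d -m 64 -p 11211 -u memcache -U 0",
    # lowercase -u is the run-as user, not the UDP port
    "cache-b": "-m 64\n-p 11211\n-u memcache  # run as this user\n-l 127.0.0.1\n",
    "cache-c": "memcached -p 11211 -U 11211 -u memcache",
    # a commented-out "-U 0" does not count; the long option does
    "cache-d": "# -U 0\n-p 11211\n--udp-port=0\n",
    # "-U 0" is overridden by the later "-U11211"
    "cache-e": "memcached -U 0 -p 11211 -U11211",
}

if __name__ == "__main__":
    for name, opts in sorted(SAMPLES.items()):
        print(name, classify(opts))
    print("needs fix:", needs_fix(SAMPLES))
```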

Tags: Memcached DDoS Amplification Attack BotNet