Around the end of February, rumors started floating around about a new reflector called memcached that could be used to fuel distributed denial-of-service (DDoS) attacks. A day or so later, defenders were prepping for huge attacks, but threat actors were even quicker to capitalize on their newest toy.

On Feb. 28, exposed memcached servers were used to fuel a 1.3-Tbps attack, the largest recorded to date. Since the incident, security professionals have made great strides toward limiting the number of exposed memcached systems. While these reflection attacks unfolded much faster than usual, memcached follows a pattern that has become familiar in the DDoS world.

Memcached: A Brief History

Memcached isn’t a new service by any means. Designed as an in-memory cache that takes load off slower back-end storage, memcached is a daemon that enables remote storage and quick retrieval of data with little overhead. The vulnerability that makes it so dangerous as a reflector was first highlighted at Black Hat 2010. Like many of the cyberthreats we face, the problem with memcached is that it has been exposed to the internet when it’s only meant to be used internally. The original research indicated that an attacker could replace the contents of the key stores used by the service if Transmission Control Protocol (TCP) port 11211 was exposed and authentication was not enabled for the service.

At that point, the memcached vulnerability was concerning, but not terribly useful for most attackers. Fast forward to the end of this past February, and the situation changed significantly. The first part of the problem was that several different distributions of Linux had changed their default configurations. The memcached service was configured in an open state on all interfaces by default, rather than needing to be explicitly opened by administrators. The second part of the problem came when researchers realized that memcached was open on User Datagram Protocol (UDP) port 11211 and wasn’t requiring authentication on tens of thousands of systems around the globe.

Because they are connectionless, UDP protocols are inherently less secure than TCP: an attacker can spoof the source address of a request so that the reply is delivered to a victim instead, which is the basis for most reflection attacks. The third leg of the problem comes in two forms. If the attacker just wants to use whatever data is already in the memcached key stores, they will get a moderate amplification rate to use for DDoS purposes. But a threat actor can also take advantage of the lack of authentication and stuff as much information as the system can handle into the key stores.

Once the service is stuffed to the gills, all it takes is a 203-byte request to unleash a response of up to 100 MB from each vulnerable server. Before memcached, the highest amplification factor an attacker could expect from a service such as Network Time Protocol (NTP) or Domain Name System (DNS) might be in the 1,000 to 2,000 range at best. Compare that to memcached, with an amplification factor somewhere between 10,000 and 50,000, and you can see why attackers were salivating when this attack vector was discovered.
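The reflection pattern just described leaves a recognisable trace in flow records on either side of the exchange: a small UDP request to port 11211, answered by a very large UDP flow leaving port 11211 toward the spoofed address. The script below is an added example, not code from the article: it parses a constructed flow log, pairs each oversized reply with the request that triggered it, and reports the amplification ratio per reflector/victim pair, flagging replies with no observed request as well. The record format, addresses and byte counts are all constructed for the example.

```python
#!/usr/bin/env python3
"""Flag memcached (UDP/11211) reflection traffic in flow records and estimate
the amplification factor for each reflector/victim pair.

Added example, not code from the article. The record format
('proto src:sport -> dst:dport bytes packets') and all addresses are
constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211
# A normal memcached reply is a few hundred bytes; anything this large leaving
# UDP/11211 is worth a closer look regardless of the ratio.
MIN_SUSPECT_BYTES = 10_000


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int
    npkts: int


def parse_flow(line):
    """Parse one constructed record into a Flow."""
    proto, src, _arrow, dst, nbytes, npkts = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(proto.lower(), src_ip, int(sport), dst_ip, int(dport),
                int(nbytes), int(npkts))


def find_reflection(flows):
    """Return {(reflector, victim): amplification} for large UDP flows that
    leave port 11211. Amplification is response bytes / request bytes; it is
    None when no matching request flow was seen (for example because the
    spoofed request took a path this collector does not observe)."""
    # Requests are indexed by (reflector, victim, victim_port) so that a
    # response can be matched to the request that triggered it.
    request_bytes = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.dport == MEMCACHED_PORT:
            request_bytes[(f.dst, f.src, f.sport)] += f.nbytes

    findings = {}
    for f in flows:
        if f.proto != "udp" or f.sport != MEMCACHED_PORT:
            continue
        if f.nbytes < MIN_SUSPECT_BYTES:
            continue  # ordinary cache reply, not reflection
        req = request_bytes.get((f.src, f.dst, f.dport), 0)
        findings[(f.src, f.dst)] = f.nbytes / req if req else None
    return findings


def analyze_log(text):
    """Parse a whole log and return the reflection findings."""
    flows = [parse_flow(l) for l in text.splitlines() if l.strip()]
    return find_reflection(flows)


# Constructed sample: two spoofed 203-byte requests and their oversized
# replies, one reply with no observed request, and benign internal traffic.
SAMPLE_LOG = """\
udp 198.51.100.7:40000 -> 203.0.113.5:11211 203 1
udp 203.0.113.5:11211 -> 198.51.100.7:40000 10240000 7000
udp 198.51.100.7:40001 -> 203.0.113.9:11211 203 1
udp 203.0.113.9:11211 -> 198.51.100.7:40001 2030000 1400
udp 203.0.113.30:11211 -> 198.51.100.8:40005 500000 350
tcp 10.0.0.4:53122 -> 10.0.0.5:11211 1200 12
udp 10.0.0.5:11211 -> 10.0.0.4:53123 180 1
"""

if __name__ == "__main__":
    for (reflector, victim), amp in analyze_log(SAMPLE_LOG).items():
        ratio = "unknown" if amp is None else f"{amp:,.0f}x"
        print(f"reflector {reflector} -> victim {victim}: amplification {ratio}")
```

On the victim side the same logic works with the roles reversed: inbound UDP from source port 11211 that the victim never asked for is the signature to alert on, and the per-reflector list is what you hand to the upstream provider for filtering. The byte threshold keeps ordinary cache replies out of the report; the ratio is what tells you how much each reflector is contributing.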

Memcached Reflection Attacks Break DDoS Records

It’s hard to express just how quickly attackers moved to capitalize on memcached. In the security community, rumors of the vulnerability started circulating over the weekend, and by Monday, Feb. 27, several organizations had already seen attacks. On Feb. 28, Akamai protected a customer from what is possibly the largest DDoS attack ever recorded — a punishing 1.3 Tbps firehose of traffic from memcached servers across the globe.

Today, the issues caused by memcached have been largely mitigated, but not completely. The initial count of 50,000 vulnerable servers was quickly whittled down to 10,000 in the initial days of the attacks and has since dropped below a few thousand servers. Multiple internet service providers (ISPs) and cloud services have taken steps to prevent their networks from being the source of memcached attack traffic. Linux defaults have been updated to prevent the preconfigured exposure of the service to the internet, and administrators across the globe have updated their configurations to block port 11211 and require authentication.
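A quick way to confirm that an instance no longer carries the exposed defaults is to audit its startup options for the three fixes listed above: a loopback-only listener, UDP switched off, and authentication required. The following is an added example, not the article's or the memcached project's code. It reads Debian-style /etc/memcached.conf text (one option per line) or a flat command line and interprets the documented short flags -l, -U and -S; treating a missing -U as "UDP enabled" is a deliberate, conservative assumption, since older releases turned UDP on by default. Both sample configurations are constructed.

```python
#!/usr/bin/env python3
"""Audit memcached startup options for the exposures the article describes:
a listener bound to every interface, UDP enabled, and no authentication.

Added example, not code from the article or the memcached project. Input is
either Debian-style /etc/memcached.conf text (one option per line, '#'
comments) or a flat command line. Only the short flags are parsed:
  -l <addr>   bind address(es); absent means all interfaces
  -U <port>   UDP port; 0 disables UDP
  -S          enable SASL authentication
Assumption: when -U is absent, UDP is treated as enabled (the default on
releases older than 1.5.6; newer releases default it off).
"""
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_options(text):
    """Tokenise config-file or command-line text, dropping '#' comments."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tokens.extend(shlex.split(line))
    return tokens


def _host_part(addr):
    """Strip a ':port' suffix from an IPv4 'addr:port' entry."""
    return addr.split(":")[0] if addr.count(":") == 1 else addr


def audit(tokens):
    """Return the list of exposure findings for an option list (empty = ok)."""
    listen = None      # value of -l, or None if not given
    udp_port = None    # value of -U, or None if not given
    sasl = False
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        if flag == "-l" and i + 1 < len(tokens):
            listen = tokens[i + 1]
            i += 2
        elif flag == "-U" and i + 1 < len(tokens):
            udp_port = int(tokens[i + 1])
            i += 2
        elif flag == "-S":
            sasl = True
            i += 1
        else:
            i += 1  # other options (-m, -p, -u, ...) do not affect exposure

    findings = []
    addrs = [] if listen is None else [_host_part(a.strip()) for a in listen.split(",")]
    if listen is None or any(a not in LOOPBACK for a in addrs):
        findings.append("listener not restricted to loopback")
    if udp_port is None or udp_port != 0:
        findings.append("UDP listener enabled")
    if not sasl:
        findings.append("no authentication (-S) configured")
    return findings


def audit_text(text):
    """Convenience wrapper: audit raw config-file or command-line text."""
    return audit(parse_options(text))


# Constructed: the kind of distribution default the article describes.
EXPOSED_CONF = """\
# memcached default options (constructed sample)
-m 64
-p 11211
-u memcache
"""

# Constructed: the same service after the fixes the article lists.
HARDENED_CONF = """\
-m 64
-p 11211
-u memcache
-l 127.0.0.1   # answer only on the loopback interface
-U 0           # turn the UDP listener off
-S             # require SASL authentication
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_text(conf) or ["no exposures found"])
```

A listener bound to a private address rather than loopback is reported too; that may be legitimate for a cache shared between application hosts, but it is exactly the case where the firewall rule blocking port 11211 from the internet has to be in place.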

A Wake-Up Call for Developers

Memcached is simply the latest example of a valid service that was developed and deployed with little or no thought to security. It was quite a wake-up call when Mirai burst onto the scene with a 623-Gbps attack against security writer Brian Krebs. This was the first big leap in attack traffic in several years and highlighted the fact that attackers were looking for new resources to fuel DDoS attacks. Memcached is proof that the bad guys haven’t stopped their search for new pools of vulnerable protocols and services to exploit.

It took compounded vulnerabilities and a change to default configurations to turn the memcached service into the threat it became earlier this year. These attacks serve as a reminder that security has to be a primary consideration from the development stage of a piece of software through to its end of life. The cold, hard truth is that eventually, every service will be exposed, even if it was built for entirely legitimate purposes.
