  1. #1
    Join Date: Feb 2012 | Location: Dallas, Texas | Posts: 807

    "Memcrashed" - Major amplification attacks from UDP port 11211 - DDoS Attacks

    Cloudflare confirmed earlier today what a lot of providers already knew: since around the 20th of February, large UDP attacks have been banging on the door of networks around the world.

    A commit to the memcache GitHub in 2008 by Brian Aker, which enabled UDP by default for the memcache service, now has an unforeseen consequence.

    According to Rapid7’s Project Sonar, there are over 100,000 exposed memcached servers at any given time. "Memcached over UDP makes for an ideal amplifier — the spoofed source requests from an attacker are tiny, and the resulting replies to the spoofed source can be enormous."

    Attacks so far have peaked around 260Gbps.

    https://www.arbornetworks.com/blog/a...commendations/
    https://blog.cloudflare.com/memcrash...om-port-11211/
    https://blog.rapid7.com/2018/02/27/t...of-memcrashed/
    Swiftnode.net − Performance VPS, Dedicated Servers & Game Servers
    12 Global Locations − North America, Europe, Japan, India, and Australia
    Always-On DDoS Mitigation (UDP & TCP) − Optimized Routing − 24/7 Support

  2. #2
    Join Date: Mar 2013 | Location: North and South America | Posts: 192
    US-CERT Alert (TA14-017A)
    UDP-Based Amplification Attacks

    https://www.us-cert.gov/ncas/alerts/TA14-017A

  3. #3
    Join Date: Mar 2007 | Posts: 2,050
    This is old news to me; I found this issue back in the day due to running extremely secure environments and conducting penetration tests against all services. The resolution was to only allow local connections to memcached per server if it was web accessible. UDP is normally faster than TCP, and there is no need to disable it if it is not publicly accessible. The speed is exactly why it should be used for local trusted connections (e.g. not for shared hosting), with proper firewall rules in place so only traffic that is intended can be accessed (web, mail, etc.) and everything else logged and dropped, and with administrative capabilities accessible only via VPN over a private secure network.

  4. #4
    We also faced this attack, and the first thing to look at is your bandwidth port; if it stretches up to full, then you have already become the victim.

    We simply made memcache listen on a private IP and the issue got fixed.
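    The fix the two posts above describe (bind memcached to loopback or a private address, or turn UDP off) comes down to the -l and -U flags memcached is started with. The script below is an added example, not code from this thread or from the memcached project: it flattens a Debian-style /etc/memcached.conf (or takes a sysconfig OPTIONS line as-is), classifies how far the UDP listener reaches, and emits the hardened option string. The sample config is constructed. It assumes only the short flags (-l, -U, -p) are in use and relies on Python's ipaddress module, whose is_private covers the IANA special-purpose ranges as well as RFC 1918.

```python
import ipaddress
import shlex

# memcached's historical default: UDP on, same port as TCP. "-U 0" turns it
# off, and memcached 1.5.6 made that the default.
DEFAULT_UDP_PORT = 11211

# Constructed sample in the Debian /etc/memcached.conf layout: one option per
# line, '#' comments. Not a real server's file.
SAMPLE_CONF = """\
# memcached default config (constructed sample)
-m 64
-p 11211
-u memcache
-l 127.0.0.1
"""


def options_from_conf(conf_text: str) -> str:
    """Flatten a one-option-per-line config into a single option string,
    the form used by the sysconfig OPTIONS= line on RHEL/CentOS."""
    parts = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts.append(line)
    return " ".join(parts)


def _strip_port(bind: str) -> str:
    """-l accepts ADDR, ADDR:PORT and [IPv6]:PORT; return only the address."""
    if bind.startswith("["):
        return bind[1:bind.index("]")]
    if bind.count(":") == 1:            # exactly one colon: IPv4:PORT
        return bind.split(":", 1)[0]
    return bind                         # bare IPv4 or bare IPv6


def parse_memcached_options(opts: str) -> dict:
    """Pull the bind addresses (-l) and UDP port (-U) out of a memcached
    option string. Only the short flags are handled (assumption)."""
    args = shlex.split(opts)
    binds, udp_port = [], DEFAULT_UDP_PORT
    i = 0
    while i < len(args):
        flag = args[i]
        if flag in ("-l", "-U"):                              # "-l ADDR" form
            value = args[i + 1]
            i += 2
        elif flag[:2] in ("-l", "-U") and len(flag) > 2:      # "-lADDR" form
            flag, value = flag[:2], flag[2:]
            i += 1
        else:
            i += 1
            continue
        if flag == "-l":
            binds += [_strip_port(b.strip()) for b in value.split(",")]
        else:
            udp_port = int(value)
    return {"binds": binds, "udp_port": udp_port}


def udp_exposure(opts: str) -> str:
    """Classify how far the UDP listener reaches for these options:
    'udp_off', 'loopback', 'private' (LAN-reachable, so still a problem on
    shared hosting, as post #3 notes), or 'public'."""
    parsed = parse_memcached_options(opts)
    if parsed["udp_port"] == 0:
        return "udp_off"
    if not parsed["binds"]:
        return "public"                 # no -l at all: every interface
    worst = "loopback"
    for bind in parsed["binds"]:
        try:
            ip = ipaddress.ip_address(bind)
        except ValueError:              # a hostname: cannot tell, assume the worst
            return "public"
        if ip.is_unspecified:           # 0.0.0.0 / :: means every interface
            return "public"
        if ip.is_loopback:
            continue
        if ip.is_private:               # RFC 1918 and other non-global ranges
            worst = "private"
        else:
            return "public"
    return worst


def harden(opts: str) -> str:
    """Rewrite the options with UDP disabled (-U 0) and, when no bind was
    given, bound to loopback: the fix described in the thread."""
    args = shlex.split(opts)
    kept = []
    i = 0
    while i < len(args):
        if args[i] == "-U":
            i += 2                      # drop "-U PORT"
        elif args[i].startswith("-U") and len(args[i]) > 2:
            i += 1                      # drop "-UPORT"
        else:
            kept.append(args[i])
            i += 1
    kept += ["-U", "0"]
    if not parse_memcached_options(opts)["binds"]:
        kept += ["-l", "127.0.0.1"]
    return " ".join(kept)


if __name__ == "__main__":
    for opts in ("-m 64 -p 11211 -u memcache", options_from_conf(SAMPLE_CONF)):
        print(repr(opts), "->", udp_exposure(opts), "| hardened:", harden(opts))
```

    A 'private' result is the post #4 state: fine on a single-tenant box behind a firewall, not fine on shared hosting, where anything else on the LAN can still use the server as a reflector. Binding to a private address also does nothing for the bandwidth a spoofed request can pull across the LAN, so on anything multi-tenant -U 0 is the answer.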

  5. #5
    Join Date: Feb 2012 | Location: Dallas, Texas | Posts: 807
    Quote Originally Posted by helpdesk View Post
    We also faced this attack, and the first thing to look at is your bandwidth port; if it stretches up to full, then you have already become the victim.

    We simply made memcache listen on a private IP and the issue got fixed.
    It doesn't sound like you were the victim, but rather part of the attack.

    These attacks work by spoofing a victim IP to a bunch of public Memcache servers; since your memcache server sounds like it was open to the internet, you were likely being used as a "zombie" in attacks on others.

    I say this because, if you were the target of the attack, you wouldn't have any success simply moving your memcache service to a private address.
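    The mechanism post #5 describes (a tiny request with a spoofed source, an enormous reply sent to the spoofed address) can be made concrete with the memcached UDP frame format from the project's protocol.txt: an 8-byte header of request id, sequence number, total datagrams and a reserved word, followed by the ASCII command. The code below is an added example, not from this thread or from the linked write-ups: it builds the 15-byte stats probe, shows how a server chunks a large reply into sequenced frames, reassembles them, and computes the bandwidth amplification factor. The stats text is constructed sample data, not a real server's output. The probe() helper is only for checking a server you own; it returns None when nothing answers, which is what a -U 0 or properly firewalled server looks like.

```python
import socket
import struct
from typing import List, Optional

MEMCACHED_UDP_PORT = 11211

# memcached UDP frame header (protocol.txt): four big-endian 16-bit fields:
# request id, sequence number, total datagrams in the message, reserved (0).
FRAME_HDR = struct.Struct("!HHHH")


def build_request(command: bytes, request_id: int = 0) -> bytes:
    """Wrap one ASCII command in a single UDP frame (sequence 0 of 1)."""
    return FRAME_HDR.pack(request_id, 0, 1, 0) + command + b"\r\n"


# The 15-byte probe: 8-byte header plus b"stats\r\n".
STATS_PROBE = build_request(b"stats")


def split_reply(payload: bytes, request_id: int, max_data: int = 1400) -> List[bytes]:
    """Chunk a reply the way a server does: every frame repeats the request id
    and carries its own sequence number and the total frame count."""
    chunks = [payload[i:i + max_data] for i in range(0, len(payload), max_data)] or [b""]
    return [FRAME_HDR.pack(request_id, seq, len(chunks), 0) + c
            for seq, c in enumerate(chunks)]


def reassemble(frames: List[bytes]) -> bytes:
    """Reorder frames by sequence number and join them, rejecting frames from
    another request id or a message with frames missing."""
    by_seq = {}
    expected = None                      # (request id, total) of the first frame
    for f in frames:
        rid, seq, total, _reserved = FRAME_HDR.unpack(f[:8])
        if expected is None:
            expected = (rid, total)
        if (rid, total) != expected or seq >= total:
            raise ValueError("frame does not belong to this reply")
        by_seq[seq] = f[8:]
    if expected is None or len(by_seq) != expected[1]:
        raise ValueError("reply incomplete")
    return b"".join(by_seq[i] for i in range(expected[1]))


def amplification(request: bytes, frames: List[bytes]) -> float:
    """Bandwidth amplification factor as the victim's link sees it:
    total reply bytes on the wire (headers included) per request byte."""
    return sum(len(f) for f in frames) / len(request)


# Constructed sample: 200 STAT lines, the shape of text a real `stats` reply
# has. Real replies vary in size; this one is made up for the demo.
SAMPLE_STATS = b"".join(b"STAT item%d %d\r\n" % (i, i) for i in range(200)) + b"END\r\n"


def probe(host: str, port: int = MEMCACHED_UDP_PORT, timeout: float = 1.0) -> Optional[List[bytes]]:
    """Send STATS_PROBE to a server you own and collect its reply frames.
    None means nothing answered (timeout, ICMP port unreachable, no network),
    which is what a `-U 0` or firewalled server looks like from outside."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    frames: List[bytes] = []
    try:
        sock.sendto(STATS_PROBE, (host, port))
        while True:
            data, _ = sock.recvfrom(65535)
            if len(data) < FRAME_HDR.size:
                break
            frames.append(data)
            _, _, total, _ = FRAME_HDR.unpack(data[:8])
            if len(frames) >= total:
                break
    except OSError:                      # socket.timeout is an OSError subclass
        pass
    finally:
        sock.close()
    return frames or None


if __name__ == "__main__":
    frames = split_reply(SAMPLE_STATS, request_id=7)
    assert reassemble(frames) == SAMPLE_STATS
    print("probe bytes:", len(STATS_PROBE), "reply frames:", len(frames),
          "amplification: %.1fx" % amplification(STATS_PROBE, frames))
```

    Two things the frame layout makes obvious: nothing in the header ties a reply to a client beyond the source address the request arrived from, so a spoofed source is all an attacker needs; and the amplification factor scales with whatever is in the cache, since a `get` for a large key the attacker planted earlier returns that value rather than the stats text.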

  6. #6
    Join Date: Apr 2000 | Location: Brisbane, Australia | Posts: 2,602
    GitHub was hit with a 1.35Tbps attack using this: https://githubengineering.com/ddos-incident-report/
    : CentminMod.com Nginx Installer Nginx 1.25, PHP-FPM, MariaDB 10 CentOS (AlmaLinux/Rocky testing)
    : Centmin Mod Latest Beta Nginx HTTP/2 HTTPS & HTTP/3 QUIC HTTPS supports TLS 1.3 via OpenSSL 1.1.1/3.0/3.1 or BoringSSL or QuicTLS OpenSSL
    : Nginx & PHP-FPM Benchmarks: Centmin Mod vs EasyEngine vs Webinoly vs VestaCP vs OneInStack

  8. #8
    Quote Originally Posted by Swiftnode View Post
    It doesn't sound like you were the victim, but rather part of the attack.

    These attacks work by spoofing a victim IP to a bunch of public Memcache servers; since your memcache server sounds like it was open to the internet, you were likely being used as a "zombie" in attacks on others.

    I say this because, if you were the target of the attack, you wouldn't have any success simply moving your memcache service to a private address.
    Sorry for the delay in getting back to this thread. Yes, you're correct, we were part of the attack!
