Memcached DDoS Explained

A Memcached Distributed Denial of Service (DDoS) attack is a cyber attack aimed at Memcached, a database caching system designed to speed up websites and networks. It works by flooding a website or application with traffic to crash the servers.

How does Memcached work?

Memcache is a distributed memory caching system. Its purpose is to help websites and applications load content faster by temporarily storing content on devices, which can then efficiently load when the visitor comes back to the website.

Memcache vulnerabilities

As open-source software, Memcached could be vulnerable to attacks. This became apparent in 2018 when a new form of DDoS attack was launched. Cyber attackers sent spoof requests, which mask the real identity of a sender by cloaking their IP address, to a vulnerable UDP Memcached server.

A UDP, or User Datagram Protocol, is particularly vulnerable as it allows data to be transferred before the end receiving party agrees to the communication, for example, a quick video playback. Hackers sent these spoof requests to the server, flooding the victims with high volumes of traffic and crashing the servers.

As with traditional DDoS attacks, Memcached attacks result in an overloaded server, denying service to genuine website users.

One step up from Mirai Botnet

Prior to the Memcache attack, the biggest DDoS threat was the Mirai Botnet malware, first discovered by MalwareMustDie in August 2016. At the time, it was involved in some of the largest DDoS attacks in history, including well-publicized cases such as the attack on security journalist Brian Krebs.

The team at Akamai went straight to work on mitigating attacks from Mirai Botnet malware, and now provides solutions to protect against any further threats from this source.

Largest DDoS Attack Ever Detected — Twice the Size of 2017 Mirai Botnet

Are you protected?

Having successfully protected against Mirai Botnet, Akamai is now compiling its resources to help enterprises fend off any potential attacks from Memcached malware.

On February 28, 2018, one of Akamai experienced a 1.3 TBps DDoS attack against one of our customers, driven by the memcached reflection. This is the largest attack seen to date by Akamai, more than twice the size of the Mirai botnet attack mitigated by Akamai in 2017.

In response, Akamai created the Prolexic Platform. This software was able to successfully moderated the attack by filtering all traffic sourced from UDP port 11211.

The UDP port 11211 is the default port used by Memcached. Akamai was able to detect this and prevent server-crashing damage to its clients.

Memcache DDoS protection

In order to protect against attacks of this nature, Akamai is now publishing a series of resources, which will help to recognize potential threats. The team is also offering a consultancy service for those who think they might be affected.

If you think you might be vulnerable to a Memcache UDP attack, please call us, toll free, on 1.877.425.2624. Alternatively, contact the DDoS Attack Hotline and arrange a call back.

Find out more about Memcached DDoS tools with our online resources

At Akamai, we always like to stay one step ahead of the curve. Read our experts’ reports to find out more and keep yourself safe from Memcached DDoS.