‘Tiny call, giant reply’ junk traffic attacks aided by 100,000 vulnerable servers

Cybercriminals directing junk traffic at targets have recently started using an “obscure” trick to supercharge puny bandwidth attacks.

Distributed denial of service (DDoS) attackers are abusing “memcached” or memory caching servers to massively amplify attacks on victims. Memcached systems are used by websites to cache data in memory, which optimizes the performance of sites that rely on external databases.

DDoS attacks have long used various ‘reflection’ techniques to amplify their impact by sending packets to multiple ‘reflector’ servers that each reply with a larger number of packets that are then directed to a server of the attacker’s choice. 

The attack enables extortion and threats, for example, between online gaming groups and has in the past been linked to activists’ actions. 

Reflector servers receive fake or spoofed packets, which fool them into sending larger responses to a targeted server. With the aid of thousands of reflector servers, malicious traffic measured at megabits per second can grow to tens or hundreds of gigabits per second.

Researchers at website optimization firm Cloudflare discovered that DDoS attackers recently started using the memcached protocol, and memcached servers that support the UDP internet protocol, to magnify attacks.

This particular amplification attack was rare in that it was both obscure and allowed attackers to dramatically amplify the attack by exploiting the difference between request and response sizes, according to Cloudflare engineer Marek Majkowski.

The attack has enabled reflection attacks that generate 260 Gbps of inbound UDP memcached traffic. Cloudflare has previously recorded DDoS reflection attacks at 100 Gbps.

The memcached attack was “massive for a new amplification vector”, said Majkowski, and generated a response that was 51,200 times the size of the request. 


"15 bytes of request triggered 134KB of response. This is amplification factor of 10,000x! In practice we've seen a 15 byte request result in a 750kB response (that's a 51,200x amplification),” the engineer noted.

Majkowski said Cloudflare has seen vulnerable memcached servers around the world, with a higher concentration in Europe and North America.

Security firm Rapid7’s internet scanning software, Project Sonar, currently detects over 100,000 exposed memcached servers on the internet. It observed a spike in memcached probes on February 20, roughly lining up with Cloudflare’s detections.

To resolve the issue for victims being abused by vulnerable memcached servers, he urged users to disable UDP support if it is not being used. Admins should shield memcached servers behind a firewall, while ISPs need to address the bigger problem stemming from allowing fake IP addresses to be used on the internet.
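For admins acting on that advice, the following added example (not code from the article or from Cloudflare) audits a memcached options file for the two server-side settings mentioned: UDP support and the listen address. It assumes a Debian-style `memcached.conf` with one option per line, memcached's `-U` (UDP port, `0` disables it) and `-l` (listen address) flags, and that a missing `-U` line means UDP is on, which was the default before memcached 1.5.6; the sample configs are constructed.

```python
import ipaddress

# Constructed sample configs in the one-option-per-line style of
# Debian's /etc/memcached.conf (sample values, not from the article).
EXPOSED = """\
# memcached default config
-m 64
-p 11211
-l 0.0.0.0
"""
HARDENED = """\
-m 64
-p 11211
-l 127.0.0.1
-U 0
"""

def parse_options(text):
    """Return {flag: value} for each non-comment option line."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("-"):
            continue
        flag, _, value = line.partition(" ")
        opts[flag] = value.strip()
    return opts

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"

def audit(text):
    """List findings tied to the article's two server-side mitigations."""
    opts = parse_options(text)
    findings = []
    # Assumption: no -U line means UDP is on (the default before 1.5.6).
    udp_port = opts.get("-U", "11211")
    if udp_port != "0":
        findings.append(f"UDP enabled on port {udp_port}: add '-U 0' if unused")
    # Assumption: no -l line means memcached listens on all interfaces.
    listen = [a.strip() for a in opts.get("-l", "0.0.0.0").split(",")]
    public = [a for a in listen if not is_loopback(a)]
    if public:
        findings.append(f"listening on {', '.join(public)}: bind to loopback or firewall it")
    return findings
```

Run `audit()` on the text of each server's options file; an empty list means UDP is off and the daemon is bound to loopback only.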
