Lately, Distributed Denial of Service (DDoS) attacks have grown in popularity and effectiveness, undermining internet security. March kicked off with the most powerful DDoS attack in history: 1.35 terabytes of traffic hit GitHub, the collaborative developer platform. However, just a few days later, a new threat thwarted by Arbor Networks smashed that record, with a 1.7Tbps attack. Unlike the DDoS attack that Dyn suffered in 2016, these recent attacks used a method that is increasingly popular with cybercriminals and does not require botnets. Criminals take advantage of vulnerabilities of thousands of improperly configured Memcached servers to launch attacks.

 Record-breaking attacks

Memcached has become cybercriminals’ weapon of choice to carry out DDoS attacks. Memcached is a memory object caching system used to speed up web applications by reducing database load. Over the last couple of weeks, cybercriminals have intensified their efforts to exploit vulnerabilities in the Memcached protocol to try to launch record-breaking amplification attacks. What do these vulnerabilities consist of?

Around 100,000 Memcached servers are exposed without any authentication protection. This means that a cybercriminal can access them and send large volumes of data to try to saturate the servers, maximizing the servers’ response rates. That’s why attackers make use of these unprotected servers to increase attacks against a target. They spoof the IP address of their victims and send several data packets to Memcached servers which are designed to offer a more direct and faster response. The result: the system responds by flooding the victim with internet traffic.  With high amounts of traffic sent per second – it’s estimated around 10 packets per second – the Memcached server amplifies the amount of traffic sent to a target. That’s why if the system lacks a sufficient filter, the huge wave of data sent can be more than enough to cause an outage.

In contrast to other DDoS threats, such as the Dyn attack, carrying out Memcached attacks is relatively simple. This is because it is not necessary to use botnets to generate the amount of traffic necessary to paralyze a system or network.  The ease of carrying out these types of attacks, together with the existence of thousands of vulnerable Memcached servers, has made this threat one of this year’s main attack vectors.

How can I be prepared to deal with these attacks?

Some experts believe that Memcached-based attacks will continue to increase and could even exceed two terabytes per second. Futhermore, many attackers that use this specific type of DDoS attack are already beginning to monetize these types of attacks. Attackers take advantage of these vulnerabilities to extort their victims.

However, the good news is that some measures and tools are being developed to prevent and neutralize these attacks. Different security experts have revealed a technique that victims of DDoS attacks can use to stop attacks while they are happening. It consists in sending commands such as “shutdown \ r \ n”, o “flush_all \ r \ n” to the Memcached servers under attack to deactivate them and avoid amplification. Another effective way of preventing this type of threat consists in disabling the Memcached protocol of any server exposed to the network.

It’s obvious that cybercriminals will take advantage of Memcached server vulnerabilities to launch DDoS attacks in 2018. Therefore, in addition to the already mentioned measures to prevent possible Memcached attacks, it is crucial to have  a detection and mitigation plan. It’s recommended to review in detail router and firewall configurations to stop all invalid IP addresses. It’s also advisable to limit traffic from a host to prevent saturating servers. A plan should also include a periodic study of TCP/UDP connections with the server to identify patterns of attack.

Above all, you should constantly monitor traffic on your company’s network to prevent unauthorized access. Solutions such as Panda Adaptive Defense 360 offer detailed visibility of all endpoint activity, complete control of all running processes and reduce the attack surface.  With this approach, your company will be prepared to deal with any type of DDoS attack head on.