Recent Surge in Memcached-Based DDoS Attacks Targets Major Online Services
A new report indicates a dramatic rise in cyber attacks leveraging Memcached reflections, sparking concern across the cybersecurity community. In just ten days, nearly 15,000 attacks have targeted 7,131 unique online entities, marking one of the largest spikes in DDoS (Distributed Denial-of-Service) activities in recent history. These Memcached-based DDoS attacks have been linked to the two most substantial amplification attacks documented to date.
The cyber threat detection platform Netlab, from Qihoo 360, first identified these Memcached DDoS attacks and subsequently detailed the escalation through its monitoring service, DDoSMon. A blog post published by the organization highlighted specific statistics regarding the affected targets and the sources of these attacks. Notably, prominent websites such as Google, Amazon, PlayStation, and GitHub were among those significantly impacted, with GitHub experiencing a staggering 1.35 Tbps attack.
The geographical distribution of the victims primarily includes countries like the United States, China, South Korea, and several nations in Europe, including Germany and France. This widespread impact underscores the global nature of the threat, affecting diverse industries and sectors.
Analysis from Netlab reveals that prior to February 24th, the date these attacks were first observed, the average daily incident count was fewer than 50. Between February 24th and 28th, while the Memcached amplification technique was still under the radar for most, that number surged to an average of 372 daily attacks. Following the first public disclosures on February 27th, the rate escalated further, exceeding 13,000 total incidents from March 1st to 8th, an average of 1,628 per day.
The researchers at Netlab originally identified the Memcached vulnerability in June 2017 and presented their findings at a conference in November of that same year. Despite this early warning, they noted an alarming revival of Memcached DDoS incidents more recently. During these upticks, the maximum count of active vulnerable Memcached servers reached about 20,612, contributing to the Distributed Reflection Denial of Service (DRDoS) onslaughts.
With exploit code now publicly available, cybersecurity experts anticipate that, without immediate countermeasures, the number of Memcached-based DDoS attacks could escalate into the hundreds of thousands in the days ahead. Researchers have also outlined mitigation tactics, including a so-called ‘kill-switch’ technique designed to help victims defend against such attacks more effectively.
Despite warnings from the cybersecurity community, over 12,000 Memcached servers with UDP capabilities remain exposed on the Internet, continuing to pose threats for amplification attacks. It is strongly recommended that server administrators upgrade to the latest version of Memcached, which disables UDP by default, thereby helping to protect against these forms of DDoS attacks.
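The two defender-side checks implied by the paragraph above, written as an added example rather than code from the article, Netlab, or the Memcached project: an audit of a memcached configuration or command line for a still-enabled UDP listener (memcached's `-U <port>` / `--udp-port=<port>` option, where `-U 0` turns UDP off; older releases enable UDP by default when no `-U` is given, newer ones do not), and a scan of flow records for outbound UDP traffic from port 11211 whose byte volume dwarfs the inbound request, which is what a server being used as a reflector looks like from the owner's side. The config text, flow-log format, IP addresses and the amplification threshold are all constructed for this example.

```python
"""Defender-side checks for Memcached UDP exposure (added example, constructed data)."""
import re
import shlex
from collections import defaultdict
from typing import Dict, List, Tuple

MEMCACHED_PORT = 11211
# Constructed threshold: an outbound/inbound byte ratio this high towards a
# single remote host is far outside normal cache traffic.
AMPLIFICATION_THRESHOLD = 50.0


def udp_listener_enabled(config_text: str, legacy_default: bool = True) -> bool:
    """Return True if this config / command line leaves the UDP listener on.

    Accepts a Debian-style memcached.conf (one option per line, '#' comments)
    or a raw command line such as 'memcached -m 64 -U 0'. When no UDP option is
    present the result is `legacy_default`: True models releases that enabled
    UDP by default, False models releases that ship with UDP disabled.
    """
    tokens: List[str] = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            tokens.extend(shlex.split(line))

    udp_port = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-U" and i + 1 < len(tokens):        # '-U 0' / '-U 11211'
            udp_port = int(tokens[i + 1])
            i += 2
            continue
        if tok.startswith("-U") and tok[2:].isdigit():  # '-U0' joined form
            udp_port = int(tok[2:])
        elif tok.startswith("--udp-port="):             # long option form
            udp_port = int(tok.split("=", 1)[1])
        i += 1

    if udp_port is None:
        return legacy_default
    return udp_port != 0


# Constructed flow-log line format: "<proto> <src>:<sport> -> <dst>:<dport> bytes=<n>"
FLOW_RE = re.compile(
    r"(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)"
)


def find_reflection_candidates(
    flow_text: str, server_ip: str, threshold: float = AMPLIFICATION_THRESHOLD
) -> List[Tuple[str, float]]:
    """Pair UDP requests to 11211 with the server's UDP replies, per remote IP,
    and return (remote_ip, bytes_out / bytes_in) for ratios at or above threshold.
    A remote that receives replies without any logged request counts as ratio
    bytes_out / 1, since reflection victims never asked for the traffic."""
    bytes_in: Dict[str, int] = defaultdict(int)
    bytes_out: Dict[str, int] = defaultdict(int)
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m or m["proto"].lower() != "udp":
            continue
        if m["dst"] == server_ip and int(m["dport"]) == MEMCACHED_PORT:
            bytes_in[m["src"]] += int(m["bytes"])
        elif m["src"] == server_ip and int(m["sport"]) == MEMCACHED_PORT:
            bytes_out[m["dst"]] += int(m["bytes"])

    flagged = []
    for remote, out in bytes_out.items():
        ratio = out / max(bytes_in.get(remote, 0), 1)
        if ratio >= threshold:
            flagged.append((remote, ratio))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


# Constructed sample inputs.
SAMPLE_HARDENED_CONF = """\
# constructed Debian-style /etc/memcached.conf
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-U 0
"""
SAMPLE_FLOWS = """\
udp 198.51.100.7:53811 -> 192.0.2.10:11211 bytes=60
udp 192.0.2.10:11211 -> 198.51.100.7:53811 bytes=120000
udp 192.0.2.55:40010 -> 192.0.2.10:11211 bytes=500
udp 192.0.2.10:11211 -> 192.0.2.55:40010 bytes=4000
tcp 192.0.2.55:40011 -> 192.0.2.10:11211 bytes=900
"""

if __name__ == "__main__":
    print("UDP enabled (hardened conf):", udp_listener_enabled(SAMPLE_HARDENED_CONF))
    print("UDP enabled (bare 'memcached -m 64', legacy default):",
          udp_listener_enabled("memcached -m 64"))
    print("Reflection candidates:", find_reflection_candidates(SAMPLE_FLOWS, "192.0.2.10"))
```

Run against the constructed data, the hardened config reports UDP off, a bare `memcached -m 64` line reports UDP on under the legacy default, and the flow scan flags only 198.51.100.7 (a 60-byte request answered with 120,000 bytes, ratio 2000) while the legitimate client at ratio 8 is left alone. In practice the same two checks would be fed the real `memcached.conf` or process command line and the site's own NetFlow or firewall export.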
From a cybersecurity perspective, the tactics displayed in this recent wave of attacks align with adversarial techniques catalogued in the MITRE ATT&CK framework, such as initial access through the exploitation of publicly accessible services and the use of reflection and amplification to escalate the impact of an attack. Business owners overseeing online services must remain vigilant and proactive in implementing defenses to curb the risks associated with such vulnerabilities and attacks.