Recently, two proof-of-concept (PoC) exploits for Memcached amplification attacks have appeared online, enabling even people with minimal technical expertise to carry out large DDoS attacks through UDP reflection. The first tool, written in C, ships with a pre-compiled list of nearly 17,000 potentially vulnerable Memcached servers that are publicly reachable on the Internet.

Meanwhile, the second tool is implemented in Python and leverages the Shodan search engine API to dynamically identify vulnerable Memcached servers. It also sends spoofed source UDP packets to these servers, making it easier for malicious actors to orchestrate attacks.

Recent events highlight the seriousness of this issue: last week saw record-breaking DDoS attacks using the amplification technique. The most notable incident was a 1.35 Tbps attack on GitHub, followed by a 1.7 Tbps attack on an unnamed company based in the United States. Both illustrate how the amplification/reflection strategy can be exploited through unsecured Memcached servers.

To clarify, Memcached amplification attacks can magnify DDoS bandwidth by up to 51,000 times. This is achieved by exploiting the many misconfigured Memcached servers left exposed online. Memcached, a widely used open-source distributed memory caching system, can be abused when an attacker sends a forged request to a vulnerable server on its standard port (11211) with the source IP address spoofed to that of the intended target. The small request triggers a very large response that is delivered to the victim, effectively generating a powerful DDoS attack.
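The signature of the reflection described above, seen from the network that hosts the Memcached server, is small inbound UDP datagrams to port 11211 from an outside address followed by much larger replies back to that same address. The following is an added example, not code from the original article or from any of the tools it mentions: it runs that check over constructed flow records (the flow format, the addresses and the byte counts are all made up for illustration) and reports (reflector, victim) pairs whose reply-to-request byte ratio is suspiciously high.

```python
"""Spot Memcached UDP reflection in flow records (defender-side detection).

Added example; the flow-record format and all sample values are constructed.
"""
import ipaddress
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed sample flows, one per line:
# src_ip,src_port,dst_ip,dst_port,proto,bytes
# 192.0.2.10 is a memcached host on "our" network; 198.51.100.7 plays the
# (spoofed) victim address whose tiny requests draw very large UDP replies.
SAMPLE_FLOWS = """\
198.51.100.7,40000,192.0.2.10,11211,udp,60
192.0.2.10,11211,198.51.100.7,40000,udp,65000
198.51.100.7,40001,192.0.2.10,11211,udp,60
192.0.2.10,11211,198.51.100.7,40001,udp,65000
10.0.0.5,51000,192.0.2.10,11211,tcp,120
192.0.2.10,11211,10.0.0.5,51000,tcp,900
"""

# Constructed definition of "our" address space for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.0.2.0/24")]


def parse_flows(text):
    """Parse the constructed CSV flow format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto.lower(),
                      "bytes": int(nbytes)})
    return flows


def is_internal(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def find_reflection(flows, nets, min_ratio=10.0):
    """Return {(reflector, victim): stats} for UDP/11211 traffic crossing the
    network edge whose reply bytes exceed request bytes by min_ratio or more.
    A pair with replies but no observed requests is still reported, since the
    forged request may have entered through a path the sensor does not see."""
    stats = defaultdict(lambda: {"request_bytes": 0, "reply_bytes": 0})
    for f in flows:
        if f["proto"] != "udp":
            continue
        # inbound request to our memcached from an outside address
        if (f["dport"] == MEMCACHED_PORT and is_internal(f["dst"], nets)
                and not is_internal(f["src"], nets)):
            stats[(f["dst"], f["src"])]["request_bytes"] += f["bytes"]
        # outbound reply from our memcached to an outside address
        elif (f["sport"] == MEMCACHED_PORT and is_internal(f["src"], nets)
                and not is_internal(f["dst"], nets)):
            stats[(f["src"], f["dst"])]["reply_bytes"] += f["bytes"]
    hits = {}
    for key, s in stats.items():
        ratio = s["reply_bytes"] / max(s["request_bytes"], 1)
        if s["reply_bytes"] > 0 and ratio >= min_ratio:
            hits[key] = dict(s, ratio=ratio)
    return hits


if __name__ == "__main__":
    for (reflector, victim), s in find_reflection(parse_flows(SAMPLE_FLOWS),
                                                  INTERNAL_NETS).items():
        print(f"{reflector} -> {victim}: {s['reply_bytes']} B out for "
              f"{s['request_bytes']} B in (x{s['ratio']:.0f})")
```

On the constructed sample the TCP flows from the internal client are ignored and the single UDP pair is reported with roughly a 1,083x byte ratio; in practice the same logic would be fed from NetFlow/IPFIX or firewall logs, and any hit means the server is answering UDP from outside and needs the mitigation discussed later in the article.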

For those who want a fuller understanding of how these amplification attacks work, additional resources offer detailed explanations. Since Memcached was identified as a viable vector for amplification and reflection attacks, certain hacking groups have begun exploiting unsecured servers.

The situation could escalate further now that exploit code is public and virtually anyone can launch substantial DDoS attacks. The risk will remain until all vulnerable Memcached servers are patched, restricted by firewalls, or taken offline entirely. Cybercriminal groups are already using this new DDoS technique to threaten major websites for financial extortion.

Following the high-profile DDoS attack on GitHub, the cybersecurity firm Akamai reported that its clients received extortion notices embedded in the attack payloads themselves, demanding payments of 50 XMR (Monero coins), worth over $15,000.

The techniques involved are not novel; attackers have previously used reflection and amplification through other protocols, including DNS and NTP, to increase the volume of their attacks.

To keep Memcached servers from being used as reflection points, administrators are strongly advised to bind the service to local interfaces only and to disable UDP support entirely if it is not needed.
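Both of those settings are plain memcached start-up options: `-l`/`--listen` selects the bind address and `-U`/`--udp-port` selects the UDP port, with `-U 0` disabling UDP (memcached 1.5.6 and later disable UDP by default; older builds enable it on 11211 unless told otherwise). The audit below is an added example, not part of the article or of memcached itself: it parses a Debian-style option file (the two sample configurations are constructed) and flags a listener on all interfaces, a non-loopback bind address, and UDP left enabled, so the weak and hardened settings can be compared side by side.

```python
"""Audit memcached start-up options for reflection exposure.

Added example; the configuration samples are constructed. It reads option
lines in the style of /etc/memcached.conf (one option per line, '#' comments).
"""
import ipaddress
import shlex

# Constructed: the exposed default many hosts ran before the attacks.
WEAK_CONFIG = """\
-m 64
-p 11211
-u memcache
-l 0.0.0.0        # listens on every interface
"""

# Constructed: loopback only, UDP switched off.
HARDENED_CONFIG = """\
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-U 0
"""


def parse_options(config_text):
    """Map option names to values: '-l 127.0.0.1' -> {'l': '127.0.0.1'},
    '--listen=::1' -> {'listen': '::1'}; bare flags such as -d map to ''."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        i = 0
        while i < len(parts):
            tok = parts[i]
            if tok.startswith("--") and "=" in tok:
                name, value = tok[2:].split("=", 1)
                opts[name] = value
                i += 1
            elif tok.startswith("-"):
                has_value = i + 1 < len(parts) and not parts[i + 1].startswith("-")
                opts[tok.lstrip("-")] = parts[i + 1] if has_value else ""
                i += 2 if has_value else 1
            else:
                i += 1
    return opts


def listen_addresses(opts):
    """Return the list of -l/--listen addresses, or None when unset
    (memcached then binds every interface)."""
    raw = opts.get("listen", opts.get("l"))
    if raw is None:
        return None
    addrs = []
    for item in raw.split(","):
        item = item.strip()
        # drop an optional ':port' suffix on IPv4 entries (127.0.0.1:11211)
        if item.count(":") == 1:
            item = item.split(":", 1)[0]
        addrs.append(item)
    return addrs


def audit_memcached(config_text, udp_default_enabled=True):
    """Return a list of findings; an empty list means the two mitigations
    from the article (local bind, UDP off) are both in place. Pass
    udp_default_enabled=False for memcached 1.5.6+ where UDP is off unless
    -U is given."""
    opts = parse_options(config_text)
    findings = []
    addrs = listen_addresses(opts)
    if addrs is None:
        findings.append("no -l/--listen: memcached binds all interfaces")
    else:
        for a in addrs:
            try:
                ip = ipaddress.ip_address(a)
            except ValueError:
                findings.append(f"listen address {a!r} is not an IP literal; "
                                "verify it resolves to a local-only interface")
                continue
            if ip.is_unspecified:
                findings.append(f"listen address {a} means all interfaces")
            elif not ip.is_loopback:
                findings.append(f"listen address {a} is not loopback; "
                                "reachable from the network unless firewalled")
    udp = opts.get("udp-port", opts.get("U"))
    if udp is None:
        if udp_default_enabled:
            findings.append("UDP port not set and this build enables UDP on "
                            "11211 by default; add -U 0")
    elif udp.strip() != "0":
        findings.append(f"UDP enabled on port {udp}; set -U 0 unless required")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_memcached(cfg) or ["ok"])
```

The weak sample yields two findings (all-interface bind and UDP on by default) and the hardened one yields none. Passing `udp_default_enabled=False` models a 1.5.6+ build, where the same weak file is left with only the bind-address finding; an explicit `-U 0` is still the safer habit because it does not depend on which version is installed.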

As businesses navigate these evolving threats, vigilance is critical in securing network infrastructure against exploitation. By understanding the tactics listed in the MITRE ATT&CK framework, businesses can better protect themselves from becoming the next target of a damaging attack.
