Delaware, USA – March 1, 2018 – Researchers from Cloudflare reported that in recent massive DDoS attacks adversaries began to abuse memcached protocol. The abuse of widespread memcached servers allows them to amplify initial attack in more than 50,000 times. By sending 15 bytes of request to the vulnerable server to UDP port 11211, the attackers initiate sending a packet up to 750KB to the attacked server. Despite the fact that in recent attacks not so many IPs were involved, spikes of attacks reached 260Gbps of inbound traffic. So far, less than 6,000 memcached servers were involved in recorded attacks, but according to Shodan there are about 88,000 vulnerable servers, and in the near future we can face much more strong attacks. Most of the vulnerable servers are located in the US and China.
If your organization uses memcached servers, make sure that they are protected by a firewall and can not be accessed through UDP. To detect the beginning of a DDoS attack, you can use Netflow Security Monitor use case, which allows your SIEM to monitor data flows and notify the administrator of any deviations detected. This use case generates historical trends for SSH, DNS, RDP and enables quick decisions on traffic spikes.