A new wave of record-breaking distributed denial-of-service (DDoS) attacks has struck enterprises, changing the DDoS threat landscape yet again.
Last month, researchers discovered that attackers are abusing a previously obscure method that delivers attacks at over 50,000 times their original size, the biggest amplification factor ever used. The vector is memcached, a database caching system used by web applications that speeds them up by keeping the most frequently retrieved data in memory rather than reading it from disk. This type of attack struck the software development platform GitHub and numerous other websites and services, launching DDoS attacks on a scale the industry had never seen before.
Threat actors have discovered a flaw in the implementation of the UDP protocol for Memcached servers that allows anyone to launch massive DDoS attacks with little effort. With thousands of misconfigured Memcached servers exposed on the Internet, the risk of DDoS attacks increases. Jason Garbis, VP at Cyxtera, commented below.
Jason Garbis, VP at Cyxtera:
“However, we expect to see some incredibly large DDoS attacks get executed because of unprotected memcached servers in the coming weeks. Owners of these servers need to take action to reduce the risk of being hijacked. Software-Defined Perimeter can ensure that only authorized users will be able to send UDP packets and this will prevent attackers from being able to harness these servers in a DDoS attack, and leverage them to amplify those attacks. Organizations should move quickly to address the threat and avoid being part of this wave.”
To avoid being abused via Memcached servers, organizations need to do three things:
- Take inventory of all Internet-facing servers, and ensure that memcached is not inadvertently enabled on them.
- For any Internet-facing servers that require memcached, consider using a Software-Defined Perimeter to ensure that only authorized users are able to send UDP packets. This prevents attackers from harnessing these servers in a DDoS attack and leveraging them to amplify those attacks.
- Also look at internal servers that are running memcached – an internal denial-of-service attack could also be launched from locally running malware.
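As an added audit aid for the inventory step (example code, not from the article or from Cyxtera), the following Python reads a memcached command line or a Debian-style memcached.conf and reports whether the instance could answer UDP requests from outside the host. It assumes the standard `-U` (UDP port, 0 disables), `-l` (listen address) and `-p` (TCP port) flags, and by default models memcached before 1.5.6, where UDP on port 11211 was enabled unless `-U 0` was given.

```python
import shlex

# Addresses that keep memcached unreachable from the network.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def _tokens(text):
    """Flatten a command line or a one-flag-per-line memcached.conf into tokens."""
    toks = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line:
            toks.extend(shlex.split(line))
    return toks

def parse_options(text):
    """Return the UDP port, TCP port and listen addresses passed to memcached."""
    opts = {"udp_port": None, "tcp_port": 11211, "listen": []}
    toks = _tokens(text)
    i = 0
    while i < len(toks):
        flag, val = toks[i][:2], toks[i][2:]    # handles both "-U0" and "-U 0"
        if flag in ("-U", "-p", "-l"):
            if not val:
                i += 1
                val = toks[i]
            if flag == "-U":
                opts["udp_port"] = int(val)
            elif flag == "-p":
                opts["tcp_port"] = int(val)
            else:                               # -l accepts a comma-separated list
                opts["listen"] += [a.strip() for a in val.split(",")]
        i += 1
    return opts

def assess(text, udp_default_enabled=True):
    """Flag an instance that could serve as a UDP reflector.

    udp_default_enabled=True models memcached before 1.5.6 (UDP on unless
    -U 0 is given); pass False for 1.5.6 and later, where UDP is off by default.
    """
    o = parse_options(text)
    udp_on = udp_default_enabled if o["udp_port"] is None else o["udp_port"] != 0
    loopback_only = bool(o["listen"]) and all(a in LOOPBACK for a in o["listen"])
    risk = udp_on and not loopback_only
    fix = "set '-U 0' (or bind with -l 127.0.0.1) and block UDP/11211 at the edge"
    return {"udp_enabled": udp_on, "loopback_only": loopback_only,
            "reflector_risk": risk, "fix": fix if risk else None}
```

Run `assess(open("/etc/memcached.conf").read())` on each host from the inventory; a result with `reflector_risk` true is a server that needs `-U 0` or a loopback bind before it can be excluded from the exposure list.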