This information was sent to U-M IT staff groups via email on February 28, 2018. It is intended for U-M IT staff who are responsible for university servers that utilize memcached.
The memcached service should not be exposed to the internet or to any untrusted users. Misconfigured servers that externally expose the memcached service are vulnerable to exploitation to perform amplified Distributed Denial of Service (DDoS) attacks. Misconfigured servers may also expose sensitive or critical data to attackers.
Multiple security vendors this week are warning about threat actors exploiting unprotected memcached servers to launch dangerously large DDoS attacks against target organizations. Although exposure of the memcached service has been known to be a security risk for some time, widespread exploitation of it for DDoS attacks, using techniques that amplify the attack traffic to a very large degree, was not previously known to be common.
Affected systems are servers with the memcached service exposed to the internet. Memcached is open source software that is often used to improve web application performance.
Information Assurance asks that U-M units and IT staff follow this standard advice:
- Report suspected serious incidents as required by Information Security Incident Reporting (SPG 601.25) (which would include "active threats" such as active DDoS attacks).
- Only expose services to the internet when necessary (minimize attack surface), especially when those services are likely to be abused and could lead to serious incidents.
IA is tracking this threat and will take action as appropriate. In addition, the university utilizes Merit's DDoS protection service, which provides both protection from—and notification of—DDoS attacks.
Memcached, when exposed to the internet, poses a threat to other networks and systems. An attacker can bounce an attack off of the exposed service to perform an amplified DDoS attack against the recipient of the reflected traffic. In some cases, this is not a significant threat to the system running the exposed memcached service and only results in significant negative impact for the recipient of the reflected traffic. However, in the default configuration for memcached that does not require authentication, an attacker could also gain access to any sensitive data stored in memcached and/or manipulate critical data within memcached.
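The following script is an added example for this advisory, not U-M or memcached project code. It audits how a memcached instance was started, either from its command line or from a Debian-style /etc/memcached.conf (one option per line), and reports whether the service is reachable from the network and whether UDP is on. It relies on the real memcached flags -l (listen address), -U (UDP port; 0 disables UDP) and -s (unix socket); the function names, the udp_default_enabled parameter and the sample configurations are assumptions constructed for the example.

```python
"""Audit a memcached start-up configuration for network exposure.

Added example for this advisory (not U-M or memcached project code).
Understands the memcached flags -l, -U and -s in either a command line
or the Debian-style /etc/memcached.conf one-option-per-line layout.
"""
import shlex
from ipaddress import ip_address

LOOPBACK_OK = {"127.0.0.1", "::1", "localhost"}


def parse_memcached_options(text):
    """Return {flag: value} for a memcached command line or config file."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            tokens.extend(shlex.split(line))
    if tokens and tokens[0].endswith("memcached"):
        tokens = tokens[1:]  # skip the program name of a command line
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and len(tok) == 2 and i + 1 < len(tokens) \
                and not tokens[i + 1].startswith("-"):
            opts[tok] = tokens[i + 1]          # "-l 127.0.0.1" form
            i += 2
        elif tok.startswith("-") and len(tok) > 2 and not tok.startswith("--"):
            opts[tok[:2]] = tok[2:]            # "-l127.0.0.1" form
            i += 1
        else:
            opts[tok] = True                   # flag without a value, e.g. -v
            i += 1
    return opts


def _strip_port(addr):
    """-l accepts addr, addr:port and [v6addr]:port; keep only the address."""
    addr = addr.strip()
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:
        return addr.split(":")[0]
    return addr


def _is_local(addr):
    if addr in LOOPBACK_OK:
        return True
    try:
        return ip_address(addr).is_loopback
    except ValueError:           # a hostname: treat as not loopback
        return False


def audit_memcached(text, udp_default_enabled=True):
    """Return (risk, findings); risk is 'ok', 'review' or 'exposed'.

    udp_default_enabled models the build default used when -U is absent:
    memcached enabled UDP by default before 1.5.6 and disabled it from
    1.5.6 on, so pass False for a 1.5.6-or-newer binary.
    """
    opts = parse_memcached_options(text)
    findings = []
    if "-s" in opts:
        return "ok", ["listens on unix socket %s only; no network exposure" % opts["-s"]]
    raw = opts.get("-l")
    if raw is None:
        addrs = ["0.0.0.0"]
        findings.append("no -l given: memcached binds every interface")
    else:
        addrs = [_strip_port(a) for a in raw.split(",")]
    network = [a for a in addrs if not _is_local(a)]
    udp = opts.get("-U")
    if udp is None:
        udp_on = udp_default_enabled
        findings.append("no -U given: UDP follows the build default")
    else:
        udp_on = udp != "0"
    if network:
        findings.append("listens on network address(es): " + ", ".join(network))
        risk = "exposed" if udp_on else "review"   # review: firewall and auth still matter
    else:
        findings.append("listens on loopback only: " + ", ".join(addrs))
        risk = "ok"
    if udp_on and network:
        findings.append("UDP enabled on a network address: usable as a DDoS reflector; add -U 0")
    elif udp_on:
        findings.append("UDP enabled but loopback-only; -U 0 is still recommended")
    else:
        findings.append("UDP disabled (-U 0)")
    return risk, findings


# Constructed /etc/memcached.conf excerpts (Debian layout), not real hosts.
SAMPLE_DEFAULT = """
-m 64
-p 11211
-u memcache
"""
SAMPLE_HARDENED = """
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-U 0
"""

if __name__ == "__main__":
    for name, cfg in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        risk, notes = audit_memcached(cfg)
        print(name, risk, *notes, sep="\n  ")
```

Run it against the output of `ps -o args= -C memcached` or the contents of the service's config file. A result of "review" means the daemon is not a UDP reflector but is still reachable over TCP without authentication, so host or network firewalling is still required.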
This amplification attack uses the memcached protocol on User Datagram Protocol (UDP) port 11211. Certain commands to UDP protocols elicit responses that are much larger than the initial request. In some cases, a single packet can generate many times the original bandwidth. When combined with a reflective DoS attack using multiple amplifiers and targeting a single victim, the attacks can be conducted with relative ease. The best-known vectors for these DDoS amplification attacks are poorly secured domain name system resolution servers and NTP servers that support the “monlist” command, which can amplify attack traffic as much as 50 or 60 times. Recent estimates indicate that the memcached service may provide amplification factors that allow an attacker to multiply the initial attack traffic by 9,000 times or more and perform large DDoS attacks using a relatively small number of vulnerable memcached services.
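The amplification and reflection pattern described above leaves a recognizable trace in flow records on both ends: a reflector sends far more bytes out of UDP/11211 to a peer than it received from that peer, and a victim receives UDP traffic sourced from port 11211 at many different remote hosts at once. The script below is an added example for this advisory, not U-M, Merit or vendor code; it reads a simplified, constructed flow format (src_ip,src_port,dst_ip,dst_port,proto,packets,bytes), computes the per-peer amplification ratio and flags either condition. The field layout, function names, thresholds and the RFC 5737 sample addresses are all assumptions made for the example.

```python
"""Spot memcached (UDP/11211) reflection in flow records.

Added example for this advisory, not U-M or vendor code. Reports
  * local hosts acting as reflectors: UDP/11211 replies to a peer that are
    far larger than the requests received from that peer, and
  * local hosts on the receiving end: UDP from source port 11211 at many
    distinct remote hosts.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MEMCACHED_PORT = 11211


def parse_flows(text):
    """Parse 'src_ip,src_port,dst_ip,dst_port,proto,packets,bytes' lines."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        s_ip, s_port, d_ip, d_port, proto, pkts, nbytes = [f.strip() for f in line.split(",")]
        flows.append({"src": s_ip, "sport": int(s_port), "dst": d_ip, "dport": int(d_port),
                      "proto": proto.lower(), "packets": int(pkts), "bytes": int(nbytes)})
    return flows


def analyze_flows(flows, local_nets, min_ratio=10.0, min_sources=3):
    """Return {'reflectors': {(local, peer): stats}, 'victims': {local: stats}}."""
    nets = [ip_network(n) for n in local_nets]

    def is_local(ip):
        return any(ip_address(ip) in n for n in nets)

    req_in = defaultdict(int)        # (local memcached host, remote peer) -> bytes in
    rep_out = defaultdict(int)       # (local memcached host, remote peer) -> bytes out
    victim_src = defaultdict(set)    # local host -> remote hosts sending from 11211
    victim_bytes = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue                 # the amplification vector is UDP only
        if f["dport"] == MEMCACHED_PORT and is_local(f["dst"]) and not is_local(f["src"]):
            req_in[(f["dst"], f["src"])] += f["bytes"]      # request reaching our memcached
        elif f["sport"] == MEMCACHED_PORT and is_local(f["src"]) and not is_local(f["dst"]):
            rep_out[(f["src"], f["dst"])] += f["bytes"]     # reply leaving our memcached
        elif f["sport"] == MEMCACHED_PORT and is_local(f["dst"]) and not is_local(f["src"]):
            victim_src[f["dst"]].add(f["src"])              # reflected traffic hitting us
            victim_bytes[f["dst"]] += f["bytes"]
    reflectors = {}
    for key, out_b in rep_out.items():
        in_b = req_in.get(key, 0)
        ratio = out_b / in_b if in_b else float("inf")
        if ratio >= min_ratio:
            reflectors[key] = {"bytes_in": in_b, "bytes_out": out_b,
                               "amplification": round(ratio, 1)}
    victims = {host: {"sources": len(srcs), "bytes": victim_bytes[host]}
               for host, srcs in victim_src.items() if len(srcs) >= min_sources}
    return {"reflectors": reflectors, "victims": victims}


# Constructed sample: 192.0.2.0/24 plays the local network (RFC 5737 ranges).
SAMPLE_FLOWS = """
# src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
# small requests arrive at our memcached host 192.0.2.10, addressed from 203.0.113.7 ...
203.0.113.7,41000,192.0.2.10,11211,udp,5,300
# ... and 192.0.2.10 answers that (possibly spoofed) address with large replies
192.0.2.10,11211,203.0.113.7,41000,udp,400,560000
# an ordinary application client on the local net uses memcached over TCP
192.0.2.20,52000,192.0.2.10,11211,tcp,100,12000
# 192.0.2.30 receives port-11211 UDP from many remote memcached servers at once
198.51.100.1,11211,192.0.2.30,53000,udp,900,1300000
198.51.100.2,11211,192.0.2.30,53000,udp,800,1200000
198.51.100.3,11211,192.0.2.30,53000,udp,700,1000000
198.51.100.4,11211,192.0.2.30,53000,udp,600,900000
"""

if __name__ == "__main__":
    report = analyze_flows(parse_flows(SAMPLE_FLOWS), ["192.0.2.0/24"])
    for key, stats in report["reflectors"].items():
        print("reflector %s -> %s: %sx amplification" % (key[0], key[1], stats["amplification"]))
    for host, stats in report["victims"].items():
        print("victim %s: %d sources, %d bytes" % (host, stats["sources"], stats["bytes"]))
```

A reflector finding is the case to act on immediately: the memcached host is answering internet traffic over UDP and should be firewalled and restarted with -U 0. A victim finding is the case to report under SPG 601.25 as an active DDoS, so that upstream DDoS protection can be engaged.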
- Surge in memcached-based reflected DDoS attacks is due to misconfigured servers (HelpNetSecurity, 2/28/18)
- Memcached Servers Being Exploited in Huge DDoS Attacks (Dark Reading, 2/27/18)
- In-the-wild DDoSes use new way to achieve unthinkable sizes (Ars Technica, 2/27/18)
- Alert (TA14-017A): UDP-Based Amplification Attacks (US-CERT, last revised 2/28/18)
- Memcrashed - Major amplification attacks from UDP port 11211 (Cloudflare, 2/27/18)
- Why We Don't Deserve the Internet: Memcached Reflected DDoS Attacks (SANS ISC InfoSec Forums, 2/27/18)
- How did this Memcache thing happen? (SANS ISC InfoSec Forums, 2/28/18)
- Advisory: Preventing NTP Amplification Attacks (Safe Computing, 1/29/14)
- Memcached Security (Dustin Sallings, 8/8/10)