Tuesday, March 5, 2024

Hackers Abused Memcached Servers for high-bandwidth Amplification DDoS Attacks

Attackers abused vulnerable Memcached Servers to launch high-bandwidth DDoS attacks and there is a huge increase observed in this attack vector.

Memcached is a memory caching system used to speed up a dynamic database of the websites by caching the data in RAM which can increase the loading time by reducing the number of times an external data source must be read.

It is a middleware so it lacks access controls and it should not be exposed to the public Internet, according to Shodan reports there are around 88,000 open Memcached servers found.

If the UDP port(11211) is opened then attackers can exploit by sending thousands of forged requests to a vulnerable UDP server and servers process the request without knowing it is forged one, which results in overwhelming of its resources.

Cloudflare says a carefully carfted technique allows an attacker with limited IP spoofing capacity (such as 1Gbps) to launch very large attacks (reaching 100s Gbps) “amplifying” the attacker’s bandwidth.

Also Read DDoS attack prevention method on your enterprise’s systems – A Detailed Report

According to DDoS Threat Landscape, the Memcached graph is almost flat and the spike is only just for a couple of the days.

Memcached Servers

Cloudflare says at peak it generated 260Gbps of inbound UDP traffic and the majority of the packets size is 1400 bytes. Doing the math 23Mpps x 1400 bytes gives 257Gbps of bandwidth.

Launching the attack is quite simple, all attacker need is to embed a large payload on an exposed Memcached server and then the attacker spoofs the “get” request message with target Source IP.

The Vulnerable Memcached servers present all over the globe and according to Shodan search reports, there are 88,000 open Memcached servers.

Memcached Servers

Security researchers recommended disabling the UDP support if it is not in use and to place the Memcached servers behind the Firewall. Also, it is recommended to specify Memcached servers to listen only on localhost.

Reports on Memcache DDoS Attacks published by Cloudflare and arbornetworks.


Latest articles

GTPDOOR – Previously Unknown Linux Malware Attack Telecom Networks

Researchers have discovered a new backdoor named GTPDOOR that targets telecommunication network systems within...

US Court Orders NSO Group to Handover Code for Spyware, Pegasus to WhatsApp

Meta, the company that owns WhatsApp, filed a lawsuit against NSO Group in 2019....

New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Threat actors employ phishing scams to trick individuals into giving away important details like...

U.S. Charged Iranian Hacker, Rewards up to $10 Million

The United States Department of Justice (DoJ) has charged an Iranian national, Alireza Shafie...

Huge Surge in Ransomware-as-a-Service Attacks targeting Middle East & Africa

The Middle East and Africa (MEA) region has witnessed a surge in ransomware-as-a-service (RaaS)...

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles