A memcached DDoS attack is a dangerous type of DDoS attack that overloads the victim's internet connection. The attacker directs heavy traffic at the target by exploiting requests made to a vulnerable memcached server over UDP. The resulting congestion on the target system's internet connection causes a denial of service.
When the target system's internet infrastructure is overloaded, it becomes unable to function and cannot respond to legitimate traffic. At this point the attacker has achieved their goal through the denial of service attack.
Memcached is actually a caching system used to speed up websites and network traffic and to relieve server load.
Memcached DDoS attacks rely on the same amplification technique as NTP amplification and DNS amplification attacks, and they operate in a similar way to those DDoS types.
The attack is initiated by sending spoofed requests to a vulnerable memcached server. The aim is to amplify the traffic volume by eliciting a response that is much larger than the original request.
Memcached servers can operate over UDP. They respond quickly, and no authentication takes place. UDP is a connectionless protocol in which both sides communicate without a three-way handshake. Because the response is many times larger than the request, when a spoofed source IP is used in the packet header, the server sends its response to the targeted system. This is the point at which the amplification technique is applied.
The amplification or multiplication power of this type of attack can be astonishingly large. According to Cloudflare’s reports, an amplification factor of up to 51,000 times is achievable.
This means that a 15-byte data packet could elicit a 750 KB response. The attacker gains enormous power at this point: by using multiple vulnerable memcached servers, massive volumes of data packets can be directed at the target servers. Naturally, this also makes vulnerable memcached servers a target in DDoS attacks.
Several mitigation techniques are used against memcached servers that can send enormous amounts of data.
First and foremost, disabling UDP is one of the most important steps. UDP support that is enabled by default can leave your server vulnerable to this type of attack.
Another mitigation measure is a firewall. You can also mitigate these attacks by preventing IP spoofing, which is the first-choice method for blocking DDoS traffic coming from outside the network. Many ISPs block spoofed IP addresses. In other words, ISPs, organisations, and large companies try to prevent traffic leaving their networks from appearing to come from somewhere else.
Another way to eliminate amplification attacks is to remove the amplification factor for any incoming request. If the response to an incoming data packet is smaller than or equal to the request, the amplification factor is eliminated.
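The UDP mitigation above can be checked mechanically. The following is an added example, not code from the original article: it audits a Debian-style memcached.conf for an enabled UDP listener and, going one step beyond the text, for a non-loopback listen address. The sample configs and function names are constructed for illustration; `-U`/`--udp-port` and `-l`/`--listen` are memcached's own options.

```python
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample configs (Debian-style /etc/memcached.conf, one option per line).
WEAK_CONF = "# constructed sample\n-d\n-m 64\n-p 11211\n-u memcache\n-l 0.0.0.0\n"
HARDENED_CONF = "-d\n-m 64\n-p 11211\n-u memcache\n-U 0\n-l 127.0.0.1\n"

def parse_options(conf_text):
    """Map each option to its value ('' for bare flags such as -d)."""
    opts = {}
    for line in conf_text.splitlines():
        tokens = shlex.split(line, comments=True)  # drops '#' comments
        i = 0
        while i < len(tokens):
            key, val = tokens[i], ""
            if key.startswith("--") and "=" in key:        # --udp-port=0
                key, val = key.split("=", 1)
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                val = tokens[i + 1]                        # -U 0
                i += 1
            opts[key] = val
            i += 1
    return opts

def audit(conf_text):
    """Return findings for UDP exposure and for the listen address."""
    opts = parse_options(conf_text)
    findings = []
    # -U is the UDP port (0 disables it); lower-case -u is the run-as user.
    udp = opts.get("-U", opts.get("--udp-port"))
    if udp is None:
        # An explicit '-U 0' does not depend on the build's default.
        findings.append("UDP not explicitly disabled: add '-U 0'")
    elif udp != "0":
        findings.append(f"UDP listener on port {udp}: set '-U 0'")
    # Without -l, memcached binds every interface.
    listen = opts.get("-l", opts.get("--listen"))
    if listen is None:
        findings.append("no -l option: listening on all interfaces")
    else:
        exposed = [a.strip() for a in listen.split(",") if a.strip() not in LOOPBACK]
        if exposed:
            findings.append("non-loopback listen address: " + ", ".join(exposed))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

The check treats listen addresses as plain hosts without a `:port` suffix; a config that must bind a non-loopback address still needs the firewall rule described above.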