Memcached DDoS Explained

A Memcached Distributed Denial of Service (DDoS) attack is a cyber attack aimed at Memcached, a database caching system designed to speed up websites and networks. It works by flooding a website or application with traffic to crash the servers.

How does Memcached work?

Memcached is a distributed memory caching system. Its purpose is to help websites and applications load content faster by temporarily storing content on devices, which can then efficiently load when the visitor comes back to the website.

Memcache vulnerabilities

As open-source software, Memcached could be vulnerable to attacks. This became apparent in 2018 when a new form of DDoS attack was launched. Cyber attackers sent spoofed requests, which mask the real identity of a sender by cloaking their IP address, to a vulnerable UDP Memcached server.

UDP, or User Datagram Protocol, is particularly vulnerable as it allows data to be transferred before the receiving party agrees to the communication, as in, for example, a quick video playback. Hackers sent these spoofed requests to the server, flooding the victims with high volumes of traffic and crashing the servers.

As with traditional DDoS attacks, Memcached attacks result in an overloaded server, denying service to genuine website users.

One step up from Mirai Botnet

Prior to the Memcache attack, the biggest DDoS threat was the Mirai Botnet malware, first discovered by MalwareMustDie in August 2016. At the time, it was involved in some of the largest DDoS attacks in history, including well-publicized cases such as the attack on security journalist Brian Krebs.

The team at Akamai went straight to work on mitigating attacks from Mirai Botnet malware, and now provides solutions to protect against any further threats from this source.

Largest DDoS Attack Ever Detected — Twice the Size of 2017 Mirai Botnet

Are you protected?

Having successfully protected against Mirai Botnet, Akamai is now compiling its resources to help enterprises fend off any potential attacks from Memcached malware.

On February 28, 2018, Akamai experienced a 1.3 Tbps DDoS attack against one of our customers, driven by memcached reflection. This is the largest attack seen to date by Akamai, more than twice the size of the Mirai botnet attack mitigated by Akamai in 2017.

In response, Akamai created the Prolexic Platform. This software was able to successfully mitigate the attack by filtering all traffic sourced from UDP port 11211.

The UDP port 11211 is the default port used by Memcached. Akamai was able to detect this and prevent server-crashing damage to its clients.
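The filter described above keys on one property: reflected replies reach the victim over UDP with source port 11211. The following is an added example, not Akamai's or Prolexic's code, that applies the same test to flow records to find destinations being hit by several reflectors at once. The CSV layout, the byte threshold and the reflector count are assumptions, and the sample flows are constructed using documentation address ranges.

```python
"""Flag memcached-reflection traffic in flow records (added example)."""
import csv
import io
from collections import defaultdict

MEMCACHED_PORT = 11211  # default Memcached port named in the text

# Constructed sample flow export (assumed column layout, not a real capture).
SAMPLE_FLOWS = """\
ts,proto,src_ip,src_port,dst_ip,dst_port,bytes
1,udp,198.51.100.10,11211,192.0.2.50,40211,1400000
1,udp,198.51.100.11,11211,192.0.2.50,51873,1350000
1,udp,198.51.100.12,11211,192.0.2.50,33012,1420000
1,tcp,203.0.113.7,51514,192.0.2.50,443,5200
1,udp,203.0.113.9,53,192.0.2.50,44100,300
1,tcp,192.0.2.20,50000,192.0.2.60,11211,900
1,udp,198.51.100.10,11211,192.0.2.61,40000,1200
"""


def is_reflected(flow):
    """Reflected replies arrive over UDP *from* source port 11211."""
    return (flow["proto"].lower() == "udp"
            and int(flow["src_port"]) == MEMCACHED_PORT)


def summarize(flow_csv, byte_threshold=1_000_000, min_reflectors=2):
    """Return {dst_ip: {"bytes": n, "reflectors": [...]}} for flagged targets.

    byte_threshold and min_reflectors are assumed tuning values; legitimate
    client-to-cache traffic (TCP, or destination port 11211) is ignored.
    """
    totals = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for flow in csv.DictReader(io.StringIO(flow_csv)):
        if is_reflected(flow):
            entry = totals[flow["dst_ip"]]
            entry["bytes"] += int(flow["bytes"])
            entry["reflectors"].add(flow["src_ip"])
    return {
        dst: {"bytes": e["bytes"], "reflectors": sorted(e["reflectors"])}
        for dst, e in totals.items()
        if e["bytes"] >= byte_threshold and len(e["reflectors"]) >= min_reflectors
    }


if __name__ == "__main__":
    for target, info in summarize(SAMPLE_FLOWS).items():
        print(target, info["bytes"], "bytes from",
              len(info["reflectors"]), "reflectors")
```

The reflector list that `summarize` returns is also the set of exposed Memcached servers whose operators would need to be notified.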

For more information on how Akamai mitigated this attack, read the latest blog post.

Memcache DDoS protection

In order to protect against attacks of this nature, Akamai is now publishing a series of resources, which will help to recognize potential threats. The team is also offering a consultancy service for those who think they might be affected.

If you think you might be vulnerable to a Memcache UDP attack, please call us, toll free, on 1.877.425.2624. Alternatively, contact the DDoS Attack Hotline and arrange a call back.

Find out more about Memcached DDoS tools with our online resources

At Akamai, we always like to stay one step ahead of the curve. Read our experts’ reports to find out more and keep yourself safe from Memcached DDoS.

DDoS Attack Resources

New Era for DDoS: Memcached Reflection Attacks
A new reflection and amplification DDoS vector in early 2018 changed the threat landscape, exposing massive DDoS resources. This brief explains the 1.3 Tbps attack mitigated by Akamai’s Prolexic DDoS protection service – and what it means for your DDoS defense.

[Blog] The newest and largest DDoS attack — memcached UDP explained
What is involved in memcached UDP attack, what weaknesses and systems does it exploit, and how can you prevent or recover from this type of new attack? Get the details and learn how to prepare for this risk.

[Report] Making a DDoS Protection Plan: 8 simple steps
Many organizations include DDoS in a disaster recovery plan, but that is a mistake. Attackers deliberately launch hundreds of DDoS attacks every day. Planning ahead and being prepared is a best practice for business operations and your best defense against DDoS attacks.

Defense By Design: How To Dampen DDoS Attacks With A Resilient Network
Distributed Denial of Service attacks cripple a target enterprise while commandeering massive resources across the Internet. Learn how Eugene Spafford, executive director emeritus at Purdue University, developed effective defenses against DDoS attacks by architecting a resilient network.

[Report] State of the Internet | Security Report
Gain insight from the Akamai Intelligent Platform™ on how the changing cyber security threat landscape can impact you and your organization.

[Report] Ponemon: The cost of web application and denial of service attacks
Ponemon Institute has released a report revealing that, based on a survey of more than 600 IT professionals, the costs incurred by organizations due to web application attacks and denial-of-service (DoS) attacks can easily add up to millions of dollars.