Memcrashed DDoS Now Available in BreakingPoint ATI Update
At the end of February, Cloudflare blogged about a new DDoS attack impacting its customers at speeds up to 260Gbps. Shortly after, China Telecom got hit, then Github, and then others, culminating with Arbor Networks reporting on a 1.7 Tbps flood. They all were caused by a new type of reflection attack that abused the protocol implementation of memcached. For those wondering what memcached is, it was developed as a caching daemon by Livejournal developers to speed up web page response time. It's now used by Google, Facebook, Twitter, and many other major web sites. It’s never supposed to be exposed to the Internet, but rather kept as internal resource service and that’s where misconfigured services aided in this attack.
As Cloudflare discussed on their excellent blog, the protocol is a perfect fit for those looking to get the biggest amplification out of a DDoS attack. Arbitrarily sized (in other words, "as large as you want them to be") objects can be stored in a listening memcached daemon with no authentication, and then retrieved over UDP once with no authentication. As we've discussed before, UDP-based protocols assist DDoS attackers by hiding the true source of the attacker (reflection) and increasing the effectiveness of the attack (amplification). In this case, once again, the victims source IP is spoofed by the attacker in the UDP request, thereby causing the memcached servers to send the unsolicited object to the victim.
BreakingPoint Super Flow ‘DDoS Memcached Reflection Flood’
When adding support for this attack, we already had an implementation of memcached, but like Cloudflare, we were caught unaware that it could also support UDP. Adding support for UDP wasn't as simple as changing the transport-level protocol, as there is some framing done on UDP-based memcached messages that isn't present in the TCP-based one. Notably, there is an eight-byte header inserted into every UDP datagram, which we added into our implementation.
UDP datagram header.
In our latest Strikepack update, ATI-2018-05, we've added a new Super Flow to test your device’s resilience against this attack. As usual, it's been tagged as a "DDoS," so it'll appear in the DDoS lab for easy testing, and with our new line cards, you can run these attacks up 2 Tbps per CloudStorm card.
Memcached response flood.
Showing thousands of bots attacking a single victim server.
The attack should also be mixed with legitimate traffic, like the data center application mix, to ensure the mitigation tool is able to maintain seamless traffic continuity while mitigating the memcached DDoS attack.
A pre-canned legitimate traffic mix in BreakingPoint that can be sent simultaneously with the attack.
Memcached’s popularity is on the rise and, considering its extremely high amplification factor, this may well become a popular reflection attack. Use BreakingPoint to understand the resiliency of your DDoS mitigation device or services not only against memcached, but also the 40+ other DDoS attacks that are available in the product.