This week, data from the Alibaba Cloud Security DDoS Monitoring Center shows that DDoS attacks abusing Memcached are rising rapidly. Yesterday, Alibaba Cloud monitored and successfully defended against a Memcached DDoS reflection attack peaking at 758.6 Gbps.
The following is a packet capture sample of a Memcached reflection DDoS attack; this traffic can be quickly identified by two characteristics: UDP protocol and source port 11211.
In this attack, the attacker spoofs the victim's IP address and sends a large number of requests to exploitable Memcached services exposed on the Internet. Memcached answers those requests, and the flood of response packets converges on the spoofed source address (i.e., the victim), forming a reflected distributed denial-of-service attack.
The concern is that Memcached can amplify packets tens of thousands of times: the response is tens of thousands of times larger than the request, so an attacker can launch a DDoS attack with enormous traffic using very little bandwidth of their own. NTP and SSDP reflection attacks generally amplify only tens to hundreds of times. Because of this magnification, Memcached reflection DDoS attacks can be far more destructive.
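As an added illustration that is not part of the original post, the following Python script applies the detection signature described above (UDP with source port 11211) to constructed tcpdump-style summary lines and computes the observed amplification factor per victim; the addresses and lines are made up and do not come from the capture shown in the post.

```python
"""Flag Memcached reflection traffic (UDP, source port 11211) in packet summaries."""
import re
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed sample in a tcpdump-like one-line format (not a real capture).
SAMPLE_CAPTURE = """\
12:00:01.000 IP 203.0.113.10.40001 > 198.51.100.5.11211: UDP, length 15
12:00:01.001 IP 198.51.100.5.11211 > 203.0.113.10.40001: UDP, length 1400
12:00:01.002 IP 198.51.100.5.11211 > 203.0.113.10.40001: UDP, length 1400
12:00:01.003 IP 198.51.100.7.11211 > 203.0.113.10.40001: UDP, length 1400
12:00:01.004 IP 192.0.2.9.53 > 203.0.113.10.40001: UDP, length 120
12:00:01.005 IP 198.51.100.5.11211 > 203.0.113.10.40001: tcp 0
"""

# Only UDP summary lines match; TCP lines and anything else are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def parse_capture(text):
    """Parse tcpdump-style summary lines into dicts (UDP lines only)."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            packets.append({"src": d["src"], "sport": int(d["sport"]),
                            "dst": d["dst"], "dport": int(d["dport"]),
                            "length": int(d["len"])})
    return packets


def memcached_reflection_report(packets):
    """Aggregate UDP packets from source port 11211 (Memcached replies) per destination."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for p in packets:
        if p["sport"] == MEMCACHED_PORT:
            s = stats[p["dst"]]
            s["packets"] += 1
            s["bytes"] += p["length"]
            s["reflectors"].add(p["src"])
    return {ip: {"packets": s["packets"], "bytes": s["bytes"],
                 "reflectors": sorted(s["reflectors"])} for ip, s in stats.items()}


def amplification_factor(packets, victim_ip):
    """Reflected bytes to victim_ip divided by bytes the (spoofed) victim 'sent' to 11211."""
    req = sum(p["length"] for p in packets if p["src"] == victim_ip and p["dport"] == MEMCACHED_PORT)
    resp = sum(p["length"] for p in packets if p["dst"] == victim_ip and p["sport"] == MEMCACHED_PORT)
    return resp / req if req else None  # None when no request toward 11211 was observed
```

In a capture taken at the victim only the replies are visible, so the report function is the useful part there; the amplification factor needs a vantage point that also sees the spoofed requests.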
Attack posture
With the public disclosure of DDoS attack techniques using Memcached, more and more DDoS attempts use Memcached for reflection, and this type of attack is rising rapidly.
Recently, attackers have scanned the Internet and collected exploitable Memcached IPs worldwide, and a large number of tentative ultra-high-traffic Memcached DDoS attacks have appeared.
The number and harm of reflection points on the Internet at present
Across the Internet, hundreds of thousands of IPs can currently be used as Memcached reflectors, providing attackers with a massive arsenal.
As the difficulty of launching ultra-large DDoS attacks decreases, IDCs and cloud service providers need to reserve more network bandwidth for defense, and small and medium-sized IDCs will find it difficult to cope with DDoS attacks of this scale.
Currently, Alibaba Cloud provides Memcached security configuration recommendations and repair guidance in Anknight to help cloud users fix Memcached risks. A UDP reflection blocking service is provided with Anti-DDoS Pro IPs.
(1) What is Memcached?
Memcached is a high-performance distributed in-memory object caching system used in dynamic web applications to offload databases. It reduces the number of database reads by caching data and objects in memory, improving the speed of dynamic, database-driven websites.
(2) What is the Memcached business scenario?
If a website contains dynamic pages with a lot of traffic, the load on the database will be high. Since most database requests are reads, most read-heavy business systems use Memcached to reduce database reads; implementing a cache in this way can significantly reduce database load and improve website performance.
(3) Why is Memcached used to amplify DDoS attacks?
- Memcached (versions earlier than 1.5.6) listens on UDP by default, which naturally satisfies the precondition for reflection DDoS.
- Many users bind the service to 0.0.0.0 without configuring iptables rules, so it can be queried from any source IP address.
- Memcached's amplification factor is tens of thousands, which is ideal for a DDoS attack that turns small packets into large traffic.
Alibaba Cloud security experts have two recommendations regarding Memcached:
First, how to avoid being exploited as a Memcached reflector:
It is recommended to check and harden any running Memcached service to prevent it from being used by attackers to launch DDoS attacks and generate unnecessary bandwidth traffic.
If your Memcached version is lower than 1.5.6 and you do not need UDP, restart Memcached with the -U 0 startup parameter (e.g., `memcached -U 0`), which disables listening on the UDP protocol.
More Memcached Service Security Hardening documentation:
https://help.aliyun.com/knowledge_detail/37553.html
If you have purchased Alibaba Cloud Shield Anknight, you can fix it according to the guidance on the Anknight console.
Second, how to protect against Memcached DDoS reflection attacks:
It is recommended to optimize the service architecture and spread the service across multiple IPs. Memcached makes it relatively easy to launch high-traffic DDoS attacks, and defending against them requires sufficient bandwidth. If you encounter a high-traffic reflection attack, you can purchase a cloud scrubbing service; one that filters UDP reflection traffic is recommended. Alibaba Cloud Anti-DDoS Pro has launched a UDP blocking service.