UNDER ATTACK?
2022 1HY Report_Cover-2-1

In the first half of 2022, the total attack count and average attack size increased by 75.60% and decreased by 55.97% respectively compared to the figures recorded in the second half of 2021.  Learn More

Nexusguard Blog

Cybersecurity best practices and DDoS defence strategies

Latest Stories

Nexusguard Product Nexusguard Product
May 16, 2023

Connecting Your Network to the World: The Fastest Route to Global Peering

Nexusguard Product Nexusguard Product
May 11, 2023

Why DDoS attacks to ISPs cause major downtime for its customers?

Nexusguard Product Nexusguard Product
May 08, 2023

What role should ISPs play in combating DDoS attacks?

Featured Stories

Blog Home
Nexusguard Research
By
March 02, 2018

Mitigating the record-setting Memcached DDoS attacks

  DDoS Cyber Attack Memcached Attack Amplification Attack

At 2:28 GMT on 28th of February, Nexusguard successfully mitigated a 260Gbps attack bound for a customer operating an investment trading website. While attacks of such magnitude have lately become common for our Security Operations Centre (SOC), what makes this a significant mention is that the attack exploited vulnerable Memcached servers to achieve record setting efficiencies previously unseen.


At 51,000 times, the record-setting amplification effect achieved by abusing vulnerable Memcached servers greatly surpasses anything seen before, presenting an unprecedented threat that could take down practically any network on the internet.


Banner for ports.ai.png
To put into perspective how intimidating this new threat is, the 2016 attack on DNS provider DynDNS that knocked major internet platforms and services in Europe and North America offline had an average amplification factor of 55. According to US-Cert, the bandwidth amplification factor for most commonly seen DNS-based attacks is 54.

Based on an analysis of our logs, attackers exploited a critical security flaw found on Memcached servers, mostly deployed by reputed organizations in the US, France and Vietnam. Those whose Memcached servers found to have been abused range from leading domain registrars, hosting companies and ISPs to reputable universities and government agencies.

Memcached servers are usually deployed by organizations to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source must be read. The vulnerability stems from unprotected Memcached servers that are typically not made accessible on the internet.

By sending small and spoofed UDP requests to vulnerable Memcached servers, attackers were able to generate responses 51,000 times that of the original request to the intended target. From the actual attacks observed, a 1,428-byte request generated a 714-megabyte response. This is akin to a stranger asking “How are you?”, and you respond with your entire medical history and genetics information.

Large organizations are therefore recommended to secure and harden Memcached servers by implementing access control and closing off non-essential UDP ports.

 

Related blog post:

To The Uninitiated, The Threat Of Memcached Attacks Can Indeed Be Daunting

Popular Stories

VAPT on Static Website Aug 26, 2019
Preventing Slow HTTP Attacks Nov 08, 2021
CVE-2022-26134: Zero-Day Vulnerability in Atlassian Confluence Server and Data Center Jun 22, 2022
At 51,000 times, the record-setting amplification effect achieved by abusing vulnerable Memcached servers greatly surpasses anything seen before.


Related articles

COVID-19 pandemic causing the most significant increase in DDoS attacks ever

How Vietnam networks unwittingly expose themselves to IoT botnet exploits

Communications Service Providers (CSPs) are being brought to their knees by “Bit-and-Piece” attacks that fly under the radar

SOLUTIONS
PRODUCTS & SERVICES
PARTNERS
ACADEMY
RESOURCES
ABOUT US

© 2023 Nexusguard - All Rights Reserved. Read Our Privacy Policy.