ADVISORY: Memcached exposed to the internet is exploitable for DDoS attacks

Wednesday, February 28, 2018

This information was sent to U-M IT staff groups via email on February 28, 2018. It is intended for U-M IT staff who are responsible for university servers that utilize memcached.

Summary

The memcached service should not be exposed to the internet or to any untrusted users. Misconfigured servers that expose the memcached service externally can be exploited to perform amplified Distributed Denial of Service (DDoS) attacks. Misconfigured servers may also expose sensitive or critical data to attackers.

Problem

Multiple security vendors this week are warning about threat actors exploiting unprotected memcached servers to launch dangerously large DDoS attacks against target organizations. Exposure of the memcached service has been known to be a security risk for some time, but widespread exploitation for DDoS attacks, using techniques that result in very large amplification of attack traffic, was not previously known to be common.

Threats

Memcached, when exposed to the internet, poses a threat to other networks and systems. An attacker can bounce an attack off the exposed service to perform an amplified DDoS attack against the recipient of the reflected traffic. In some cases, this is not a significant threat to the system running the exposed memcached service and only results in significant negative impact for the recipient of the reflected traffic. However, because the default memcached configuration does not require authentication, an attacker could also gain access to any sensitive data stored in memcached and/or manipulate critical data within memcached.

Affected Systems

Servers with the memcached service exposed to the internet. Memcached is open source software that is often used to improve web application performance.

Action Items

Information Assurance asks that U-M units and IT staff follow this standard advice:

  • Report suspected serious incidents as required by Information Security Incident Reporting (SPG 601.25) (which would include "active threats" such as active DDoS attacks).
  • Only expose services to the internet when necessary (minimize attack surface), especially when those services are likely to be abused and could lead to serious incidents.

IA is tracking this threat and will take action as appropriate. In addition, the university utilizes Merit's DDoS protection service, which provides both protection from—and notification of—DDoS attacks.

Technical Details

This amplification attack uses the memcached protocol on User Datagram Protocol (UDP) port 11211. Certain commands sent to UDP-based services elicit responses that are much larger than the initial request. In some cases, a single packet can generate many times the original bandwidth. When this amplification is combined with a reflective DoS attack that uses multiple amplifiers and targets a single victim, the attacks can be conducted with relative ease. The best-known vectors for these DDoS amplification attacks are poorly secured domain name system resolution servers and NTP servers that support the “monlist” command, which can amplify attack traffic as much as 50 or 60 times. Recent estimates indicate that the memcached service may provide amplification factors that allow an attacker to multiply the initial attack traffic by 9,000 times or more and perform large DDoS attacks using a relatively small number of vulnerable memcached services.
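One way to check a server's memcached startup options for the exposure described above, as an added example that is not part of the original advisory. It assumes the one-option-per-line layout of a Debian-style /etc/memcached.conf and the standard short flags -l (listen address), -U (UDP port, 0 disables UDP) and -S (SASL authentication); the sample config, function names and the udp_default parameter are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample in the one-option-per-line layout of /etc/memcached.conf.
SAMPLE_CONF = """\
# memcached config (constructed sample)
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

def parse_options(text):
    """Return {flag: value} for the short options found in the config text."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        opts[tokens[0]] = tokens[1] if len(tokens) > 1 else True
    return opts

def is_loopback(addr):
    """True only for provably loopback addresses; unknown names count as exposed."""
    addr = addr.strip().strip("[]")
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def audit(text, udp_default=11211):
    """Flag settings that leave memcached usable as a reflector or readable by anyone.

    udp_default is an assumption: older builds listen on UDP 11211 unless told
    otherwise; pass 0 for builds that ship with UDP disabled by default.
    """
    opts = parse_options(text)
    listen = str(opts.get("-l", "0.0.0.0"))  # no -l means all interfaces
    exposed = not all(is_loopback(a) for a in listen.split(","))
    udp_port = int(opts.get("-U", udp_default))
    findings = []
    if exposed and udp_port != 0:
        findings.append(f"UDP port {udp_port} bound to a non-loopback address: amplification risk")
    if exposed and "-S" not in opts:
        findings.append("non-loopback listener without SASL (-S): cached data open to any client")
    return findings
```

An empty result only means the configuration itself is not exposing the service; host and network firewall rules for port 11211 still need to be checked separately.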