Memcached reflection denial-of-service

3:55pm, 28 February 2018

TLP Rating: Clear

CERT NZ has been informed of an active attack that is using memcached servers to perform a reflected denial-of-service (DoS) attack.

In this attack, attackers send queries to memcached servers on port UDP/11211 or TCP/11211 with the source IP address and port spoofed to be those of the target. The amplified response is then reflected back to the target as a DoS attack.

CERT NZ is aware that this attack is active. Because of this, we strongly recommend you investigate your servers as soon as possible to prevent them from being used in an attack.

What's happening

Systems affected

Memcached servers that have UDP/11211 or TCP/11211 open and are internet-accessible.

This attack requires the memcached server to be misconfigured. It is prudent to work on the basis that all memcached servers are affected until they are investigated.

Memcached servers that are 1.2.7 or later and using default configurations should be assessed immediately.

What this means

All affected servers need to be updated with recommended mitigations to prevent the server from being used in this reflection attack.

What to look for

How to tell if you're at risk

If you are using a misconfigured memcached server, it is at risk of being used to carry out a reflection attack.

Memcached servers are largely used in internet data centre or infrastructure-as-a-service networks.
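One way to check a Linux host for memcached listeners on port 11211 that are bound to non-loopback addresses. This is an added example, not part of the CERT NZ advisory; it assumes the `ss` utility from iproute2, and the function name `exposed_memcached` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: list sockets listening on port 11211 (memcached) that are
# bound to anything other than a loopback address.
# Input on stdin: lines as printed by `ss -H -lntu`
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

exposed_memcached() {
    awk '
    {
        proto = $1
        laddr = $5
        # Split address and port at the last colon, so that both
        # 0.0.0.0:11211 and [::]:11211 are handled.
        pos = match(laddr, /:[0-9]+$/)
        if (pos == 0) next
        addr = substr(laddr, 1, pos - 1)
        port = substr(laddr, pos + 1)
        if (port != "11211") next
        # Drop an interface scope (e.g. %lo) and IPv6 brackets.
        sub(/%.*$/, "", addr)
        gsub(/^\[|\]$/, "", addr)
        # Loopback-only listeners cannot be reached from other hosts.
        if (addr ~ /^127\./ || addr == "::1") next
        print proto, addr
    }'
}

# Constructed sample of `ss -H -lntu` output (not taken from a real host).
SAMPLE='udp UNCONN 0 0 0.0.0.0:11211 0.0.0.0:*
tcp LISTEN 0 1024 127.0.0.1:11211 0.0.0.0:*
tcp LISTEN 0 1024 [::1]:11211 [::]:*
udp UNCONN 0 0 [::]:11211 [::]:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Prints one "protocol address" line per non-loopback memcached listener.
printf '%s\n' "$SAMPLE" | exposed_memcached
```

On a live host, run `ss -H -lntu | exposed_memcached`. A listed socket is bound to a non-loopback address; whether it is internet-accessible still depends on the firewall and ACLs in front of the host.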

What to do

Mitigation

Ensure that memcached servers are configured to use industry-standard best current practices (BCP). This includes:

  • using source-address validation to filter ingress traffic (BCP38/BCP84)
  • using access control lists (ACL) to restrict source IP addresses/ports and limit traffic.

Details about these mitigations can be found at:

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/

More information