How Memcached Was Used for the Largest DDoS Attack Ever Recorded

In February 2018 GitHub became the victim of the largest DDoS attack recorded up to that point, with about 1.3 terabits per second of traffic hitting the platform at once. The interesting thing about this attack was that it required no botnet, whereas a typical DDoS attack relies on one.

Figure: real-time traffic graph from the DDoS attack

Instead of a botnet, the traffic was generated by abusing publicly exposed Memcached servers as reflectors.

Now we will see what Memcached is and how it was used to create such high volumes of traffic.

What is Memcached?

Wikipedia describes Memcached as a general-purpose distributed memory caching system, but what exactly does the term mean? A cache is memory that holds the most frequently used resources (a browser, for example, keeps images, scripts and stylesheets it has already fetched so it does not have to download them again), because reading from a cache is faster than reading from a disk drive or recomputing a result. Memcached, short for "memory cache", keeps such resources in RAM: the results of expensive database queries, rendered HTML fragments, session data. The data is stored as key/value pairs in a large hash table.

Because "distributed" is part of the definition, you can run Memcached on several servers and treat their combined memory as one larger cache. In this way Memcached keeps database load to a minimum, resulting in faster and more responsive web applications.

Memcached is best suited to queries that run many times per second and return large results. Access to Memcached data is faster than access to a disk drive because the data lives in RAM; it is also volatile, so anything not in the cache has to be fetched from the backing database again.

How was it used to create traffic?

Memcached DDoS attacks do not require a malware-driven botnet. The attacker forges the source IP address of UDP packets so that it is the victim's address and sends small queries to many memcached servers that are exposed to the internet; the queries are chosen to elicit a much larger response (a `stats` request is 15 bytes of payload, and a `get` for a key the attacker previously stored with a large value returns that value in full). Each memcached server then sends its large reply not to the attacker but to the victim.

The exact amplification factor is hard to pin down because it depends on what each reflector returns (Cloudflare measured ratios above 50,000x), but the attacks Akamai saw generated nearly 1 Gbps per reflector.

Spoofing the source IP address works because memcached at the time listened on UDP port 11211 by default. UDP is connectionless: there is no handshake that would force the sender to prove it can receive packets at the claimed source address, so the server answers whatever address is in the packet header. This is the same property that makes DNS, NTP and SSDP usable as reflectors.

How Amplification Works

What's the Solution?

For attackers, the beauty of memcached DDoS attacks is that there is no malware to distribute and no botnet to maintain; the reflectors carry the traffic, and the spoofed source address hides where it really came from.

  • The primary solution to memcached attacks is to have no reflectors exposed to the internet. However, relying on the administrators of remote systems to take their servers off the internet is not likely to produce immediate results, so a victim's short-term defence is to have its network or DDoS-mitigation provider filter UDP traffic from source port 11211 upstream.
  • For your own servers, set up a firewall so that the memcached service is reachable only from the trusted hosts that need it, and block all access from the public internet. Bind memcached to an internal address and, unless you actually use it, disable its UDP listener entirely (the -U 0 option).

The developers behind memcached say that version 1.5.6, released in late February 2018, "disables the UDP protocol by default." Older installations remain exposed until they are upgraded or reconfigured.