Several DDoS attacks have been launched from exposed memcached servers over the past few days, according to Cloudflare. The company reports a large increase in obscure amplification attacks arriving from UDP port 11211, the port memcached listens on.
All amplification attacks work the same way. An attacker who can spoof source IP addresses sends a small request to a vulnerable UDP server with the source address forged to be the victim's. The server cannot tell the request is fake, so it sends its reply to the victim instead of the attacker; thousands of such replies from many servers inundate the target host and the network in front of it. Amplification attacks are effective because the response packets are much larger than the request packets, so a modest amount of attacker bandwidth turns into a flood.
Memcached attacks had been relatively rare, but a flare-up occurred early this week. According to Marek Majkowski from Cloudflare, the majority of attack packets are 1400 bytes in size, and the attack peaked at 257Gbps.
According to Cloudflare, vulnerable servers were found all around the globe, with the highest concentration in North America and Europe. Most of them sit in major hosting providers, which is why the attacks come from such a large number of source IPs.
If you are using memcached, disable UDP support unless you actually need it; it has usually been enabled by default (memcached 1.5.6 and later ship with it disabled). Also set up firewalls that restrict which hosts can reach your memcached servers, and bind the service to localhost or an internal interface rather than a public one. If you must use UDP, make sure the response to any request is strictly smaller than the request, so the server cannot be used as an amplifier.
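As an added example (not from the original article or from the memcached project), the following Python script checks whether a memcached server you own still answers on UDP and measures how much it amplifies, which is the mechanism described two paragraphs above. It builds a memcached UDP datagram (8-byte frame header plus the text command), sends a `stats` request, and compares bytes received against bytes sent. The target address, the request ID value, and the reply sizes used in comments are assumptions chosen for illustration. Run it only against servers you are responsible for.

```python
"""Probe a memcached instance over UDP and report its amplification factor.

Example code written for this article, not part of memcached itself.
The default target 127.0.0.1 and the request id 0x1234 are arbitrary choices.
"""
import socket
import sys

MEMCACHED_UDP_PORT = 11211


def build_probe(command: bytes = b"stats", request_id: int = 0) -> bytes:
    """Build one datagram in the memcached UDP framing.

    The UDP variant of the memcached text protocol prefixes every datagram
    with an 8-byte header: request id (2 bytes), sequence number (2 bytes),
    total number of datagrams in the message (2 bytes), and 2 reserved bytes
    that must be zero. All fields are big-endian. A request is one datagram.
    """
    header = (
        request_id.to_bytes(2, "big")
        + (0).to_bytes(2, "big")   # sequence number of this datagram
        + (1).to_bytes(2, "big")   # total datagrams in this message
        + b"\x00\x00"              # reserved
    )
    return header + command + b"\r\n"


def parse_reply(datagram: bytes):
    """Split a reply datagram into (request_id, seq, total, payload)."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than the 8-byte memcached UDP header")
    request_id = int.from_bytes(datagram[0:2], "big")
    seq = int.from_bytes(datagram[2:4], "big")
    total = int.from_bytes(datagram[4:6], "big")
    return request_id, seq, total, datagram[8:]


def amplification_factor(request: bytes, replies) -> float:
    """Bytes delivered to the (possibly spoofed) source per byte sent."""
    received = sum(len(r) for r in replies)
    return received / len(request)


def probe(host: str, port: int = MEMCACHED_UDP_PORT, timeout: float = 2.0):
    """Send one 'stats' probe and collect every datagram that comes back.

    Returns (request, replies). An empty reply list means the server did not
    answer over UDP within the timeout: UDP disabled, firewalled, or down.
    """
    request_id = 0x1234  # arbitrary value, used to match replies to our probe
    request = build_probe(b"stats", request_id=request_id)
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            while True:
                data, _ = sock.recvfrom(65535)
                rid, _seq, total, _payload = parse_reply(data)
                if rid != request_id:
                    continue
                replies.append(data)
                if total and len(replies) >= total:
                    break
        except socket.timeout:
            pass
    return request, replies


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    req, reps = probe(target)
    if not reps:
        print(f"{target}: no UDP reply on port {MEMCACHED_UDP_PORT} (good)")
    else:
        factor = amplification_factor(req, reps)
        print(f"{target}: answered {len(reps)} datagram(s), "
              f"{sum(len(r) for r in reps)} bytes, amplification x{factor:.0f}")
        print("Restart with 'memcached -U 0 -l 127.0.0.1' (UDP off, local bind) "
              "and filter UDP/11211 at the network edge.")
```

The `stats` probe is 15 bytes on the wire; a server that answers with ten 1400-byte datagrams has already amplified the request over 900 times, which is why a non-empty reply from the public Internet should be treated as a finding rather than a curiosity.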
Cloudflare believes the only lasting fix for amplification attacks is to repair the vulnerable protocols and to end IP spoofing, by having networks drop packets whose source addresses they would not themselves route (BCP 38). As long as IP spoofing is possible, these attacks will continue to occur.