Cloudflare researchers recorded a rapid increase in the number of Distriubuted Denial of Service attacks, or DDoS attacks, with this new variation of attack using the memcached protocol, coming from UDP port 11211.
There are several methods for carrying out DDoS attacks, but the basic idea is almost the same regardless of the type of attack. The attacker performs IP spoofing and sends fake requests to a vulnerable servers port. Not knowing that the requests are fake, the server attempts to reply as if it were a regular request. The problem occurs when the server, or sometimes several servers sends thousands of replies to the attacked host, so many that all of the cards communication abilities are filled with trying to respond to the fake queries. Attacks using the enhanced methods are very effective, since the size of the response packets exceed the size of the request packets. As a result, an attacker, even with insignificant resources, can implement a powerful DDoS attack.
Researchers regularly record such attacks, but new, previously unknown methods, have started appearing more and more frequently. This includes, in particular, the Memcrashed attack, which involves augmenting the attack using memcached UDP. In recent days, the number of attacks Memcrashed began to grow rapidly.
“Attacks do not have a lot of packets per second, but the bandwidth is impressive. We recorded a peak of 260 Gb / s of incoming UDP memcached traffic. This is very much, as for the gain vector. However, the figures do not lie. This is possible, since the reflected packets are very large. The size of most packets is 1400 bytes. We make a simple calculation: 23 packets per second multiply by 1400 bytes and get 257 Gbps.” the researchers said.
Memcached servers are located around the world with the highest concentration in North America and Europe. IP spoofing is an attack method, which involves changing the “sender address” field of the IP packet. It is used to hide the true address of the attacker, and makes as easy scapegoat by using the victims IP address.