The latest "reflection attack" gooses Denial of Service attacks by a factor of 51,000

To launch an effective Denial of Service attack, your bots need to overwhelm your target with a flood of requests; the more bandwidth and computing-power your target has, the more you need to knock them off the internet.


DDoS attackers use hijacked bots to knock their victims offline, but they can supercharge these bots with "reflection attacks" — getting the bots to send forged requests to public internet servers that appear to originate with the target system, forcing the target system to cope with the larger, more computationally demanding requests from these systems.


Historically, reflection attacks have used the internet's Domain Name Service and networked time servers to magnify their power by 50-58 fold.

But a new kind of attack, already observed in the wild, is achieving magnification levels of 51,000X — thanks to a bug in a caching program called "memcached" that uses a database to speed up websites and networked services.

Over the past week, attackers who've exploited memcached have mustered 500gbps floods, using a small fraction of the available memcached services (only 6,000 of the internet's 88,000 have been recruited to date) — meaning that the situation could get much worse.

However, memcached systems generally don't need to be exposed to the public internet to work; if those 88,000 systems are put behind company firewalls, it could stop these attacks in their tracks.

Reflection attacks also show up in the offline world. The kinds of broken people who are susceptible to the messages of marginal figures like Milo Yiannopoulos are spread out very thinly, so he can't reach them in a cost-effective way on his own: but by tricking us into repeating his outrageous statements, Yiannopoulos can amplify his message, getting it into every corner of the discourse, making sure that those few, far-between souls who are vulnerable to him hear what he has to say.


The attacks work because a variety of networks is exposing memcached servers to the Internet in their default unsecured configuration. Generally speaking, memcached systems should be reachable only on local networks and should be kept securely behind a firewall. So far, attacks have come from slightly more than 5,700 unique IP addresses, mostly in North America and Europe.

"I suspect that most of these memcached servers don't need to be on the public Internet," Graham-Cumming said. "It's just a mistake." He said his concern about worsening attacks is fueled by the previously mentioned availability of more than 88,000 poorly secured memcached servers, as measured by the Shodan search engine.


Memcrashed – Major amplification attacks from UDP port 11211 [ Marek Majkowski/Cloudflare]
In-the-wild DDoSes use new way to achieve unthinkable sizes [Dan Goodin/Ars Technica]


memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations [Roland Dobbins/Arbor Networks]