According to Cloudflare, DDoS attacks have been carried out from exposed memcached servers over the past few days. It has been reported that a large increase in obscure amplification attacks came from UDP port 11211.
What Caused These Attacks?
All amplification attacks work in a similar way: an attacker capable of IP spoofing sends forged requests to a vulnerable UDP server. Thousands of responses are then delivered to an unsuspecting target host, unbeknownst to the user, inundating its resources and the network itself. Amplification attacks are effective because the response packets are much larger than the request packets.
The number of memcached attacks was relatively normal until earlier this week, when a flare-up occurred. According to Marek Majkowski from Cloudflare, the majority of packets are 1400 bytes in size, producing 257Gbps of bandwidth.
Where These Attacks Are Being Found
According to Cloudflare, vulnerable servers were mostly concentrated in North America and Europe. Most of these vulnerable servers are located in major hosting providers, resulting in a large number of attacking IPs.
How to Stop These DDoS Attacks
Memcached users should disable UDP support if it is not in use; it is usually enabled by default. Firewalls should be set up to restrict traffic flow to memcached servers. If you must use UDP, remember to always respond with a packet strictly smaller than the request.
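As an added example (not from Cloudflare or the original article), the Python sketch below audits a memcached options file for the first recommendation above. It assumes a config with one `-flag value` option per line, that a missing `-U` means UDP is enabled on port 11211, and that a missing `-l` means memcached listens on all interfaces; the function names and sample configs are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample configs (not from the article).
WEAK_CONF = "-m 64\n-p 11211\n-u memcache\n"            # no -U, no -l
HARDENED_CONF = WEAK_CONF + "-l 127.0.0.1\n-U 0\n"      # UDP off, loopback


def parse_options(conf_text):
    """Extract the -U (UDP port) and -l (listen address) options."""
    udp_port, listen = 11211, []  # assumption: no -U means UDP on 11211
    for line in conf_text.splitlines():
        tokens = shlex.split(line, comments=True)  # drops '#' comments
        for i, tok in enumerate(tokens):
            if tok[:2] not in ("-U", "-l"):
                continue
            # Accept both "-U 0" and "-U0".
            value = tok[2:] or (tokens[i + 1] if i + 1 < len(tokens) else "")
            if tok[:2] == "-U" and value.isdigit():
                udp_port = int(value)
            elif tok[:2] == "-l":
                listen += [a.strip() for a in value.split(",") if a.strip()]
    return udp_port, listen


def is_loopback(addr):
    """True for localhost or a loopback IP; anything unparsable is exposed."""
    try:
        return addr == "localhost" or ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit(conf_text):
    """Return a list of findings; empty means UDP is disabled."""
    udp_port, listen = parse_options(conf_text)
    if udp_port == 0:
        return []
    exposed = [a for a in listen if not is_loopback(a)]
    if not listen:
        return [f"UDP {udp_port} open on all interfaces: set '-U 0'"]
    if exposed:
        return [f"UDP {udp_port} open on {', '.join(exposed)}: set '-U 0'"]
    return [f"UDP {udp_port} open on loopback only: set '-U 0' if unused"]


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "ok: UDP disabled")
```

A clean result here only reflects the options file; the firewall rules in front of the server still need their own review.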
Cloudflare believes the ultimate solution to stopping amplification attacks for good is fixing vulnerable protocols and ending IP spoofing. As long as IP spoofing is possible, these attacks will continue to occur.