Security Experts:

Connect with us

Hi, what are you looking for?



Memcached DDoS Attack ‘Kill Switch’ Found

Corero Network Security says they have discovered a “kill switch” to counteract the Memcached vulnerability that recently fueled some of the largest distributed denial-of-service (DDoS) attacks in history.

Corero Network Security says they have discovered a “kill switch” to counteract the Memcached vulnerability that recently fueled some of the largest distributed denial-of-service (DDoS) attacks in history.

The company says it has disclosed the kill switch to national security agencies and also claims that the issue is more extensive than originally believed: an attacker exploiting it can also steal or modify data from vulnerable Memcached servers.

Memcached is a free and open source memory caching system that can work with a large number of open connections. Memcached servers allow connections via TCP or UDP on port 11211, with access requiring no authentication, which is why the system wasn’t designed to be accessible from the Internet.

In late February, however, web protection companies warned that the protocol can be abused for DDoS amplification, after the first attacks using it started to emerge. Within days, record-setting 1.3Tbps and 1.7Tbs DDoS attacks were observed.

“The exploit works by allowing attackers to generate spoof requests and amplify DDoS attacks by up to 50,000 times to create an unprecedented flood of attack traffic,” Corero explains.

With over 95,000 servers worldwide allowing connections on TCP or UDP port 11211 from the Internet, the potential for abuse by attackers is significant.

In fact, Corero claims that vulnerable Memcached servers can also be coaxed into divulging data cached from the local network or host, including confidential database records, website customer information, emails, API data, Hadoop information and more.

With no authentication required, an attacker can issue a simple debug command to retrieve the data. What’s more, the weakness can also be exploited to maliciously “modify the data and reinsert it into the cache,” the security company says.

The ‘kill switch’ that Corero has discovered would send a command back to an attacking server to suppress the DDoS exploitation. The countermeasure, the company explains, invalidates a vulnerable server’s cache, meaning that any potentially malicious payload that attackers might have planted will become useless.

The security firm claims it has tested the countermeasure quench packet on live attacking servers and that it proved fully effective, without causing collateral damage.

“Ironically, the Memcached utility was intended to cache frequently-used web pages and data to boost legitimate performance. But this utility has now been weaponized to exploit its performance boosting potential for illegitimate purposes,” Ashley Stephenson, CEO at Corero Network Security, commented.

The root cause of the problem, of course, is the poor security practices when setting up Memcached servers. Exposing them to the Internet is like leaving the front door open and expecting burglars not to barge in.

In a blog post last week, DigitalOcean pointed out that one option to mitigate attacks is “to bind Memcached to a local interface, disable UDP, and protect your server with conventional network security best practices.”

According to Victor Gevers, chairman of the GDI Foundation, upgrading or firewalling vulnerable Memcached servers on port 11211 should also prevent attacks.

Poorly secured Memcached servers don’t represent a new problem and many security experts, Gevers included, have long issued warnings in this regard. And while the problem might have been ignored until now, it becomes imperative to address it, as proof-of-concept (PoC) code for Memcached-based DDoS attacks has already been published online.

One of them, supposedly released for “educational and/or testing purposes only,” ended up on Pastebin, along with a list of around 17,000 hosts that can be abused for amplification. Another is a Python script that can leverage Shodan to scan for IPs of vulnerable Memcached servers.

Related: Largest Ever 1.3Tbps DDoS Attack Includes Embedded Ransom Demands

Related: Memcached Abused for DDoS Amplification Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.