Memcrached

The Memcached vulnerability has been used to create record-breaking distributed denial-of-service (DDoS) attacks. Memcached-based amplification/reflection attacks amplify the bandwidth of a DDoS attack by a factor of around 50,000 by exploiting thousands of misconfigured Memcached servers that were left exposed to the Internet.

The attacks are trivial to implement and do not need a botnet of computers to generate the amount of traffic necessary to bring a given system or network down. A request of only a few bytes sent to a vulnerable Memcached server can trigger a response tens of thousands of times larger, directed at the targeted IP address. The attack consists of two steps:

  • Store a value object of up to 1MB in the Memcached server under a unique key.
  • Construct a UDP `get` request for that key and send it to the Memcached server, with the source IP address of the UDP packet spoofed to the IP address of the target/victim.

At the beginning of 2018, two proof-of-concept (PoC) exploits for the Memcached amplification attack were released online. The first (https://pastebin.com/raw/ZiUeinae) is written in C and works with a pre-compiled list of vulnerable Memcached servers (including a bonus list of nearly 17,000 potentially vulnerable Memcached servers left exposed on the Internet at that date). The second (https://github.com/649/Memcrashed-DDoS-Exploit/) is written in Python and uses the Shodan search engine API to obtain a fresh list of possibly vulnerable Memcached servers.
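On the victim side the attack is visible as a flood of UDP traffic whose source port is 11211 (Memcached's default port, not named on this page) arriving from many distinct reflectors toward one destination. The following Python code, an added example that is not from this page or from either PoC, runs that detection logic over constructed flow records; the record layout and thresholds are assumptions.

```python
# Detection of Memcached UDP reflection traffic in flow records (added example).
# Flow records and thresholds are constructed/assumed, not taken from the page.
from collections import defaultdict

MEMCACHED_PORT = 11211  # Memcached default port; reflected replies come FROM it

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
SAMPLE_FLOWS = [
    ("203.0.113.10", 11211, "198.51.100.5", 40000, "udp", 1_400_000, 1000),
    ("203.0.113.11", 11211, "198.51.100.5", 40000, "udp", 1_300_000, 950),
    ("203.0.113.12", 11211, "198.51.100.5", 40000, "udp", 1_250_000, 900),
    ("192.0.2.50", 11211, "192.0.2.7", 51000, "tcp", 2_048, 10),   # normal TCP client use
    ("198.51.100.9", 53, "198.51.100.5", 40001, "udp", 512, 2),    # DNS reply, unrelated
]


def reflection_candidates(flows, min_reflectors=3, min_bytes=1_000_000):
    """Return destinations that look like Memcached reflection victims.

    A destination is flagged when it receives UDP traffic sourced from port
    11211 from at least `min_reflectors` distinct hosts totalling at least
    `min_bytes`. TCP flows and other UDP services are ignored.
    """
    by_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for src_ip, src_port, dst_ip, _dst_port, proto, nbytes, _npkts in flows:
        if proto != "udp" or src_port != MEMCACHED_PORT:
            continue
        entry = by_victim[dst_ip]
        entry["reflectors"].add(src_ip)
        entry["bytes"] += nbytes
    return {
        victim: {"reflectors": sorted(e["reflectors"]), "bytes": e["bytes"]}
        for victim, e in by_victim.items()
        if len(e["reflectors"]) >= min_reflectors and e["bytes"] >= min_bytes
    }


if __name__ == "__main__":
    for victim, info in reflection_candidates(SAMPLE_FLOWS).items():
        print(f"{victim}: {info['bytes']} bytes from {len(info['reflectors'])} "
              f"reflectors on UDP/{MEMCACHED_PORT}: {info['reflectors']}")
```

The reflector addresses in the output are the exposed servers to report and block, not the attacker, whose address never appears in the reflected traffic.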
  • Last modified: 2019/02/07 13:11