SBN Custom Signature Provides Protection in New Wave of DDoS Attacks

Only one week after a massive DDoS attack knocked GitHub offline, a new attack dubbed “Memcrash” used the same methods to hack a U.S. service provider by targeting memcache servers. In this case where almost 100,000 memcache servers were attacked, hackers used the memcached protocol, which enabled them to target UDP port 11211. Unsecured, exposed ports enabled hackers to implant large payloads on an exposed memcached server. As with most attacks, once in, damage can be done swiftly.

The magnitude of this kind of attack is something we just haven’t seen before. Because memcache is specifically designed to cache databases so websites and networks can speed performance, it also can dramatically increase the rapidity with which attacks occur by a factor of as much as 51,000.

DevOps Connect:DevSecOps @ RSAC 2022

In attacking UDP port 12111, attackers were able to implant a large payload on an exposed memcached server. Then, the attacker spoofs the “get” request message with target source IP. The lesson for any organization running memcache servers is, among other things, that it’s critical to be both rigorous in making authentication controls and passwords mandatory, but also have to use specifically designed controls to ensure UDP port 11211 is not exposed publicly.

From what we can tell now, AWS ElastiCache is most likely not affected by this attack, and even in cases where it is, the risk is very low. Even if an environment allowed Security Groups that are attached to ElastiCache to access an instance publicly (allow, ElastiCache clusters do not have a public IP address, and therefore cannot be accessed outside of the VPC.

Any organization running a memcache server should do two things: first, run AWS ElasticCache in VPC; and secondly, employ the custom signature which will help you ensure that your memcached instances/clusters are not exposed.

You can use our custom signature, or more specifically, ESP users can go to:

ESP > Signatures > “copy and customize” one of the “Global Admin Port Access xxxx” signtures:

(customize line 46)
proto_port_list: [


If you use EC2 to host memcached instead of using AWS Elasticache, and if you use custom ports, you can add the ports to the list above.

Stay safe out there. If you need help, just reach out.

The post Custom Signature Provides Protection in New Wave of DDoS Attacks appeared first on Cloud Sentry Blog.

*** This is a Security Bloggers Network syndicated blog from Cloud Sentry Blog authored by Patrick Flanders. Read the original post at: