Using its Flowmon probes (NetFlow), the Coolhousing data center has detected a memcache vulnerability that can lead to DDoS attacks from various internal and external source addresses, usually from the USA, China and Russia, with UDP source port 11211.
This offensive behavior has also been detected by other network operators, and extensive information exchange is taking place among CSIRT teams to avoid service outages across the Internet.
These attacks are caused by an unsecured memcache server that is listening on UDP port 11211. The attacker takes advantage of this misconfigured server to mount an amplification attack against another party on the Internet. Thus, the target of the attack is not always the server with the incorrect memcache setting, which becomes “only” a part of the botnet, but someone else entirely.
Similar abuse of incorrectly configured servers has occurred many times in the past, for example with DNS (TCP port 53), NTP (UDP port 123), and others.
More information about this attack.
The Coolhousing data center CSIRT team would like to ask all server administrators, not only Coolhousing data center clients, to check all their server settings, particularly memcache settings and communication on/via UDP port 11211. Your checks will contribute to a safer and better Internet.
Thank you very much.
CSIRT Coolhousing
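
One way to run the check requested above on a Linux host, as an added example that is not Coolhousing's own code: the function reads listener lines in the format printed by `ss -H -uln` and prints every non-loopback address bound to UDP port 11211. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list non-loopback UDP listeners on the memcache port.
# Input format: lines as printed by `ss -H -uln` (Linux iproute2).

MEMCACHE_PORT=11211

# Reads ss listener lines on stdin; prints one address per socket that is
# bound to UDP $MEMCACHE_PORT on anything other than a loopback address.
exposed_memcache_udp() {
    awk -v port="$MEMCACHE_PORT" '
    {
        # The local endpoint is the first field ending in ":<digits>";
        # this works with or without a leading Netid column.
        local_ep = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /:[0-9]+$/) { local_ep = $i; break }
        if (local_ep == "") next

        n = split(local_ep, parts, ":")
        if (parts[n] != port) next

        # Address = endpoint minus ":port", brackets and "%interface".
        addr = substr(local_ep, 1, length(local_ep) - length(parts[n]) - 1)
        gsub(/\[/, "", addr)
        gsub(/\]/, "", addr)
        sub(/%.*/, "", addr)

        # Loopback-only listeners cannot be used as reflectors from outside.
        if (addr ~ /^127\./ || addr == "::1") next
        print addr
    }'
}

# Constructed sample input (not captured from a real host).
SAMPLE='UNCONN 0 0 0.0.0.0:11211 0.0.0.0:*
UNCONN 0 0 127.0.0.1:11211 0.0.0.0:*
UNCONN 0 0 [::1]:11211 [::]:*
UNCONN 0 0 [::]:11211 [::]:*
UNCONN 0 0 192.0.2.10%eth0:11211 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 *:11211 *:*'

printf '%s\n' "$SAMPLE" | exposed_memcache_udp
```

On a live host, run `ss -H -uln | exposed_memcache_udp`; any address it prints is a memcache UDP listener reachable beyond loopback unless a firewall blocks the port.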