In this lecture, we'll be talking about the memcached DDoS attack, which is the cause of one of the biggest DDoS attacks of all time, will you voice. Now let's shortly define what memcached is, in case you haven't heard of it. It's a database caching system for speeding up the websites and networks. But instead of using traditional hard drives, memcached uses the ram random access memory. In other words, it works much faster than a regular caching system, because it uses the memory of the server, not the hard disk. As part of the protocol, when a server sees a memcached GET request, it collects the requested values from memory to form a response.

It does sends over the internet in an uninterrupted stream of multiple UDP packets. So basically, once the request comes in, it just sends it out as multiple UDP packets Each with a length of up to 1400 bytes. Up until now everything is fine. But the problem is it has no authentication. So it's easy to abuse. And how it is abused is basically the attacker can insert his request to open memcached server.

By default, memcached uses a limit of one megabyte per stored value. But an attacker can insert even larger volumes since any user can configure it. So here as we can see, lack of authentication. Long story short, any user can abuse the memcached protocol. And this is the basis of the attack. Now memcached is a quite popular way of catching since it's quite fast.

It's used by most of the social media platforms like Facebook, and Twitter. As a result, there are so many servers probably around 100 Thousand servers with this vulnerability. And therefore, the attack volume is huge hundreds of gigabytes or terabytes per second. Therefore, it's almost impossible to withstand without the CDN solution. We will be talking about CDs at the end of the course. But for now, you can consider it as a paid service to protect your environment.

Since there is almost no server, which can withstand such a big attack, without basically help. And that's what makes memcached is a special type of DDoS attack. You have basically no way to protect yourself by yourself. You cannot protect yourself as I just said, but you can at least in case you have a memcached server, prevent your server from being abused in an attack to other people. And the way to do that is actually quite simple. You need to configure the mem cache configuration file with it.

Text Editor. And first you need to find the M parameter, change the value to one gigabyte, then the URL parameter changes for you to localhost or to this value. And then you basically need to save the changes and restart to memcached server and what else you can do in order to prevent your memcached server from being abused. Disable UDP support. If you're not using it. Make sure firewall is in place, especially on port 11211, which is the port that memcached uses.

Prevent IP spoofing. Just double check if the source IP is spoofed or not. And most importantly, remember the amplification factor in the settings since it will reduce the effect of the attack even if your memcached server is being abused. Thanks to this at least it will not generate the large traffic that the attacker wants