
Amplification Chamber: Dissecting the Attack Infrastructure of Memcached DRDoS Attacks

  • Conference paper
  • In: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2022)

Abstract

Distributed and reflective denial-of-service (DRDoS) attacks have been one of the most devastating and harmful threats on the Internet. By abusing open Internet services such as DNS and NTP, attackers can boost traffic without revealing their IP addresses. In the case of Memcached DRDoS attacks, adversaries often set large caches on amplifiers using TCP requests before launching the attack, which gives us hints about the IP addresses of the attack infrastructure. In this paper, we trace these anonymous attacks back to their origins and investigate their attack infrastructure. During 15 months of monitoring (September 2018 to November 2019) via eleven honeypots, we observed 820,729 Memcached DRDoS attacks. Of these, 370,795 attacks were associated with TCP set requests, and 127,771 attacks were associated with UDP set requests. We found 199 unique IP addresses in 54 ASes used to set the large caches for these attacks, and that attackers keep using the same large caches or even borrow a cache set by someone else. This implies a relatively small number of threat actors compared to the vast number of attacks. In the hotspots where setters are concentrated, the attack infrastructures had functionalities such as scanners to find amplifiers, setters to prepare the attacks, and launchers to generate the DDoS traffic. By conducting a TTL-based trilateration analysis, we found that 7,407 attacks originated from the setters, indicating that 16.6% of the setters also worked as launchers.

Finally, we confirmed that there were still over 15,000 amplifiers in the wild, scattered over 1,000 ASes. This result suggests that the threat of Memcached DRDoS attacks will continue to exist, and our analysis of the attack infrastructures could provide helpful information for practical actions such as takedowns. We have provided the obtained results on the attack infrastructures to our national CERT.

M. Kondo and N. Shintani—This work was done while researching at the University.


Notes

  1. The term amplification factor stands for the number of UDP payload bytes that an amplifier sends to answer a request, compared to the number of UDP payload bytes of the request [10].
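The attribution idea in the abstract (a TCP set request exposes the setter's real address, and later UDP get floods that reference the same key can be linked back to it) and the amplification-factor definition in Note 1, as an added worked example that is not the paper's own code or data: the log lines are constructed, only TCP sets are treated as attributable, and the single-honeypot TTL comparison is a simplification of the paper's multi-honeypot trilateration that I assume here for illustration.

```python
from collections import defaultdict

# Constructed log (not the paper's data): proto src ttl cmd key [value_bytes]; UDP src = spoofed victim.
SAMPLE_LOG = """\
tcp 198.51.100.7 51 set k1 1048576
tcp 198.51.100.7 51 set k2 524288
udp 203.0.113.9 51 get k1
udp 203.0.113.9 51 get k1
udp 203.0.113.9 51 get k2
udp 203.0.113.20 64 get k1
udp 192.0.2.55 240 get k3
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        p = line.split()
        ev = {"proto": p[0], "src": p[1], "ttl": int(p[2]), "cmd": p[3], "key": p[4]}
        ev["size"] = int(p[5]) if len(p) > 5 else None
        events.append(ev)
    return events

def attribute_attacks(events):
    """Link each UDP get flood (src = victim) to the IP that set the key over TCP.
    Returns ({victim: {setter_or_None: count}}, {key: (setter, ttl, size)})."""
    cache = {}  # key -> (setter_ip, setter_ttl, value_bytes); TCP source is not spoofable
    attacks = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["proto"] == "tcp" and ev["cmd"] == "set":
            cache[ev["key"]] = (ev["src"], ev["ttl"], ev["size"])
        elif ev["proto"] == "udp" and ev["cmd"] == "get":
            setter = cache.get(ev["key"], (None,))[0]  # None: key set elsewhere ("borrowed")
            attacks[ev["src"]][setter] += 1
    return attacks, cache

def setter_launcher_candidates(events, cache):
    """Single-honeypot stand-in (assumption) for the paper's TTL trilateration: flag a
    (victim, setter) pair when attack packets carry the TTL seen on the setter's TCP set."""
    hits = set()
    for ev in events:
        if ev["proto"] == "udp" and ev["cmd"] == "get" and ev["key"] in cache:
            if ev["ttl"] == cache[ev["key"]][1]:
                hits.add((ev["src"], cache[ev["key"]][0]))
    return hits

def amplification_factor(key, value_bytes):
    """Note 1: response UDP payload bytes / request UDP payload bytes; the reply is
    modelled as the text-protocol "VALUE <key> <flags> <bytes>" header, data and END line."""
    response = len(f"VALUE {key} 0 {value_bytes}\r\n") + value_bytes + len("\r\nEND\r\n")
    return response / len(f"get {key}\r\n")
```

In the constructed log the same setter serves two victims (the reuse of large caches the abstract describes), the k3 flood has no known setter, and only the first victim's packets share the setter's hop distance.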

References

  1. AmpPot: Honeypot for monitoring amplification DDoS attacks | datasets. https://sec.ynu.codes/dos/datasets

  2. Censys. https://censys.io/

  3. CVE-2018-1000115 detail. https://nvd.nist.gov/vuln/detail/cve-2018-1000115

  4. Memcached: a distributed memory object caching system. https://memcached.org/

  5. RIPE Atlas. https://atlas.ripe.net

  6. Akamai SIRT Alerts: Memcached-fueled 1.3 Tbps attacks. https://securityboulevard.com/2018/03/memcached-fueled-1-3-tbps-attacks/

  7. Büscher, A., Holz, T.: Tracking DDoS attacks: insights into the business of disrupting the web. In: Proceedings of the 5th USENIX LEET, LEET 2012 (2012)

  8. Welzel, A., Rossow, C., Bos, H.: On measuring the impact of DDoS botnets. In: Proceedings of the 7th European Workshop on Systems Security, EuroSec 2014 (2014)

  9. Collier, B., Thomas, D.R., Clayton, R., Hutchings, A.: Booting the booters: evaluating the effects of police interventions in the market for denial-of-service attacks. In: Proceedings of the 2019 Internet Measurement Conference, IMC 2019 (2019)

  10. Rossow, C.: Amplification hell: revisiting network protocols for DDoS abuse. In: Proceedings of the 2014 Network and Distributed System Security Symposium, NDSS 2014 (2014)

  11. Kopp, D., Dietzel, C., Hohlfeld, O.: DDoS never dies? An IXP perspective on DDoS amplification attacks. In: Hohlfeld, O., Lutu, A., Levin, D. (eds.) PAM 2021. LNCS, vol. 12671, pp. 284–301. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-72582-2_17

  12. Mirkovic, J., Reiher, P.: A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Comput. Commun. 34(2), 39–53 (2004)

  13. Mirkovic, J., Dietrich, S., Dittrich, D., Reiher, P.: Internet denial of service: attack and defense mechanisms. In: Perlman, R. (ed.) Computer Networking and Security Book Series (2004)

  14. Krupp, J., Backes, M., Rossow, C.: Identifying the scanners and attack infrastructure behind amplification DDoS attacks. In: Proceedings of the 23rd ACM Conference on Computer and Communications Security, CCS 2016 (2016)

  15. Santanna, J.J., De Schmidt, R.O., Tuncer, D., De Vries, J., Granville, L.Z., Pras, A.: Booter blacklist: unveiling DDoS-for-hire websites. In: Proceedings of the 2016 12th International Conference on Network and Service Management, CNSM 2016 (2016)

  16. Santanna, J.J., Durban, R., Sperotto, A., Pras, A.: Inside booters: an analysis on operational database. In: Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management, IM 2015 (2015)

  17. Bai, K.: Analysis and prevention of Memcache UDP reflection amplification attack. Int. J. Sci. 5(3), 297–302 (2018)

  18. Krämer, L., et al.: AmpPot: honeypot for monitoring amplification DDoS attacks. In: Proceedings of the 18th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2015 (2015)

  19. Singh, K., Singh, A.: Memcached DDoS exploits: operations, vulnerabilities, preventions and mitigations. In: Proceedings of the 2018 IEEE 3rd International Conference on Computing, Communication and Security, ICCCS 2018 (2018)

  20. Kührer, M., Hupperich, T., Rossow, C., Holz, T.: Exit from hell? Reducing the impact of amplification DDoS attacks. In: Proceedings of the 23rd USENIX Security Symposium, USENIX 2014 (2014)

  21. Jonker, M., Pras, A., Dainotti, A., Sperotto, A.: A first joint look at DoS attacks and BGP blackholing in the wild. In: Proceedings of the 2018 Internet Measurement Conference, IMC 2018 (2018)

  22. MaxMind: GeoIP2 database. https://www.maxmind.com/

  23. Karami, M., McCoy, D.: Understanding the emerging threat of DDoS-as-a-service. In: Presented as part of the 6th USENIX Workshop on Large-Scale Exploits and Emergent Threats (2013)

  24. Morales, C.: 1 Terabit DDoS attacks become a reality; reflecting on five years of reflections. https://www.netscout.com/blog/asert/1-terabit-ddos-attacks-become-reality-reflecting-five-years

  25. Morales, C.: NETSCOUT Arbor confirms 1.7 Tbps DDoS attack; the terabit attack era is upon us. https://www.netscout.com/blog/asert/netscout-arbor-confirms-17-tbps-ddos-attack-terabit-attack-era

  26. Nivedita, M., et al.: Memcached: an experimental study of DDoS attacks for the wellbeing of IoT applications. Sensors (Basel) 21(23), 8071 (2021)

  27. Nishtala, R., et al.: Scaling Memcache at Facebook. In: Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2013 (2013)

  28. Kumar, S.: Smurf-based distributed denial of service (DDoS) attack amplification. In: Proceedings of the Second International Conference on Internet Monitoring and Protection (ICIMP 2007) (2007)

  29. Farsight Security: DNSDB. https://www.dnsdb.info/

  30. Giotsas, V., Smaragdakis, G., Dietzel, C., Richter, P., Feldmann, A., Berger, A.: Inferring BGP blackholing activity in the Internet. In: Proceedings of the 2017 Internet Measurement Conference, IMC 2017 (2017)

  31. Paxson, V.: An analysis of using reflectors for distributed denial-of-service attacks. ACM SIGCOMM Comput. Commun. 31(3), 38–47 (2001)

  32. Durumeric, Z., Bailey, M., Halderman, J.A.: An Internet-wide view of Internet-wide scanning. In: Proceedings of the 23rd USENIX Security Symposium, USENIX 2014 (2014)


Acknowledgements

A part of this research was conducted in “WarpDrive: Web-based Attack Response with Practical and Deployable Research Initiative” project, supported by the National Institute of Information and Communications Technology, Japan. A part of this research was conducted in “MITIGATE” project among “Research and Development for Expansion of Radio Wave Resources (JPJ000254)”, supported by the Ministry of Internal Affairs and Communications, Japan. A part of this research was supported by JSPS KAKENHI Grant Numbers 21H03444.

Corresponding author

Correspondence to Rui Tanabe.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Kondo, M., Tanabe, R., Shintani, N., Makita, D., Yoshioka, K., Matsumoto, T. (2022). Amplification Chamber: Dissecting the Attack Infrastructure of Memcached DRDoS Attacks. In: Cavallaro, L., Gruss, D., Pellegrino, G., Giacinto, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2022. Lecture Notes in Computer Science, vol 13358. Springer, Cham. https://doi.org/10.1007/978-3-031-09484-2_10


  • DOI: https://doi.org/10.1007/978-3-031-09484-2_10


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-09483-5

  • Online ISBN: 978-3-031-09484-2
