A flaw in the way Memcached servers implement the UDP protocol can allow anyone to launch a massive Distributed Denial of Service (DDoS) attack with little effort.

The problem was first discovered by the 0kee Team from China, which published a paper about it (pdf). This past week, security researchers at content delivery network (CDN) specialist Cloudflare also wrote about the issue, and CDN specialist Akamai and security provider Arbor Networks recently published their findings.

Memcached is an open-source, distributed in-memory key-value cache used by database-driven sites. It keeps the most frequently requested data in RAM so the site does not have to fetch it from the database or disk over and over again. It runs on standard server hardware, typically provisioned with as much memory as possible.

What researchers found is that Memcached's developers implemented support for the UDP protocol in an insecure way. Cloudflare said it detected several DDoS attacks carried out via exposed Memcached servers in the past few days, which is what led to the discovery.

“Over last couple of days, we've seen a big increase in an obscure amplification attack vector — using the memcached protocol, coming from UDP port 11211,” the company wrote in a blog post.

Poorly implemented UDP puts exposed Memcached servers at risk for DDoS attack

Cloudflare said that because UDP support was not implemented properly, an attacker can send a request of just a few bytes to an exposed Memcached server, and instead of replying with a response of similar size, the server answers with packets that are sometimes thousands of times larger than the request. That is the essence of an amplification attack: the victim receives far more traffic than the attacker has to send.

A carefully prepared technique allows an attacker with limited IP spoofing capacity, such as 1Gbps, to launch very large attacks reaching hundreds of gigabits per second, Cloudflare reported.
The company cited one recent DDoS attack launched against its network in which attackers sent 15-byte requests and Memcached servers responded with packets of about 750KB, roughly 50,000 times the size of the request.

Because UDP is connectionless and involves no handshake, the server never verifies that the source IP address in the request is genuine, so it can be easily spoofed. An attacker can therefore trick the Memcached server into sending its oversized response packets to another IP address, the hapless target.

Memcached servers also expose their UDP port to external connections in the default configuration of the versions deployed at the time, meaning any Memcached server reachable from the Internet and not behind a firewall can be abused for DDoS attacks right now. (Memcached 1.5.6, released as these reports came out, changed the default so that UDP is disabled unless explicitly enabled.)

The fix is fairly easy, and Cloudflare spells it out in its report. Memcached operators should disable UDP immediately by starting memcached with -U 0, bind the service to a loopback or private interface with -l, and place these servers on private networks behind firewalls that block port 11211 (TCP and UDP) from the Internet. After making the change, confirm from outside the network that the server no longer answers on UDP port 11211.