It shouldn’t have happened because it shouldn’t have been possible.
Supposedly, everybody running Memcached servers knows they were never intended to be exposed to the public internet: anyone can query them, and they will politely respond, no authentication required.
As Steven J. Vaughan-Nichols put it on ZDNet, “All too often, incompetent system administrators (sysadmins) have exposed memcached-enabled servers to the internet. Memcached was never, ever meant to be available over the public internet. It has no authentication, so it’s easy to abuse.”
Or as Sammy Migues, senior member, technical, in the Synopsys Software Integrity Group, put it, “If you still think you must have your Memcached server exposed to the internet, you’re still wrong.”
And as Akamai, which provides a DDoS mitigation service called Prolexic, noted in a blog post this past week, when an attacker can spoof IP addresses of UDP traffic, “the protocol can be easily abused as a reflector when it is exposed to the Internet.”
By how much? “It is possible that an attacker could purposely place a 1MB value in the data store, and using a spoofed UDP packet request that single 1MB value hundreds of times per request,” Akamai said.
“This would result in a massive amplification factor where a 203 byte request results in 100MB response of reflected traffic, per request. It doesn’t take much imagination to see how this could be and is being abused.”
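The amplification Akamai describes shows up in a server's own traffic as tiny UDP requests on port 11211 followed by enormous responses to the same (spoofed) address. The following is an added detection example, not code from the article or from Akamai; it runs over constructed flow records, and the 50x flag threshold and the record format are assumptions.

```python
"""Flag memcached UDP reflection in constructed flow records.

Record format (assumed): proto,src_ip,src_port,dst_ip,dst_port,packets,bytes.
Inbound and outbound flows are paired per (server, peer) so the byte ratio,
i.e. the amplification factor, can be computed directly.
"""
import csv
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed sample flows (not real traffic): 203-byte requests "from" the
# spoofed victim 198.51.100.7 draw multi-megabyte responses from 192.0.2.10.
SAMPLE_FLOWS = """\
udp,198.51.100.7,53211,192.0.2.10,11211,10,2030
udp,192.0.2.10,11211,198.51.100.7,53211,7300,10000000
udp,203.0.113.5,40001,192.0.2.10,11211,3,120
udp,192.0.2.10,11211,203.0.113.5,40001,3,150
tcp,203.0.113.9,51000,192.0.2.10,11211,20,4000
tcp,192.0.2.10,11211,203.0.113.9,51000,25,9000
"""

def amplification_by_peer(flow_text):
    """Return {(server, peer): (bytes_in, bytes_out)} for UDP memcached flows."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.reader(flow_text.splitlines()):
        proto, sip, sport, dip, dport, _pkts, nbytes = row
        if proto != "udp":
            continue  # reflection relies on spoofable UDP; TCP handshakes defeat it
        if int(dport) == MEMCACHED_PORT:       # request arriving at the cache
            totals[(dip, sip)][0] += int(nbytes)
        elif int(sport) == MEMCACHED_PORT:     # response leaving the cache
            totals[(sip, dip)][1] += int(nbytes)
    return {k: tuple(v) for k, v in totals.items()}

def find_reflection(flow_text, min_ratio=50.0):
    """Return [(server, peer, ratio)] where responses dwarf requests (assumed threshold)."""
    hits = []
    for (server, peer), (b_in, b_out) in amplification_by_peer(flow_text).items():
        if b_in and b_out / b_in >= min_ratio:
            hits.append((server, peer, round(b_out / b_in, 1)))
    return hits

if __name__ == "__main__":
    for server, peer, ratio in find_reflection(SAMPLE_FLOWS):
        print(f"{server} reflecting to {peer}: {ratio}x amplification")
```

Because the victim's address appears as the request source, the flagged peer is the target being flooded, not the attacker.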