
Memcached DDoS Exploit Threatening a Large Number of Servers

Cybercriminals often use Distributed Denial of Service (DDoS) attacks against websites and network resources. DDoS attacks typically use malware placed on thousands of computers to flood a targeted network resource with many connection requests or malformed packets.

A new type of DDoS attack has just been exposed which uses the memory caching tool Memcached to dramatically increase the extent of the attack. This is a very dangerous form of DDoS attack that could potentially affect millions of computer networks.

What is Memcached?

Memcached is an open source distributed memory object caching system. It is used by servers to save small amounts of data to RAM, so that data can be returned to clients very quickly. Memcached is often used to speed up dynamic database-driven websites and relieve database load.

Worldwide, millions of servers have Memcached installed. Some of the largest websites in the world use it, including Reddit, Facebook, YouTube and Twitter.

How does this new attack work?

This attack uses unprotected Memcached servers to amplify DDoS attacks, making them up to 51,200 times more powerful. It works like other amplification attacks: the attacker sends a small request, with the source IP address spoofed to that of the victim, to the vulnerable server, which then returns a much larger response.

That response can be up to 51,200 times larger than the original request. Because the server sends it to the spoofed source address, the response lands on the victim, and the combined responses from many servers flood the targeted network resource or website with data.

This attack was first reported by Akamai, Arbor Networks and Cloudflare on Tuesday the 27th of February 2018. All three companies noticed a significant increase in the number of DDoS attacks using User Datagram Protocol (UDP) amplified by Memcached servers. Cloudflare dubbed the attack Memcrashed.

Cloudflare found that 15 bytes of request data triggered a 134 KB response, an amplification factor of roughly 10,000x. In practice, they found that a 15-byte request could result in a 750 KB response (51,200x amplification).

Currently, most of the affected servers are hosted with Sakura, OVH, DigitalOcean, and some small hosting providers. Network monitoring firm Shodan has already found 88,000 open Memcached servers which are vulnerable to this attack.

In the days after the exploit was released, Cloudflare saw as much as 260 Gbps of inbound UDP traffic coming from Memcached installations. The huge increase in attack volume that this amplification technique provides is what makes it so powerful.
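The amplification described above leaves a characteristic trace on the hosting side: tiny UDP requests arriving at port 11211 and enormous UDP responses leaving it towards the same peer. The following detector, an added example that is not part of the original post, runs over constructed flow records (the log format, addresses and sizes are assumptions) and flags peers that received far more from udp/11211 than they sent, i.e. the likely spoofed victims.

```python
import re
from collections import defaultdict

# Constructed flow records (not from the post): "ts proto src:sport -> dst:dport pkts bytes".
# 192.0.2.10 plays the role of a Memcached host exposed on UDP; 768000 / 15 = 51200x.
SAMPLE_FLOWS = """\
2018-02-27T10:00:01 UDP 198.51.100.7:53412 -> 192.0.2.10:11211 1 15
2018-02-27T10:00:01 UDP 192.0.2.10:11211 -> 198.51.100.7:53412 547 768000
2018-02-27T10:00:02 TCP 203.0.113.5:40122 -> 192.0.2.10:11211 12 1400
2018-02-27T10:00:02 TCP 192.0.2.10:11211 -> 203.0.113.5:40122 10 2100
2018-02-27T10:00:03 UDP 203.0.113.9:61001 -> 192.0.2.10:11211 1 40
2018-02-27T10:00:03 UDP 192.0.2.10:11211 -> 203.0.113.9:61001 1 120
"""

FLOW_RE = re.compile(r"^(\S+) (UDP|TCP) (\S+):(\d+) -> (\S+):(\d+) (\d+) (\d+)$")
MEMCACHED_PORT = 11211  # default Memcached port, also used for UDP


def parse_flows(text):
    """Parse the constructed flow format into dicts; silently skip malformed lines."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, proto, src, sport, dst, dport, pkts, nbytes = m.groups()
        flows.append(dict(ts=ts, proto=proto, src=src, sport=int(sport), dst=dst,
                          dport=int(dport), pkts=int(pkts), bytes=int(nbytes)))
    return flows


def udp_amplification_by_peer(flows, port=MEMCACHED_PORT):
    """Return {peer: (bytes_in, bytes_out, ratio)} for UDP traffic touching the Memcached port."""
    acc = defaultdict(lambda: [0, 0])
    for f in flows:
        if f["proto"] != "UDP":
            continue
        if f["dport"] == port:      # request arriving at our Memcached (possibly spoofed)
            acc[f["src"]][0] += f["bytes"]
        elif f["sport"] == port:    # response leaving our Memcached towards the peer
            acc[f["dst"]][1] += f["bytes"]
    return {peer: (b_in, b_out, b_out / b_in if b_in else float("inf"))
            for peer, (b_in, b_out) in acc.items()}


def flag_reflection_victims(flows, min_ratio=100.0, min_bytes=100_000):
    """Peers whose outbound/inbound byte ratio and volume look like reflected amplification."""
    stats = udp_amplification_by_peer(flows)
    return sorted(p for p, (b_in, b_out, r) in stats.items() if r >= min_ratio and b_out >= min_bytes)
```

Run against real NetFlow or firewall logs, the same per-peer ratio separates legitimate UDP clients (ratio near 1-3) from reflection abuse (ratio in the thousands).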

An amplification attack is different from a reflection attack, which is often used during DDoS attacks. A reflection attack forges a victim’s IP address to make it seem like the victim is sending requests to a number of machines. Those machines all respond with data, resulting in an overwhelming number of responses that cause the network resource to crash. Many DDoS attacks also use publicly available DNS servers to flood victims with responses. It is somewhat unusual for an amplification attack to be utilised as part of a DDoS attack.

Two different DDoS tools have already been released using this exploit. One is written in the C programming language and comes with a pre-compiled list of 17,000 vulnerable servers. The other is written in Python and uses the Shodan API to obtain lists of vulnerable Memcached servers. It can find a fresh list of servers before sending UDP packets to all available servers.

The attacks we have seen in March are much larger than the initial DDoS attacks. A 1.35 Tbps attack hit GitHub this month and an unnamed U.S. company received a 1.7 Tbps attack. Following these recent attacks, some Akamai customers reported receiving extortion messages demanding US$15,000 in cryptocurrency to stop the attacks on their servers.

Security firm Corero claims that this vulnerability can even be used to coax sensitive data from Memcached servers. This includes customer information, confidential database records, emails, API data, and much more.

Corero says that an attacker can run a debug command to retrieve information from Memcached without authentication. This may allow attackers to modify data before reinserting it within the cache — which could create many more types of vulnerabilities within a server.

This is the first time that Memcached has been used to perform this kind of attack. However, reflection/amplification attacks have exploited many other protocols in the past, including DNS, SNMP, SSDP, and NTP.

Memcached DDoS Attack ‘Kill Switch’ Found

Fortunately, multiple solutions for this exploit have already been found. The simplest solution is to firewall, block or rate limit UDP requests being sent on port 11211 (the default UDP port for Memcached). Administrators can even disable UDP support on Memcached if they do not require it. Binding Memcached to a local interface is also effective.
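The two server-side fixes listed above (disable UDP, bind to a local interface) can be audited from the settings a running Memcached reports. The script below is an added example, not code from the post or from the Memcached project; it assumes the `STAT key value` line format of Memcached's `stats settings` reply (sample replies are constructed) and that `-U 0` and `-l <addr>` are the startup flags for the UDP port and listen address.

```python
# Constructed `stats settings` reply from an exposed host (not taken from the post).
EXPOSED_SETTINGS = """\
STAT maxbytes 67108864
STAT maxconns 1024
STAT tcpport 11211
STAT udpport 11211
STAT inter NULL
STAT verbosity 0
END
"""

# Constructed reply from a host that already applied both fixes.
HARDENED_SETTINGS = """\
STAT maxbytes 67108864
STAT maxconns 1024
STAT tcpport 11211
STAT udpport 0
STAT inter 127.0.0.1
STAT verbosity 0
END
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def parse_stats(text):
    """Turn 'STAT key value' lines into a dict; the trailing END line is ignored."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(" ", 2)
        if len(parts) == 3 and parts[0] == "STAT":
            settings[parts[1]] = parts[2]
    return settings


def audit_settings(text):
    """Return the weaknesses found: 'udp_enabled' and/or 'public_bind'."""
    s = parse_stats(text)
    findings = []
    if s.get("udpport", "0") != "0":           # udpport 0 means the UDP listener is off
        findings.append("udp_enabled")
    inter = s.get("inter", "NULL")             # NULL means all interfaces (assumed)
    addrs = [a.strip() for a in inter.split(",")]
    if inter == "NULL" or any(a not in LOOPBACK for a in addrs):
        findings.append("public_bind")
    return findings


def recommended_flags(findings):
    """Startup flags that close each finding; firewalling udp/11211 remains the other option."""
    flags = []
    if "udp_enabled" in findings:
        flags.append("-U 0")
    if "public_bind" in findings:
        flags.append("-l 127.0.0.1")
    return " ".join(flags)
```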

Security firm Corero Network Security says they have identified a kill switch that closes the Memcached vulnerability permanently. Their kill switch sends a command back to the attacking server to suppress the DDoS attack. It also invalidates the Memcached service’s cache, so any malicious payload that has been inserted into Memcached is automatically deleted.

The company claims they have tested the kill switch on live attack servers and it was fully effective. Corero says that the problem is a result of poor security practices on servers with Memcached installed. Memcached should not be exposed to the Internet in a way that can be exploited by cybercriminals. Corero is expected to release their kill switch in the coming weeks.


Darius S.
