Security Experts:

Memcached DDoS Attack 'Kill Switch' Found

Corero Network Security says they have discovered a “kill switch” to counteract the Memcached vulnerability that recently fueled some of the largest distributed denial-of-service (DDoS) attacks in history.

The company says it has disclosed the kill switch to national security agencies and also claims that the issue is more extensive than originally believed: an attacker exploiting it can also steal or modify data from vulnerable Memcached servers.

Memcached is a free and open source memory caching system that can work with a large number of open connections. Memcached servers allow connections via TCP or UDP on port 11211, with access requiring no authentication, which is why the system wasn’t designed to be accessible from the Internet.

In late February, however, web protection companies warned that the protocol can be abused for DDoS amplification, after the first attacks using it started to emerge. Within days, record-setting 1.3Tbps and 1.7Tbs DDoS attacks were observed.

“The exploit works by allowing attackers to generate spoof requests and amplify DDoS attacks by up to 50,000 times to create an unprecedented flood of attack traffic,” Corero explains.

With over 95,000 servers worldwide allowing connections on TCP or UDP port 11211 from the Internet, the potential for abuse by attackers is significant.

In fact, Corero claims that vulnerable Memcached servers can also be coaxed into divulging data cached from the local network or host, including confidential database records, website customer information, emails, API data, Hadoop information and more.

With no authentication required, an attacker can issue a simple debug command to retrieve the data. What’s more, the weakness can also be exploited to maliciously “modify the data and reinsert it into the cache,” the security company says.

The ‘kill switch’ that Corero has discovered would send a command back to an attacking server to suppress the DDoS exploitation. The countermeasure, the company explains, invalidates a vulnerable server’s cache, meaning that any potentially malicious payload that attackers might have planted will become useless.

The security firm claims it has tested the countermeasure quench packet on live attacking servers and that it proved fully effective, without causing collateral damage.

“Ironically, the Memcached utility was intended to cache frequently-used web pages and data to boost legitimate performance. But this utility has now been weaponized to exploit its performance boosting potential for illegitimate purposes,” Ashley Stephenson, CEO at Corero Network Security, commented.

The root cause of the problem, of course, is the poor security practices when setting up Memcached servers. Exposing them to the Internet is like leaving the front door open and expecting burglars not to barge in.

In a blog post last week, DigitalOcean pointed out that one option to mitigate attacks is “to bind Memcached to a local interface, disable UDP, and protect your server with conventional network security best practices.”

According to Victor Gevers, chairman of the GDI Foundation, upgrading or firewalling vulnerable Memcached servers on port 11211 should also prevent attacks.

Poorly secured Memcached servers don’t represent a new problem and many security experts, Gevers included, have long issued warnings in this regard. And while the problem might have been ignored until now, it becomes imperative to address it, as proof-of-concept (PoC) code for Memcached-based DDoS attacks has already been published online.

One of them, supposedly released for “educational and/or testing purposes only,” ended up on Pastebin, along with a list of around 17,000 hosts that can be abused for amplification. Another is a Python script that can leverage Shodan to scan for IPs of vulnerable Memcached servers.

Related: Largest Ever 1.3Tbps DDoS Attack Includes Embedded Ransom Demands

Related: Memcached Abused for DDoS Amplification Attacks

view counter