Another huge Memcached-based DDoS attack launched. How to stop it

It doesn’t take cyber attackers long to pick up on an effective idea. Four days after a huge distributed denial of service (DDoS) attack on GitHub fired a record-breaking 1.3TB of data at the site by leveraging misconfigured servers running the Memcached distributed caching system, a new record has been set.

DDoS mitigation provider Arbor Networks says its sensors recorded a 1.7Tbps reflection/amplification attack using the same technique against the website of one of its unnamed U.S.-based customers.

As an open source utility, Memcached comes with some Linux distributions. Administrators at organizations and Internet providers who haven’t checked whether their servers are running misconfigured or unprotected Memcached had better do it today. Among the recommendations:

– Install a firewall that allows access to Memcached servers only from the local network, says The Hacker News;

– Administrators should also consider blocking external traffic to the ports used by Memcached (for example port 11211, used by default), block or rate-limit UDP (user datagram protocol), or completely disable UDP support if it is not in use;

– If you are using memcached, disable UDP support if you are not using it, says Cloudflare. On memcached startup you can specify --listen 127.0.0.1 to listen only on localhost and -U 0 to disable UDP completely. By default Memcached listens on INADDR_ANY and runs with UDP support ENABLED. There’s documentation here: https://github.com/memcached/memcached/wiki/ConfiguringServer#udp

Cloudflare says it’s easy to test whether a server is vulnerable by running:

$ echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211
STAT pid 21357
STAT uptime 41557034
STAT time 1519734962
...

If you see a non-empty response (like the one above), your server is vulnerable;

– Cloudflare also urges developers to stop using UDP. If you must, don’t enable it by default.
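The same check, written here as an added Python example that is not from the article, Cloudflare or the memcached project, for running against your own hosts: it builds the 8-byte memcached UDP frame header plus "stats" exactly as in the echo/nc command above, reassembles any reply datagrams, and reports whether STAT lines came back (an empty list means UDP is not answering). The host, port and timeout parameters are assumptions.

```python
import socket
import struct

MEMCACHED_PORT = 11211                 # default port named in the article
UDP_HEADER = struct.Struct("!HHHH")    # request id, sequence no, datagram count, reserved


def build_stats_probe(request_id=0):
    """Same datagram as the echo/nc check: 8-byte UDP frame header followed by 'stats\\r\\n'."""
    return UDP_HEADER.pack(request_id, 0, 1, 0) + b"stats\r\n"


def parse_udp_frame(datagram):
    """Split one memcached UDP datagram into (request_id, seq, total_datagrams, payload)."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than the memcached UDP header")
    request_id, seq, total, _reserved = UDP_HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[UDP_HEADER.size:]


def stat_lines(payload):
    """Return the 'STAT ...' lines in a stats reply; empty if the server sent nothing useful."""
    text = payload.decode("ascii", "replace")
    return [line for line in text.split("\r\n") if line.startswith("STAT ")]


def probe_udp_stats(host="127.0.0.1", port=MEMCACHED_PORT, timeout=1.0):
    """Send the probe to a host you administer and return the STAT lines received over UDP."""
    chunks = {}          # sequence number -> payload, so multi-datagram replies reassemble in order
    expected = None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_stats_probe(), (host, port))
            while expected is None or len(chunks) < expected:
                data, _addr = sock.recvfrom(65535)
                _rid, seq, total, body = parse_udp_frame(data)
                expected = total
                chunks[seq] = body
        except OSError:
            pass         # timeout, ICMP port unreachable or closed port: nothing answering on UDP
    payload = b"".join(chunks[k] for k in sorted(chunks))
    return stat_lines(payload)


if __name__ == "__main__":
    lines = probe_udp_stats()
    if lines:
        print("UDP stats reply received (%d STAT lines): restart memcached with -U 0" % len(lines))
    else:
        print("no UDP stats reply: UDP is disabled or the port is not reachable")
```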

Memcached is an open source, high-performance, distributed memory object caching system originally intended to speed up dynamic web applications by alleviating database load. It comes with some Linux distributions. Users reportedly include Wikipedia, WordPress, Flickr and Craigslist. Because memcached can use UDP, which is easily spoofable, it’s ideal as a reflector for a DDoS attack, notes Akamai. And misconfigured Memcached servers can have an amplification factor of over 50,000, meaning a 203-byte request results in a 100-megabyte response.

On March 1 Akamai, Cloudflare and others announced the discovery of the 1.3TB attack against GitHub, as well as smaller attacks against other customers. “Because of its ability to create such massive attacks, it is likely that attackers will adopt Memcached reflection as a favorite tool rapidly,” Akamai accurately predicted. “Additionally, as lists of usable reflectors are compiled by attackers, this attack method’s impact has the potential to grow significantly.”

This isn’t a newly discovered vulnerability, Arbor Networks noted in a blog post last week with recommended mitigations. A presentation at Black Hat USA in 2010 pointed out that there were many insecure Memcached deployments which could be used to retrieve and possibly alter sensitive databases of Internet-facing services such as Web servers and e-commerce sites.

Separately, Cisco Systems’ Talos threat intelligence blog noted last summer that in late 2016 it had discovered memory vulnerabilities in Memcached that could be exploited by attackers. Early in 2017 it scanned the Internet and found about 107,000 Memcached servers exposed to the Internet, including 2,400 in Canada.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
