IT World Canada

Another huge Memcached-based DDoS attack launched. How to stop it


It doesn’t take cyber attackers long to pick up on an effective idea. Four days after a huge distributed denial of service (DDoS) attack on GitHub peaked at a record-breaking 1.3 Tbps, using exposed and misconfigured servers running the Memcached distributed caching system as reflectors, a new record has been set.

DDoS mitigation provider Arbor Networks says its sensors recorded a 1.7 Tbps reflection/amplification attack using the same technique against the website of one of its unnamed U.S.-based customers.

Memcached is an open source utility that ships with some Linux distributions. Administrators at organizations and Internet providers who haven’t checked whether their servers are running misconfigured or unprotected Memcached had better do it today. Among the recommendations:

–install a firewall that allows access to Memcached servers only from the local network, says The Hacker News;

–Administrators should also block external traffic to the ports used by Memcached (port 11211 by default), block or rate-limit UDP (user datagram protocol) traffic to those ports, or disable UDP support completely if it is not in use;

–If you are using memcached, disable UDP support if you are not using it, says Cloudflare. On memcached startup you can specify --listen 127.0.0.1 to listen only on localhost and -U 0 to disable UDP completely. By default Memcached listens on INADDR_ANY (every interface) and runs with UDP support enabled. (Memcached 1.5.6, released at the end of February 2018, turns UDP off by default, but an older package or an explicit -U in an existing configuration still leaves it on.) There’s documentation here: https://github.com/memcached/memcached/wiki/ConfiguringServer#udp

Cloudflare says it’s easy to test whether a server is vulnerable by running:

$ echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211
STAT pid 21357
STAT uptime 41557034
STAT time 1519734962
...

If you see a non-empty response (like the one above), your server is vulnerable. Note that this command is run on the server itself against 127.0.0.1, so a reply only proves that UDP is enabled; to confirm the server is actually reachable as a reflector, run the same command from a host outside your network against the server’s public address, and check that the firewall drops UDP to port 11211 from outside;

–Cloudflare also urges developers to stop building services on UDP. If you must, don’t enable it by default.
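The two settings in the recommendations above (bind to loopback, -U 0) can be checked mechanically against a running memcached’s command line or a Debian-style /etc/memcached.conf. The following is an added example written for this page, not code from the article, Cloudflare or the memcached project; it assumes the memcached 1.4/1.5 flags -l/--listen, -p/--port and -U/--udp-port, the pre-1.5.6 default of UDP on port 11211 when no -U is given, and a constructed sample configuration.

```python
"""Audit memcached startup flags for reflection exposure and emit the
hardened equivalent. Added example, not the article's or memcached's code.

Assumptions: memcached 1.4/1.5 flags (-l/--listen, -p/--port, -U/--udp-port);
pre-1.5.6 default of UDP enabled on 11211 when -U is absent; other flags
are passed through untouched. The sample config at the bottom is constructed.
"""
import ipaddress
import shlex

DEFAULT_PORT = 11211
# flags that take a value and that the audit cares about
VALUE_FLAGS = {
    "-l": "listen", "--listen": "listen",
    "-p": "port", "--port": "port",
    "-U": "udp_port", "--udp-port": "udp_port",
}


def parse_flags(argv):
    """Reduce an argv list to listen addresses, TCP port and UDP port.
    UDP port 0 means UDP is off (that is what -U 0 does)."""
    settings = {"listen": [], "port": DEFAULT_PORT, "udp_port": DEFAULT_PORT}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--") and "=" in arg:
            key, value = arg.split("=", 1)
            i += 1
        elif arg in VALUE_FLAGS:
            key, value = arg, (argv[i + 1] if i + 1 < len(argv) else "")
            i += 2
        else:
            i += 1          # flag we do not audit, or a value already consumed
            continue
        name = VALUE_FLAGS.get(key)
        if name == "listen":
            settings["listen"].extend(a.strip() for a in value.split(",") if a.strip())
        elif name in ("port", "udp_port"):
            settings[name] = int(value)
    return settings


def _is_loopback(addr):
    """True for 127.0.0.0/8 and ::1, also when written as addr:port."""
    for candidate in (addr, addr.rsplit(":", 1)[0]):
        try:
            return ipaddress.ip_address(candidate).is_loopback
        except ValueError:
            continue
    return False        # hostnames: not proven local, so flag them


def audit(argv):
    """Return a list of findings; an empty list means both fixes are in place."""
    s = parse_flags(argv)
    findings = []
    if not s["listen"]:
        findings.append("no -l/--listen: memcached binds INADDR_ANY (every interface)")
    elif not all(_is_loopback(a) for a in s["listen"]):
        findings.append("listens on a non-loopback address: " + ", ".join(s["listen"]))
    if s["udp_port"] != 0:
        findings.append(f"UDP enabled on port {s['udp_port']}: usable as a reflector (fix: -U 0)")
    return findings


def harden(argv):
    """Drop any existing listen/UDP flags and append the loopback + -U 0 fix."""
    kept, i = [], 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-l", "--listen", "-U", "--udp-port"):
            i += 2                           # flag plus its value
        elif arg.startswith(("--listen=", "--udp-port=")):
            i += 1
        else:
            kept.append(arg)
            i += 1
    return kept + ["-l", "127.0.0.1", "-U", "0"]


def audit_conf(text):
    """Audit a Debian-style /etc/memcached.conf: one flag per line, # comments."""
    argv = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            argv.extend(shlex.split(line))
    return audit(argv)


if __name__ == "__main__":
    # constructed example of a typical pre-1.5.6 Debian config, not a real file
    sample_conf = "-d\nlogfile /var/log/memcached.log\n-m 64\n-p 11211\n-u memcache\n"
    for finding in audit_conf(sample_conf):
        print("FINDING:", finding)
    print("hardened:", " ".join(harden(shlex.split(sample_conf.replace("\n", " ")))))
```

On a live host, feed it the flags from `ps -o args= -C memcached` (or the config file) rather than the constructed sample; a hostname in -l is reported as a finding because the audit cannot prove it resolves to loopback.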

Memcached is an open source, high-performance distributed memory object caching system originally intended to speed up dynamic web applications by alleviating database load. Users reportedly include Wikipedia, WordPress, Flickr and Craigslist. Because memcached can speak UDP, whose source address is easily spoofed, it is ideal as a reflector for a DDoS attack, notes Akamai. And exposed Memcached servers can have an amplification factor of over 50,000; Akamai cites a 203-byte request producing a 100-megabyte response.

On March 1 Akamai, Cloudflare and others announced the discovery of the 1.3 Tbps attack against GitHub, as well as smaller attacks against other customers. “Because of its ability to create such massive attacks, it is likely that attackers will adopt Memcached reflection as a favorite tool rapidly,” Akamai accurately predicted. “Additionally, as lists of usable reflectors are compiled by attackers, this attack method’s impact has the potential to grow significantly.”

This isn’t a newly discovered vulnerability, Arbor Networks noted in a blog post last week that recommended mitigations. A presentation at Black Hat USA in 2010 pointed out that there were many insecure Memcached deployments which could be used to retrieve and possibly alter sensitive data behind Internet-facing services such as Web servers and e-commerce sites.

Separately, Cisco Systems’ Talos threat intelligence blog noted last summer that in late 2016 it had discovered memory-corruption vulnerabilities in Memcached that attackers could exploit. Early in 2017 it scanned the Internet and found about 107,000 Memcached servers exposed to the Internet, including 2,400 in Canada.
