Memcache Servers Can Be Abused for Insanely Massive DDoS Attacks

itman · Feb 27, 2018

Crooks can abuse Memcache servers to launch insanely massive DDoS attacks using very few computational resources on their end.

These type of DDoS attacks are possible because of the unsecured way Memcache developers have implemented support for the UDP protocol in their product.

Furthermore, to make matters worse, Memcache servers also expose their UDP port to external connections in the default configuration, meaning any Memcache server not behind a firewall can be abused for DDoS attacks right now.

Memcache servers can be abused for reflection DDoS attacks

Cloudflare says it detected several DDoS attacks carried out via exposed Memcached servers in the past few days.

The company explains in a technical report that crooks send small byte-sized requests to Memcached servers on port 11211. Because the UDP protocol wasn't implemented correctly, instead of responding with a similar or smaller packet, Memcache servers respond with packets that are sometimes thousands of times bigger than the initial request.

Because it's the UDP protocol, the packet's origin IP address can be easily spoofed, meaning the attacker can trick the Memcache server into sending this oversized response packets to another IP address —the DDoS attack victim's IP.

In the DDoS community, this type of DDoS attack is named reflective DDoS or reflection DDoS. The amount of times the response packet size is amplified is the DDoS attack's "amplification actor."
Click to expand...

https://www.bleepingcomputer.com/ne...-be-abused-for-insanely-massive-ddos-attacks/

itman · Mar 1, 2018

Flurry of ultra-amplified attacks point to UDP port emanating from memcached servers

Staying ahead of threats is the raison d'être of any cybersecurity professional. An amplification attack vector that should be on the radar is UDP (User Datagram Protocol) port 11211 emanating an unusual volume of DDoS activity this week involving the memcached protocol, reported security solutions provider Cloudflare.

The firm on its website explains how it was the target of a 196-Gbps SSDP (Simple Service Discovery Protocol) attack with far greater power than usually seen in cybersecurity circles.

“Obscure amplification attacks happen all the time,” comments Cloudflare team member Marek Majkowski in a Feb. 27 blogpost, adding that the firm often sees “chargen” or “call of duty” packets of hitting its servers at 100Gbps.

What's different about this week's discovery was the greater amplification, with such force being a rare occurrence. “This new memcached UDP DDoS is definitely in this category,” writes Majkowski, who coined this attack as “Memcrashed.”
Click to expand...

https://www.scmagazine.com/flurry-o...nating-from-memcached-servers/article/747462/

reasonablePrivacy · Mar 1, 2018

www.wired.com/story/github-ddos-memcached/

On Wednesday, at about 12:15pm ET, 1.35 terabits per second of traffic hit the developer platform GitHub all at once. It was the most powerful distributed denial of service attack recorded to date—and it used an increasingly popular DDoS method, no botnet required.
Click to expand...

githubengineering.com/ddos-incident-report/

On Wednesday, February 28, 2018 GitHub.com was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a distributed denial-of-service (DDoS) attack.
Click to expand...

JRViejo · Mar 1, 2018

Looks like SourceForge experienced the same issue: https://twitter.com/sfnet_ops

Currently: https://sourceforge.net/error-404.html

itman · Mar 2, 2018

We have a new record for the largest DDoS attack ever detected. The new high mark is 1.3 Tbps (Terabits-per-second).

The attack took place yesterday, targeted a software development company, and was detected and mitigated by Akamai. [UPDATE: It's GitHub.]

Attackers executed the attack using a vulnerability in Memcached servers that was made public two days ago.
Click to expand...

https://www.bleepingcomputer.com/ne...d-set-at-13-tbps-thanks-to-memcached-servers/

itman · Mar 3, 2018

Some Memcached DDoS Attackers Are Asking for a Ransom Demand in Monero

DDoS extortionists have already pounced on the Memcached DDoS attack vector in attempts to extract payments from attacked companies.

Akamai revealed earlier today that it detected DDoS attacks executed via Memcached servers that were different from others.

Instead of blasting targets with UDP packets containing random data, one group of attackers is leaving short messages inside these packets.

This one group is asking victims to pay 50 Monero —around $17,000— to a Monero address. The group doesn't say it will stop the attack but only implies it.
Click to expand...

https://www.bleepingcomputer.com/ne...ers-are-asking-for-a-ransom-demand-in-monero/

itman · Mar 5, 2018

New DDoS Record Is Now 1.7 Tbps

Four days after GitHub suffered a massive 1.3 Tbps DDoS attack, we now have a new record with a DDoS attack that clocked at 1.7 Tbps.

Detected and mitigated by Arbor Networks, this attack was aimed at a yet-to-be-identified "US service provider." Just like the DDoS attack that hit GitHub last week, this one was also carried out via Memcached servers left exposed online.
Click to expand...

https://www.bleepingcomputer.com/news/security/new-ddos-record-is-now-17-tbps/

itman · Mar 7, 2018

Things just got worse. Now all the wanna-bees can join in on the hacking:

Proof-of-Concept Code for Memcached DDoS Attacks Published Online

Proof-of-concept code to run massive DDoS attacks using unsecured Memcached servers has been published online this week, along with a ready-made list of over 17,000 IP addresses belonging to vulnerable Memcached servers.

Two, and not one, of such proof-of-concept (PoC) utilities, have been released, both uniques in their own way.

PoC #1
The first is a Python script named Memcacrashed.py that scans Shodan for IPs of vulnerable Memcached servers and allows a user to launch a DDoS attack against a desired target within seconds of running the tool.

The creator of this tool is —surprisingly— the infosec researcher behind the Spuz.me blog.

PoC #2
The second PoC was released on Pastebin on Monday. The author is unknown, and the PoC is written in C.
Click to expand...

https://www.bleepingcomputer.com/ne...-for-memcached-ddos-attacks-published-online/

ronjor · Mar 7, 2018

Memcached DDoS Attack: Kill Switch, New Details Disclosed

Dark Reading Staff 3/7/2018
Corero shares a kill switch for the Memcached vulnerability and reports the flaw is more extensive than originally believed.
Click to expand...

itman · Mar 7, 2018

Oh, yes .............

Corero researchers have discovered that any exposed Memcached server that can be leveraged for a DDoS attack can also be tricked into sharing user data it has cached from its local network or host. Because Memcached servers don't require authentication, anything added to a vulnerable server can be stolen. Attackers can also modify data and reinsert it in the cache without owners' knowledge.
Click to expand...

ronjor · Mar 8, 2018

How to stop Memcached DDoS attacks with a simple command

By James Sanders | March 8, 2018, 4:59 AM PST
The Memcached vulnerability has been used to create record-breaking distributed denial-of-service attacks, but there are a few simple kill switches available.
Click to expand...

itman · Mar 9, 2018

Memfixed Tool Helps Mitigate Memcached-Based DDoS Attacks

Security researcher Amir Khashayar Mohammadi has released today a new tool named Memfixed that can help victims of DDoS attacks carried out via Memcached servers.

The tool, written in Python, was coded around a mitigation technique put forward by a developer on the Memcached project, but also verified by DDoS mitigation firm Corero.

The mitigation technique consists of sending a "flush_all" command to a Memcached server that is attacking a victim's network, part of a larger DDoS attack.
Click to expand...

https://www.bleepingcomputer.com/ne...-helps-mitigate-memcached-based-ddos-attacks/

Log in or Sign up

Memcache Servers Can Be Abused for Insanely Massive DDoS Attacks

itman Registered Member

itman Registered Member

reasonablePrivacy Registered Member

JRViejo Super Moderator

itman Registered Member

itman Registered Member

itman Registered Member

itman Registered Member

ronjor Global Moderator

itman Registered Member

ronjor Global Moderator

itman Registered Member

Log in or Sign up

Memcache Servers Can Be Abused for Insanely Massive DDoS Attacks

itman Registered Member

itman Registered Member

reasonablePrivacy Registered Member

JRViejo Super Moderator

itman Registered Member

itman Registered Member

itman Registered Member

itman Registered Member

ronjor Global Moderator

itman Registered Member

ronjor Global Moderator

itman Registered Member

Useful Searches