How to stop Memcached DDoS attacks with a simple command

The Memcached vulnerability has been used to create record-breaking distributed denial-of-service attacks, but there are a few simple kill switches available.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • The Memcached vulnerability has been used in record-breaking DDoS attacks against GitHub and an unnamed US service provider.
  • Various proof-of-concept scripts have been released to exploit the vulnerability.

Hackers have recently been exploiting a vulnerability in the Memcached protocol that lets them create record-breaking amplification attacks, a type of distributed denial-of-service (DDoS) attack. These attacks are trivial to implement, because a botnet of computers is not needed to generate the amount of traffic necessary to paralyze a given system or network.

Proof-of-concept code that can be easily adapted for use in attacks has been published by various researchers. Among them is the Python script "Memcrashed.py", which integrates with the Shodan search engine to find vulnerable servers from which an attack can be launched. An alternative version in C that uses a static list of vulnerable servers was uploaded to Pastebin, and a third proof-of-concept was tweeted by @ens.

For systems being targeted by these UDP attacks, a mitigation tweeted by Memcached developer @dormando was seemingly overlooked in the press until the security firm Corero issued a press release. Because the IP address of the vulnerable Memcached server is not spoofed, according to dormando, it is "pretty easy to disable them" by sending the command "shutdown\r\n", or "running 'flush_all\r\n' in a loop will prevent amplification." A statement from Corero vouches for the efficacy of this method and claims it "has not been observed to cause any collateral damage."

This vulnerability was patched in Memcached 1.5.6, which disables the vulnerable UDP version of the protocol by default. Marek Majkowski, a researcher at Cloudflare who wrote the original report of the vulnerability, was somewhat bewildered by the existence of a UDP-facing protocol in Memcached. Depending on your view, UDP support is either the result of code cruft or legacy support. The release notes for 1.5.6 indicate that "12 years ago, the UDP version of the protocol had more widespread use: TCP overhead could be very high. In the last few years, I've not heard of anyone using UDP anymore. Proxies and special clients allow connection reuse, which lowers the overhead."

For unpatched versions, disabling UDP protocol support will prevent servers running Memcached from being used in amplification attacks. A report from Rapid7 indicates that the number of detectable unique, unprotected UDP endpoints shrank from "almost 18,000" on March 1st to "under 12,000" as of March 5th.
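To check your own servers against the two conditions above (a version older than 1.5.6, or UDP switched back on), the following added example, which is not from the article or the Memcached project, classifies an instance from its version string and startup options. It assumes options are separated by whitespace or `=`, uses Memcached's `-U` (UDP port, 0 disables) and `-l` (listen address) options, and runs on a constructed one-option-per-line config sample.

```python
import ipaddress
import re
import shlex

UDP_OFF_BY_DEFAULT = (1, 5, 6)  # per the article: 1.5.6 disables UDP by default

# Constructed sample in the style of a one-option-per-line memcached.conf.
SAMPLE_CONF = """\
# memory, TCP port, run-as user, listen address
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

def conf_tokens(text):
    """Flatten config text into argv-style tokens, dropping '#' comments."""
    return [tok for line in text.splitlines()
            for tok in shlex.split(line, comments=True)]

def is_loopback(addr):
    """True only for literal loopback IPs or 'localhost'; anything else counts as exposed."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"

def udp_exposure(version, tokens):
    """Return 'disabled', 'loopback-only' or 'exposed' for the UDP listener."""
    ver = tuple(int(n) for n in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    udp_on = ver < UDP_OFF_BY_DEFAULT   # older builds listen on UDP unless told otherwise
    listen = []                          # empty: memcached binds every interface
    it = iter(tokens)
    for tok in it:
        name, _, value = tok.partition("=")
        if name in ("-U", "--udp-port"):
            udp_on = int(value or next(it)) != 0   # -U 0 turns UDP off
        elif name in ("-l", "--listen"):
            listen += (value or next(it)).split(",")
    if not udp_on:
        return "disabled"
    if listen and all(is_loopback(a) for a in listen):
        return "loopback-only"
    return "exposed"

if __name__ == "__main__":
    for ver in ("1.4.25", "1.5.6"):
        print(ver, udp_exposure(ver, conf_tokens(SAMPLE_CONF)))
```

An "exposed" result on an unpatched host is fixed by adding `-U 0` to the startup options or upgrading to 1.5.6 or later; listen values the function cannot parse as a loopback address are deliberately reported as exposed.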

In common practice, Memcached is used to increase the performance of websites which utilize databases to store content. This is accomplished by storing frequently accessed content in RAM, reducing the number of database queries needed to generate a web page. The Memcached vulnerability has been leveraged in a 1.35 Tbps DDoS attack against GitHub, and a 1.7 Tbps DDoS attack against an unnamed US service provider, both of which were record-setting highs for attacks when they were first reported.

This vulnerability has been assigned the identifier CVE-2018-1000115.

About James Sanders

James Sanders is a technology writer for TechRepublic. He covers future technology, including quantum computing, AI, and 5G, in addition to security, cloud computing, open source, mobile and satellite communications, and the impact of globalization o...
