Corero Network discovered a Kill Switch for Memcached DDoS attacks

Corero network security discovers a “kill switch” for memcached DDoS attacks and also reveals memcached exploit can be used to steal or corrupt data

Memcached DDoS attacks made the headlines due to the magnitude observed in recent offensives. While two PoC exploits for Memcached DDoS attacks have been released online, experts at security firm Corero Network announced they have discovered a ‘kill switch’ to address the Memcached vulnerability.

The firm revealed that the exploitation of the issue in Memcached servers could also allow attackers to modify or steal data from (i.e. including confidential database records, website customer information, emails, API data, Hadoop information and more.).

The most interesting discovery made by the researchers is the kill switch, the company reported it to national security agencies.

We first read about memcached DDoS attacks when on February 28, 2018, the code hosting website GitHub was hit by the largest-ever DDoS attack that peaked at 1.3Tbps.

Memcached is a free and open source, high-performance, distributed memory caching system designed to speed up dynamic web applications by alleviating database load.

Clients communicate with memcached servers via TCP or UDP on port 11211.

The abuse of memcached servers in DDoS Attacks is quite simple, the attacker sends a request to the targeted server on port 11211 spoofing the IP address of the victim. In a memcached DDoS attack, the request sent to the server is composed of a few bytes, while the response can be tens of thousands of times bigger, resulting in an amplification attack.

Experts at Cloudflare dubbed this type of attack Memcrashed, according to the researcher the amplification technique could allow attackers to obtain an amplification factor of 51,200.

Arbor Networks reported that earlier this month a US service provider suffered a 1.7 Tbps memcached DDoS attack.

“Corero Network Security has today disclosed the existence of a practical “kill switch” countermeasure for the Memcached vulnerability, responsible for some of the largest DDoS attacks ever recorded, to national security agencies.” reads the announcement published by Corero Network Security.

“At the same time, the company has revealed that the vulnerability is more extensive than originally reported – and can also be used by attackers to steal or modify data from the vulnerable Memcached servers.”

According to the experts, there are currently over 95,000 servers worldwide allowing connections on TCP or UDP port 11211 from the internet, an army of machines that could be involved in memcached DDoS attacks.

“Ironically, the Memcached utility was intended to cache frequently-used web pages and data to boost legitimate performance. But this utility has now been weaponized to exploit its performance boosting potential for illegitimate purposes.” said Ashley Stephenson.

With over 95,000 servers worldwide allowing connections on TCP or UDP port 11211 from the Internet, the potential for abuse by attackers is significant.

Corero researchers pointed out that the Memcached protocol was designed to be used without logins or passwords, the attacker can trigger the vulnerability to “modify the data and reinsert it into the cache.”

The “flush_all” countermeasure invalidates a vulnerable servers’ cache, including the large, potentially malicious payload planted there by attackers, it is effective in any attack scenario.

The ‘kill switch’ discovered by Corero would allow sending a command back to an attacking server to halt the DDoS attack, no side effects have been observed.

“This week, Corero discovered an effective ‘kill switch’ to the Memcached vulnerability that sends a command back to an attacking server to suppress the current DDoS exploitation.” continues the Corero.

“The “flush_all” countermeasure has been disclosed to national security agencies for action. It invalidates a vulnerable servers’ cache, including the large, potentially malicious payload planted there by attackers. The countermeasure quench packet has been tested on live attacking servers and appears to be 100% effective. It has not been observed to cause any collateral damage.”

Cloudflare recommends disabling UDP support unless it’s needed and isolating memcached servers from the Internet. Internet service providers have to fix vulnerable protocols and prevent IP spoofing.

The popular expert Victor Gevers, chairman of the GDI Foundation, highlighted that firewalling flawed Memcached servers on port 11211 should repel the attacks.