DDoS attacks have recently reached record sizes. By abusing publicly reachable Memcached servers, attackers have launched floods of roughly 1 terabit per second. That is huge, and only those on the receiving end fully appreciate what it means. A DDoS generally cannot break into a system, but it can take a system or website offline for a long time, which for a business is a serious problem. Security researchers have, however, recently found tricks that mitigate the damage of these attacks.
Memcached servers are what give the attackers their leverage: they amplify the attack traffic dramatically, which is why we are now seeing terabit-scale DDoS. Memcached is an in-memory cache: applications load data from slower backing databases into it and read it back much faster, which speeds up performance, and it is heavily used in business for exactly that reason. The same servers, when left reachable from the internet over UDP, answer a small request carrying a spoofed source address with a far larger response aimed at the victim, and that is what the attackers are using to launch the terabit attacks.
Why use DDoS
DDoS (Distributed Denial of Service) is one of the oldest yet still effective methods of making an online service unavailable to others. It is not a direct break-in; instead it takes the service out of action for a while.
DDoS was already a serious threat in the previous generation of the internet. Nowadays the tools and other requirements for triggering a DDoS attack are easy to acquire, and in many cases newcomers use them just for fun. So why is it still widely used today? The main reason is the impact on businesses: if Google were down for about five minutes, that would be a serious problem for the company. An attack can also serve to divert attention from one event to another, often to cover the real intrusion.
One mitigation is quite interesting. Dormando, one of the Memcached developers, proposed the workaround. According to his tweet,
For what it’s worth, if you’re getting attacked by memcached’s, it’s pretty easy to disable them since the source won’t be spoofed. They may accept “shutdown\r\n”, but also running “flush_all\r\n” in a loop will prevent amplification.
— dormando (@dormando) February 27, 2018
Unfortunately, the proposal didn't get much attention at first. Corero, a network protection vendor, recently reported that it integrated the trick into its systems and found it "100% effective" in live DDoS attacks. Corero's experts also said they did not notice any collateral damage from the technique. The trick works because the reflectors are the real Memcached hosts: the attacker spoofs the victim's address in the requests, but the replies come from the servers' own addresses, so the defender can connect back to each of them over TCP and flush or shut them down.
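As an added example (not code from the original post, nor from Dormando or Corero), the script below shows the two halves of that mitigation: picking the reflector addresses out of flow records seen at the victim (UDP traffic from source port 11211 towards the victim's address), then sending `flush_all` to each of them over TCP in a loop. The flow records and the addresses in them are constructed for the example; the record format (`proto src_ip src_port dst_ip dst_port bytes`) is an assumption, not the output of any particular collector.

```python
import socket
import time
import ipaddress
from typing import Iterable, Dict

MEMCACHED_PORT = 11211

# Constructed sample flow records (not real traffic), one per line:
# proto src_ip src_port dst_ip dst_port bytes
SAMPLE_FLOWS = """\
udp 198.51.100.7 11211 203.0.113.10 443 1400
udp 198.51.100.7 11211 203.0.113.10 443 1400
udp 192.0.2.33 11211 203.0.113.10 443 1400
tcp 192.0.2.50 443 203.0.113.10 52110 120
udp 203.0.113.10 52000 198.51.100.7 11211 15
udp 192.0.2.33 11211 203.0.113.11 80 1400
garbage line to be skipped
"""


def find_reflectors(flow_lines: Iterable[str], victim: str,
                    port: int = MEMCACHED_PORT) -> Dict[str, int]:
    """Map each Memcached reflector IP to the bytes it sent to the victim.

    A reflector shows up as UDP traffic *from* port 11211 to the victim. The
    source address is the real Memcached host: the attacker spoofs the victim's
    address in the request, not the server's address in the reply.
    """
    reflectors: Dict[str, int] = {}
    for line in flow_lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed record, ignore it
        proto, src, sport, dst, _dport, nbytes = parts
        if proto != "udp" or dst != victim or sport != str(port):
            continue
        try:
            ipaddress.ip_address(src)  # never act on something that is not an IP
        except ValueError:
            continue
        reflectors[src] = reflectors.get(src, 0) + int(nbytes)
    return reflectors


def flush_reflector(host: str, port: int = MEMCACHED_PORT,
                    timeout: float = 2.0) -> str:
    """Send flush_all to one reflector over TCP and return its one-line reply ("OK")."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"flush_all\r\n")
        return s.recv(64).decode("ascii", errors="replace").strip()


def flush_loop(reflectors: Iterable[str], rounds: int = 3,
               interval: float = 1.0) -> Dict[str, str]:
    """Repeat flush_all in a loop, as the tweet suggests; returns the last reply per host."""
    results: Dict[str, str] = {}
    for _ in range(rounds):
        for host in reflectors:
            try:
                results[host] = flush_reflector(host)
            except OSError as exc:  # timeout, connection refused, unreachable
                results[host] = f"error: {exc}"
        time.sleep(interval)
    return results


if __name__ == "__main__":
    victim = "203.0.113.10"
    hits = find_reflectors(SAMPLE_FLOWS.splitlines(), victim)
    for host, nbytes in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{host}\t{nbytes} bytes towards {victim}")
    # flush_loop(hits) would contact those hosts; it is not run against the constructed data.
```

Note that `flush_all` empties the cache of a server you do not own, and `shutdown` (which the tweet mentions as an alternative) stops it entirely, so the loop above only does the harmless part automatically and leaves the decision to run it to the operator.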
Update “Memcached” servers
The main reason Memcached servers feature in the recent attacks is that they are widely deployed and frequently left reachable from the internet, with port 11211 open to anyone, over UDP as well as TCP. That exposure is what made the current attacks possible.
An updated Memcached release is now available; at the time of writing the latest version is 1.5.6. The Memcached team addressed the problem by disabling the UDP protocol by default in this version: anyone who needs UDP has to turn it on explicitly when deploying the server. If you run a Memcached server, upgrade to the latest release, and also check your startup options: a configuration that explicitly enables the UDP port keeps it enabled after the upgrade.
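To verify that your own server is no longer usable as a reflector after the upgrade, you can send it a `stats` command over UDP and see whether it answers. The following is an added example, not code from the original post or from the Memcached project; it builds and parses Memcached's 8-byte UDP frame header (request id, sequence number, total datagrams, reserved) and computes how much bigger the reply is than the request. The response datagram used for the offline run is constructed for the example, and `udp_exposed` is a hypothetical helper that should only be pointed at hosts you operate.

```python
import socket
import struct
from typing import Dict, List, Any

MEMCACHED_UDP_PORT = 11211
# Memcached UDP frame header: request id, sequence number, total datagrams, reserved (0)
UDP_HEADER = struct.Struct("!HHHH")


def build_udp_request(command: bytes, request_id: int = 1) -> bytes:
    """Wrap an ASCII-protocol command in a single-datagram Memcached UDP frame."""
    if not command.endswith(b"\r\n"):
        raise ValueError("memcached text commands are CRLF-terminated")
    return UDP_HEADER.pack(request_id, 0, 1, 0) + command


def parse_udp_response(datagram: bytes) -> Dict[str, Any]:
    """Split a Memcached UDP datagram into its header fields and payload."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than the 8-byte UDP header")
    request_id, seq, total, reserved = UDP_HEADER.unpack_from(datagram)
    if reserved != 0:
        raise ValueError("reserved field must be zero; not a memcached frame")
    return {"request_id": request_id, "seq": seq, "total": total,
            "payload": datagram[UDP_HEADER.size:]}


def amplification_factor(request: bytes, responses: List[bytes]) -> float:
    """Bytes the server emitted per byte the sender had to put on the wire."""
    return sum(len(r) for r in responses) / len(request)


def udp_exposed(host: str, port: int = MEMCACHED_UDP_PORT,
                timeout: float = 2.0) -> bool:
    """True if the host answers 'stats' over UDP, i.e. it can still be used as a reflector."""
    request = build_udp_request(b"stats\r\n", request_id=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _ = sock.recvfrom(2048)
        except socket.timeout:
            return False  # no answer: UDP disabled (-U 0) or filtered
    try:
        reply = parse_udp_response(data)
    except ValueError:
        return False
    return reply["request_id"] == 0x1234 and reply["payload"].startswith(b"STAT ")


# Constructed response datagram (not captured from a real server): header says
# "datagram 0 of 1 for request 0x1234", followed by a small stats payload.
SAMPLE_RESPONSE = UDP_HEADER.pack(0x1234, 0, 1, 0) + (
    b"STAT pid 1234\r\nSTAT uptime 86400\r\nSTAT version 1.5.6\r\nEND\r\n"
)

if __name__ == "__main__":
    req = build_udp_request(b"stats\r\n", request_id=0x1234)
    print("request bytes:", req.hex())
    print("amplification for the constructed reply:",
          amplification_factor(req, [SAMPLE_RESPONSE]))
    # udp_exposed("127.0.0.1") would probe a local instance; run it only against your own hosts.
```

A real `stats` reply is many datagrams long, which is where the amplification comes from; the constructed reply here is deliberately short. On the server side the corresponding settings are Memcached's `-U 0` (UDP port off, the new default) and `-l 127.0.0.1` (listen only on the loopback interface), and port 11211 should be blocked at the firewall regardless of those options.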
Number of open “Memcached” decreased
After the major attacks, security researchers and cloud service providers began taking steps to protect the web from a repeat.
Although there were 107,431 Memcached servers in Shodan this morning, the population of Memcached is slowly but steadily shrinking. Servers which were vulnerable this morning are now closed 8 hours later. We still have a long way to go but progress is being made.
— Victor Gevers (@0xDUDE) March 7, 2018
According to this tweet, the number of exposed servers was already falling within hours.
Not every administrator acted, though. Two days earlier, the count of exposed servers had actually risen week over week:
Last week there were 93,000 Memcached servers left exposed online. This week we have 105,000.
What are you doing people?!?!?!? You're supposed to put them behind a firewall, not in front of it.
— Catalin Cimpanu (@campuscodi) March 5, 2018
More Memcached flaw(s)
Memcached isn't out of the woods yet. According to Corero, the vulnerability is more dangerous than first thought, because it could also allow an attacker to modify or steal information held on the servers. Corero did not publish details of the flaw; it reached out to national security agencies so they could prepare and issue the appropriate alerts. Keep in mind that Memcached's text protocol has no authentication at all, so any cache reachable from the internet can be read and written by whoever connects to it, independent of the amplification problem.
Check out if it’s possible to avoid DDoS.