Memcached DDoS attack ‘kill switch’ discovered
- Published: Friday, 09 March 2018 09:57
Corero Network Security has disclosed the existence of a practical ‘kill switch’ countermeasure for the Memcached vulnerability, responsible for some of the largest DDoS attacks ever recorded. At the same time, the company has warned that the vulnerability is more extensive than originally reported – and can also be used by attackers to steal or modify data from the vulnerable Memcached servers.
Memcached is an open source memory caching system that stores data in RAM to speed up access times. It was not originally designed to be accessible from the Internet, as access does not require authentication. The exploit works by allowing attackers to generate spoof requests and amplify DDoS attacks by up to 50,000 times to create an unprecedented flood of attack traffic. In the last week, these massive attacks have overwhelmed specific targets such as GitHub, and flooded service providers to degrade service availability.
Ashley Stephenson, CEO at Corero Network Security, explains: “Memcached represents a new chapter in DDoS attack executions. Previously, the most recent record-breaking attacks were being orchestrated from relatively low bandwidth Internet of Things (IoT) devices. In contrast, these Memcached servers are typically connected to higher bandwidth networks and, as a result of high amplification factors, are delivering data avalanches to crippling effect. Unless operators of Memcached servers take action, these attacks will continue.”
Any Memcached server that can be forced into participating in a DDoS attack towards the Internet can also be coaxed into divulging user data that it has cached from its local network or host. This may include confidential database records, website customer information, emails, API data, Hadoop information and more.
The Memcached protocol was designed to be used without logins or passwords, meaning that anything you add to a vulnerable Memcached server can be stolen by anyone on the Internet, without a login, password or audit trail. By using a simple debug command, hackers can reveal the ‘keys’ to your data and retrieve the owner’s data from the other side of the world. Additionally, it is also possible to maliciously modify the data and reinsert it into the cache without the knowledge of the Memcached owner.
Despite repeated warnings by the Memcached developer community and large IT vendors about security risks, default configurations for some of the latest operating systems and cloud computer services still allow ubiquitous access to the Memcached service and customers’ private data.
Ashley Stephenson explains: “While this blatant lapse of security is relatively clear to the accomplished security practitioner or hacker, it is not known to the increasingly business-oriented, non-technical user who is clicking a button to set up a new server in the cloud. There are dozens of US-CERT CVE and obscure security warnings related to Memcached but few of them address the clearly obvious issue of leaving the front door open on the internet for anyone to come in and take your data.”
The kill switch
This week, Corero discovered an effective kill switch to the Memcached vulnerability that sends a command back to an attacking server to suppress the current DDoS exploitation. The ‘flush_all’ countermeasure has been disclosed to national security agencies for action. It invalidates a vulnerable servers’ cache, including the large, potentially malicious payload planted there by attackers.
The countermeasure quench packet has been tested on live attacking servers and appears to be 100 percent effective. It has not been observed to cause any collateral damage.