Recently we informed our readers about how attackers are abusing misconfigured Memcached servers to launch massive DDoS attacks. According to the observations of not one or two but three security firms, massive Memcached reflection distributed denial of service (DDoS) attacks are being launched with an unprecedented amplification factor of 50,000, the largest in the history of DDoS attacks.
The problem worsened after someone released proof-of-concept (PoC) exploit code for amplifying the attack, which has made it even easier for cybercriminals to launch large-scale attacks. GitHub was among the first targets of attackers, while an unknown American firm suffered the world's largest DDoS attack, at 1.7 Tbps.
Now, Corero Network Security has discovered that a Kill Switch can help organizations secure their websites and prevent the threat of massive DDoS attacks launched by exploiting vulnerable Memcached servers. According to researchers, the vulnerability (classified as CVE-2018-1000115) that leads to the exploitation of Memcached servers is much more extensive and dangerous than is currently assumed.
Memcached is an open-source memory caching server that can boost the responsiveness of database-driven websites by storing data in RAM, which speeds up access times. It stores a variety of data such as emails, API data, website customer data, Hadoop information and confidential database records.
Since it wasn't developed to be accessed through the internet, users don't need to authenticate with a login and password, and attackers are thus able to create fake requests to amplify DDoS attacks at least 50,000 times.
As per researchers at Corero, any exposed Memcached server can be used to launch a DDoS attack as well as tricked into revealing the user data it has cached from the local host or network. Since Memcached servers don't need authentication, anything that the server stores is accessible, and attackers can easily steal, modify and reinsert altered data in the cache.
The Kill Switch
However, the Kill Switch can send a command back to the attacking server to suppress the DDoS exploitation, because it invalidates the vulnerable server's cache, including the malicious payload. Corero researchers have already tested it to be 100% effective on live attacking servers.
Given that there are still over 12,000 exposed Memcached servers that can be accessed, it is indeed good news that Corero researchers are able to send commands back to the attacking servers. This is done by sending simple commands like “shutdown\r\n” or “flush_all\r\n” in a loop to prevent amplification; the flush_all command flushes the entire content of the cache, including the keys and their values.
According to THN, security researcher Amir Khashayar Mohammadi has developed and released a basic DDoS mitigation tool titled Memfixed. The tool is written in Python and sends commands to flush or shut down the vulnerable Memcached servers.
RELEASE: Memfixed-DDoS-Mitigation tool
Thanks to @dormando for the memcached “killswitch”;
Memfixed is a tool that mitigates the attacks using Shodan to efficiently shutdown and flush vulnerable memcached servers:
— spuz.me (@spuz_) March 8, 2018
Memfixed can automatically obtain a list of exposed and vulnerable Memcached servers using the Shodan API, after which it issues flush/shutdown commands. However, server administrators are urged to install the most recent version, Memcached 1.5.6, which disables the UDP protocol by default and prevents reflection or amplification DDoS attacks.
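For administrators checking their own servers, the following is an added example (not code from the article, Corero, Memfixed or the Memcached project) that audits a server's start-up options for the two exposures described above: an enabled UDP listener and an unauthenticated cache bound to a non-loopback address. It assumes the options are available as text, that releases before 1.5.6 default to UDP port 11211, and that a server started without a listen option binds every interface; the function names and sample input are constructed for illustration.

```python
import ipaddress
import shlex

UDP_OFF_BY_DEFAULT = (1, 5, 6)  # per the article, 1.5.6 disables UDP by default
LEGACY_UDP_PORT = 11211         # assumption: default UDP port of earlier releases
# Constructed sample: start-up options, one per line, '#' starts a comment.
SAMPLE_OPTIONS = """
-p 11211
-l 0.0.0.0   # constructed: listens on every interface
"""

def is_loopback(addr):
    """True for localhost or a loopback IP, with or without a :port suffix."""
    for candidate in (addr, addr.rsplit(":", 1)[0]):
        if candidate == "localhost":
            return True
        try:
            return ipaddress.ip_address(candidate.strip("[]")).is_loopback
        except ValueError:
            continue
    return False  # other hostnames are treated as exposed and need review

def audit_memcached(options_text, version):
    """Return a list of findings for the given options and (major, minor, patch)."""
    udp_port = 0 if version >= UDP_OFF_BY_DEFAULT else LEGACY_UDP_PORT
    listen = []  # assumption: with no listen option, every interface is bound
    it = iter(shlex.split(options_text, comments=True))
    for tok in it:
        if tok.startswith("--") and "=" in tok:
            key, val = tok.split("=", 1)          # --udp-port=0
        elif tok in ("-U", "-l", "--udp-port", "--listen"):
            key, val = tok, next(it, "")          # -U 0
        elif tok[:2] in ("-U", "-l") and len(tok) > 2:
            key, val = tok[:2], tok[2:]           # -U0
        else:
            continue
        if key in ("-U", "--udp-port"):
            udp_port = int(val)
        elif key in ("-l", "--listen"):
            listen.extend(a for a in val.split(",") if a)
    findings = []
    if udp_port:
        findings.append(f"UDP listener enabled on port {udp_port} (disable with -U 0)")
    exposed = [a for a in listen if not is_loopback(a)] if listen else ["all interfaces"]
    if exposed:
        findings.append("unauthenticated cache reachable on: " + ", ".join(exposed))
    return findings
```

An empty result means UDP is off and the cache listens only on loopback; upgrading to 1.5.6 removes the UDP finding but not the listen-address one.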