Note! Exploit to taking over of Memcached servers is available

On February 28, 2018 year we witnessed the largest so far DDoS attack on the portal for a giant bandwidth 1.35 terabit per second. A day later the record was beaten about 400.000 megabits and slightly exceed 1.7 terabit per second, where this time the access to the service refused to grant one of the Web pages located on the network of the company Arbor Networks in the United States.

So far, the two biggest reported DDoS attacks (. Distributed Denial of Service) have a common denominator. It was incorrectly set up Memcached, used to accelerate the loading of some resources for example. dynamic content from databases, records or even whole pages (HTML documents) for a very large portals, such as Facebook, Twitter, Reddit, YouTube, Onet, virtual Poland and others. In both of these spectacular attacks, it turned out that Memcached was available "from the outside", which allowed an attacker to send to the Web server over UDP packet 50.000 GitHub portal, using a fake IP address (the so called IP spoofing). More than 50.000 times — until it exceeded the capabilities of the "fusion" Web Server portal GitHub in each second. Thanks to the vast number of "acquired" Memcached attackers managed to temporarily run out of bandwidth which have portal, causing the unavailability of the website, as well as — which is likely — gave this opportunity to test such a large botnet. The attack also used a very high amplification (about 51.000), this means that the attacker by sending 10 bytes of data to the vulnerable services, generate 500 Kb data stream, which struck the victim.

Cloudflare estimates that in the DDoS attack on GitHub can participate from a few thousand to tens of thousands of machines with unique IP addresses:

DDoS na Github

Memcrashed is a tool to DDoS attacks for the script-kiddie

Now we all have reason for concern, because the published solution, including exploit to carry out DDoS attacks on the Memcached servers.

The application Memcrashed was written in Python and uses the API of the popular search engine Shodan. It is possible to "scan" the available hosts on the Internet linked with Memcached for open UDP port/11211, on which the service listens. According to hosts from issued port 11211 "into the world" is currently approximately 130.000, so application potential is huge. The effects of the attack again could be devastating for many a business — or be the perfect advertisement for a company that effectively repels the attack. And with such big attacks "wysycającymi" Internet deal can only the largest operators.

Mcrashed narzędzie to ataków na serwery Memcached

Memcrashed - ciąg dalszy Memcached

Fortunately, there is light at the end of the tunnel.

Memfixed as "kill-switch (circuit breaker) Memcached

Switch in the strict sense. The application Memfixed works on the same principle as Memcrashed. Also was written in Pytonie and in the same way it uses API search engine Shodan. Author of the program did not wait until the administrators will take to update servers (which can take for months). Wrote their own software excluding Memcached servers that are vulnerable to takeover. The community of Internet users may be in a way of saying thank you, because someone who decides to "press", disable the vulnerable to acquisition of servers and reduce the number of devices in the future falling to the botnet. This can positively affect the security, because the potential attacks are characterized by a lower intensity, but at the expense of the owners of Memcached.

The author of the tool points out that his way of "zkillowanie" servers is somehow the same unethical as attacking applications, online services, or websites with the use of Memcrashed. In any event, for what purposes do not use Memcrashed (except scientific, of course), it will be illegal.

Memfixed wyłącznik serwerów Memcached

We expect more DDoS attacks

With Memcrashed in the coming months, we expect more DDoS attacks. The script after you modify will carry out mass attacks on other services running on different ports, which are exposed to the world. What's more, the use of search engines to find the host susceptible Shodan multiplying the potential number of machines involved in the attacks.

Administrators can check the susceptibility of Memcached nmap'em:

$ nmap TARGET-p 11211-sU-sS-memcached-info script

Starting Nmap 7.30 ( at 2018-02-27 12:44 UTC
Nmap scan report for xxxx
Host is up (0.011 s latency).
11211/tcp open          memcache

| memcached-info:
|   Process ID           21357
|   Uptime               41557524 seconds
|   Server time          2018-02-27T12:44:12
|   Architecture,         64 bit
|   Used CPU (user)      36235.480390
|   Used CPU (system)    285883.194512
|   Current connections  11
|   Total connections    107986559
|   Maximum connections  1024
|   Tcp Port             11211
|   UDP Port             11211
| _  Authentication       no

11211/udp open | filtered memcache

To correct the security firewall must be installed Memcached, which should limit access to only to traffic within the local network. In other cases, it is recommended that even completely disable UDP support.

Comment on DDoS attacks, we asked Radosław Wesolowski, CEO of the Grey Wizard, specializing in the protection of Web pages by preventing network attacks, output volume and application:

Unfortunately for a long time we are seeing new records the size of the attacks. In the year 2016 620 Gbs generated botnet Mirai (malware) the same botnet was also responsible for the attacks on the company OVH (it is estimated that this was the value of 1Tbs). In February of this year we have to deal with new records respectively 1.3 and 1.7 Tbps. All these attacks have one common denominator-take advantage of vulnerabilities in the software or hardware, and to generate a stream of data about such large values needed are large botnets. The situation is aggravated by the fact the use of weaknesses of the UDP communication protocol that allows for spoofing, or falsifying the sender and receiver of messages. The largest attacks use also the amplification mechanisms, that is, the reproduction query response. In most cases, the criminals to create a botnet use simple vulnerability eg. the fact that the producers of Web cameras, or routers, set by default, known for "admin/admin" (a botnet Mirai), or provide services, that should never be public (Memcached).

Since the publication of the information about the attack using Memcached, we are seeing increased attacks on our customers. These attacks have historically large values, which are rarely seen in Poland.

The problem is not simple to solve. Worse, criminals all the time looking for new attack vectors and infect machines. DDoS attacks are still the most common threat to Web applications. It is very difficult to reach the perpetrators and punish them. The only effective defense is to use specialized services for the cleaning of the movement.

More basic information about DDoS attacks contains the following infographic and information prepared by the operator of OVH.

Czym jest atak DDoS

Add new comment

The content of this field is kept private and will not be shown publicly.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.