Memchached PoC Available, so is Kill Switch

Thursday, March 8, 2018 @ 04:03 PM gHale

Proof-of-concept code to leverage unsecured Memcached servers to push out record breaking DDoS attacks has been published online.

The code comes complete with a list of over 17,000 IP addresses of Memcached servers that can be used.

Experts Saw Signs of Huge DDoS Attack
NotPetya Attack Costs Mount
Safety System Attack: Plan to Wake Up Industry
Detecting Moves Leading to Attack

“Looking at indicates there are many more than just 17,000 Memcached servers that can be used for DDoS attacks,” said Ashley Stephenson, chief executive at Corero Network Security. “If the vulnerable servers on the list are utilized for attacks they can be neutralized with the kill switch by sending just 17,000 packets, one to each attacking server, neutralizing their DDoS potential until they are reloaded by the attacker which take 10,000 times longer.

Corero said the “flush-all” command can be used as a benign active defense “kill switch” by those being attacked to suppress attacks from the compromised Memcached server.”

The Memcached vulnerability led to some of the industry’s largest distributed denial-of-service (DDoS) attacks.

Corero said it disclosed the kill switch to national security agencies.

The security firm also said the issue is more extensive than originally believed.

It found an attacker exploiting the vulnerability can also steal or modify data from vulnerable Memcached servers.

Memcached is a free and open source memory caching system that can work with a large number of open connections. Memcached servers allow connections via TCP or UDP on port 11211, with access requiring no authentication, which is why the system wasn’t designed to be accessible from the Internet.

In late February, web protection companies warned the protocol can be abused for DDoS amplification, after the first attacks using it started to emerge. Within days, huge 1.3Tbps and 1.7Tbs DDoS attacks ended up discovered.

“The exploit works by allowing attackers to generate spoof requests and amplify DDoS attacks by up to 50,000 times to create an unprecedented flood of attack traffic,” Corero explains.

With over 95,000 servers worldwide allowing connections on TCP or UDP port 11211 from the Internet, the potential for abuse by attackers is significant.

Leave a Reply

You must be logged in to post a comment.