Those Record Breaking Memcached Terabit DDoS Attacks? Researchers Have Just Found a “Kill Switch”
As the number and intensity of distributed denial of service (DDoS) attacks reflected off exposed Memcached servers keep rising, researchers are looking for ways to mitigate them. Security firms are also scrambling to test ideas for dealing with these terabit-scale attacks, which are expected to get worse with time.
Corero Network Security reports that it has found a "kill switch" for the Memcached reflection vulnerability behind some of the largest DDoS attacks on record.
The proposed kill switch is simply a command sent back to the Memcached servers being abused as reflectors: a victim can reportedly stop an attack in its tracks by sending the "flush_all" command to those servers. The measure was first proposed by Dormando, one of the Memcached developers.
Corero said that the flush_all kill switch "has not been observed to cause any collateral damage." The command invalidates every item in the vulnerable server's cache, so the oversized payload an attacker planted there in order to have it reflected is discarded. With no large cached value left to return, the firm said, the servers can no longer produce the amplification effect that makes these DDoS attacks so destructive.
The number of Memcached servers starts to go down
Memcached, which stores data in RAM to speed up access times, was never designed to be reachable from the Internet. Left in their default configuration, these servers listen on port 11211, including over UDP, and attackers use that port to reflect and amplify DDoS attacks: they send small requests over UDP with the victim's address forged as the source, and the server's much larger replies go to the victim. Because the reply to one request can be far bigger than the request itself, attackers can amplify their traffic by up to 50,000 times and create an unprecedented flood. With over 95,000 servers accepting connections on port 11211, the potential for abuse and for further attacks is significant.
While the above technique would help companies that cannot afford mitigation services to cope with these devastating DDoS attacks, the industry is also working to reduce the number of Memcached servers left reachable online, the root cause of these attacks. The fix on the server side is to bind Memcached to localhost or the internal network, disable its UDP listener (the -U 0 option; Memcached 1.5.6 ships with UDP off by default), and block port 11211 at the network edge.
"Although there were 107,431 Memcached servers in Shodan this morning. The population Memcached is slowly but steadily shrinking," security researcher Victor Gevers tweeted. "Servers which were vulnerable this morning are now closed 8 hours later. We still have a long way to go but progress is being made."
Scanning & reporting vulnerable Memcached servers costs:
Running ZMap scan for port 11211- $0
Running Nmap scan on discovered hosts - $0
Storing scans on MongoDB Atlas M0 cluster - $0
Building a dashboard with MongoDB Stitch - $0
Sending security reports with SendGrid Trial - $0
— Victor Gevers (@0xDUDE) March 8, 2018
Corero, for its part, said it has disclosed the "kill switch" to national security agencies. The firm also suggests the exposure is worse than originally believed, because the same open servers can be used to read or modify the data they cache. It claims that vulnerable Memcached servers can be made to divulge data cached from the local network or host, including database records, website customer information, emails, API data, and more.
"The 'flush_all' command has always been available in memcached," Corero CEO Ashley Stephenson said. "What Corero discovered was the possibility of using it to defeat this DDoS exploit."
This is not, however, a solution to the amplification or data exfiltration threat; the only real way out is to secure the exposed Memcached servers themselves. "However, with over 95,000 of these servers currently exposed on the Internet," the company said, it expects to see these "amplification attacks for many months to come."