It is less than 2 weeks since the “Memcached” reflection/amplification vulnerability became widely known. Since then DDoS attackers started exploiting unprotected Memcached servers to launch massive denial-of-service attacks against target organizations.
The record for the largest DDoS attack ever reported has been broken twice in the last week. The bar was raised from ~800Gbps (DYN in October 2016) to 1.34Tbps (GitHub) and upwards to 1.7Tbps (undisclosed US Service Provider). These attacks have understandably been the focus of mainstream news headlines. At Corero, we’ve also seen a surge in these larger DDoS attacks; all of them have been amplified by the Memcached vector.
Last week, our Corero SecureWatch® Analytics Team released a Threat Advisory after seeing a steady ramp in reflective Memcached attacks (Reflective UDP on port 11211). This exploit uses a reflective method in which the attacker makes a spoofed request (where the source IP address is that of the intended victim) to a Memcached server, which then replies to the victim with a large response. Amplification factors of 50,000 times are believed to be possible using this exploit.
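The reflection pattern described above has a simple defender-side signature: large UDP replies from source port 11211 arriving at a host that never sent a request to that port. The following is an added example, not Corero's code or anything from the original post, that applies that check to constructed flow records; the record layout, sample addresses and the 1,000:1 ratio threshold are all assumptions.

```python
# Added example (not from Corero or the original post): flag hosts receiving
# memcached UDP replies (src port 11211) out of proportion to, or with no,
# outbound requests to port 11211. Flow layout and sample data are constructed.
import math
from collections import defaultdict

MEMCACHED_PORT = 11211     # UDP port used by the reflection vector
RATIO_THRESHOLD = 1000.0   # reply bytes per request byte; assumed alert threshold

# Constructed flows: (proto, src_ip, src_port, dst_ip, dst_port, bytes). Not real traffic.
SAMPLE_FLOWS = [
    ("udp", "198.51.100.7", 11211, "203.0.113.10", 43000, 1_400_000),  # unsolicited reply
    ("udp", "198.51.100.8", 11211, "203.0.113.10", 43000, 1_300_000),  # unsolicited reply
    ("udp", "203.0.113.20", 40000, "198.51.100.9", 11211, 600),        # legitimate request
    ("udp", "198.51.100.9", 11211, "203.0.113.20", 40000, 900),        # normal-sized reply
    ("tcp", "203.0.113.30", 51000, "198.51.100.9", 11211, 5000),       # TCP memcached, ignored
]

def memcached_reflection_stats(flows):
    """Per host: (UDP bytes received from src port 11211,
    UDP bytes that host sent to dst port 11211, reply/request ratio).
    A host that received replies but sent no requests gets ratio inf."""
    reply = defaultdict(int)
    request = defaultdict(int)
    for proto, src_ip, src_port, dst_ip, dst_port, nbytes in flows:
        if proto != "udp":
            continue
        if src_port == MEMCACHED_PORT:
            reply[dst_ip] += nbytes
        elif dst_port == MEMCACHED_PORT:
            request[src_ip] += nbytes
    stats = {}
    for host in set(reply) | set(request):
        rep, req = reply[host], request[host]
        ratio = rep / req if req else math.inf
        stats[host] = (rep, req, ratio)
    return stats

def suspected_victims(flows, threshold=RATIO_THRESHOLD):
    """Hosts whose inbound memcached reply volume exceeds the amplification threshold."""
    return sorted(host for host, (rep, req, ratio) in memcached_reflection_stats(flows).items()
                  if rep > 0 and ratio > threshold)

if __name__ == "__main__":
    for host, (rep, req, ratio) in memcached_reflection_stats(SAMPLE_FLOWS).items():
        print(f"{host}: {rep} B from 11211, {req} B to 11211, ratio {ratio}")
    print("suspected reflection victims:", suspected_victims(SAMPLE_FLOWS))
```

Requests from spoofed sources never pass through the victim's network, so the strongest signal is reply traffic with no matching outbound request at all (ratio inf), not merely a high ratio.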
Corero’s advisory coincided with delivering “zero day” protection to SmartWall® customers which detects and mitigates these attacks in less than 2 seconds. In contrast, the GitHub attack reportedly took around 10 minutes to mitigate. Undoubtedly, this meant that GitHub’s service was disrupted risking reputational damage.
Corero has gone a significant step further. Today, we announced that we’ve identified an “active defense” countermeasure which neutralizes the problem. In more emotive terms, we have found and implemented the “kill switch” for Memcached. Whilst this countermeasure causes no discernible impact to the unwitting participant in the DDoS attack (i.e. the unsecured Memcached server), Corero decided to share this discovery with national security agencies to allow them to determine if and when to more widely execute this countermeasure. Corero’s SmartWall® threat defense customers can immediately benefit from this discovery too; at their option, automatically sending the necessary command to any attacking server to immediately suppress all attacks.
Perhaps even more shockingly, Corero also disclosed that the same Memcached vulnerability can also be used for data exfiltration (i.e. theft to most of us) and even data modification. The difference in this case is that the victim is the organization that has the unsecured Memcached server. Thankfully, the same Corero discovery can temporarily take care of the problem.
The lasting solution to both the DDoS amplification and data exfiltration/modification threats is to secure the Memcached servers. However, with over 95,000 of these servers currently exposed on the Internet, Corero expects that we’ll be seeing these amplification attacks for many months to come.
To find out more, contact us.