Corero Network Security Discovers Memcached DDoS Attack “Kill Switch” And Also Reveals Memcached Exploit Can Be Used to Steal or Corrupt Data

Corero Network Security Discovers Memcached DDoS Attack “Kill Switch” And Also Reveals Memcached Exploit Can Be Used to Steal or Corrupt Data

  • Corero active defence countermeasure benignly “suppresses” Memcached DDoS attack threat while leaving compromised servers online;
  • Corero researchers reveal that Memcached can be exploited by attackers to steal or modify data from vulnerable Memcached servers;
  • ‘Kill switch’ is available to Corero customers to defend themselves. Corero Smartwall can issue this command in response to incoming attacks. Corero has also disclosed the fix to national security agencies;
  • Memcached DDoS attacks or Memcached data theft is currently a potential issue for up to 95,000 vulnerable servers worldwide.

MARLBOROUGH, Mass., and LONDON, UK, March 7, 2018 – Corero Network Security has today disclosed the existence of a practical “kill switch” countermeasure for the Memcached vulnerability, responsible for some of the largest DDoS attacks ever recorded, to national security agencies.  At the same time, the company has revealed that the vulnerability is more extensive than originally reported – and can also be used by attackers to steal or modify data from the vulnerable Memcached servers.

Memcached is an open source memory caching system that stores data in RAM to speed up access times.  It was not originally designed to be accessible from the Internet, as access does not require authentication. The exploit works by allowing attackers to generate spoof requests and amplify DDoS attacks by up to 50,000 times to create an unprecedented flood of attack traffic. In the last week, these massive attacks have overwhelmed specific targets such as GitHub, and flooded service providers to degrade service availability.

There are currently over 95,000 servers worldwide answering on TCP or UDP port 11211 from the internet, which could potentially be used by attackers to launch DDoS attacks or expose customer data.

Ashley Stephenson, CEO at Corero Network Security, explains: “Memcached represents a new chapter in DDoS attack executions. Previously, the most recent record-breaking attacks were being orchestrated from relatively low bandwidth Internet of Things (IoT) devices. In contrast, these Memcached servers are typically connected to higher bandwidth networks and, as a result of high amplification factors, are delivering data avalanches to crippling effect. Unless operators of Memcached servers take action, these attacks will continue.”

More Complex Capabilities

Any Memcached server that can be forced into participating in a DDoS attack towards the Internet can also be coaxed into divulging user data it has cached from its local network or host. This may include confidential database records, website customer information, emails, API data, Hadoop information and more.

The Memcached protocol was designed to be used without logins or passwords, meaning that anything you add to a vulnerable Memcached server can be stolen by anyone on the internet, without a login, password or audit trail. By using a simple debug command, hackers can reveal the ‘keys’ to your data and retrieve the owner’s data from the other side of the world. Additionally, it is also possible to maliciously modify the data and reinsert it into the cache without the knowledge of the Memcached owner.

Despite repeated warnings by the Memcached developer community and large IT vendors about security risks, default configurations for some of the latest operating systems and cloud computer services still allow ubiquitous access to the Memcached service and customers’ private data.

Ashley Stephenson explains: “While this blatant lapse of security is relatively clear to the accomplished security practitioner or hacker, it is not known to the increasingly business-oriented, non-technical user who is clicking a button to set up a new server in the cloud. There are dozens of US-CERT CVE and obscure security warnings related to Memcached but few of them address the clearly obvious issue of leaving the front door open on the internet for anyone to come in and take your data.”

The Kill Switch

This week, Corero discovered an effective ‘kill switch’ to the Memcached vulnerability that sends a command back to an attacking server to suppress the current DDoS exploitation. The “flush_all” countermeasure has been disclosed to national security agencies for action. It invalidates a vulnerable servers’ cache, including the large, potentially malicious payload planted there by attackers.

The countermeasure quench packet has been tested on live attacking servers and appears to be 100% effective. It has not been observed to cause any collateral damage.

Ashley Stephenson continues: "Ironically, the Memcached utility was intended to cache frequently-used web pages and data to boost legitimate performance. But this utility has now been weaponized to exploit its performance boosting potential for illegitimate purposes.”

About Corero Network Security

Corero Network Security is the leader in real-time, high-performance DDoS defense solutions. Service providers, hosting providers and digital enterprises rely on Corero’s award winning technology to eliminate the DDoS threat to their environment through automatic attack detection and mitigation, coupled with complete network visibility, analytics and reporting. This industry leading technology provides cost effective, scalable protection capabilities against DDoS attacks in the most complex environments while enabling a more cost effective economic model than previously available. For more information, visit

Media contacts:

For further information or interview/comment requests, please contact:

Julia Langsman / Elizabeth Nikolova
Eskenzi PR
+44 207 1832 838 / +44 7879 495159 /

Jan Wiedrick-Kozlowski / Maureen MacGregor
(978) 473-1016 /