Posted on March 9, 2018 at 7:31 AM
Memcached DDoS Attacks Exposed through PoC Code and IP Addresses
A recent massive DDoS attack against the GitHub.com website and a 1.7 Tbps DDoS attack on a US firm were both powered by insecure Memcached servers.
For most people it was unclear how these attacks were taking advantage of Memcached servers. But the secret is already out: the IP addresses of 17,000 insecure servers, along with a set of proof-of-concept (PoC) codes, are now available to everyone, hackers included. This substantially increases the risk of massive DDoS attacks, since only a basic knowledge of coding and scripting is needed to use them.
The three PoC codes were published on separate dates and use different methods. The first was written in C and came with a list of 17,000 vulnerable Memcached servers. The second is a tool written in Python, developed by the Twitter account @37; it relies on the Shodan search engine to find vulnerable Memcached servers, which are then used to deliver spoofed UDP packets. The last PoC code was also published on Twitter, on March 3rd, this time by the @the_ens account:
#memecached UDP 50,000x AMP attack IP-Spoof POC. syntax args: <victim_ip> <memecache_ip>
use Socket;socket R,2,3,255;setsockopt R,0,1,1;send R,pack("H*x4H*a4a4H*Z*",45000019,"52110000",(map{inet_aton$_}@ARGV),"fefe2bcb0017"."0"x14,"x01x00x00statsrn"),0,pack"Sna4x8",2,60,pop
— ens (@the_ens) March 3, 2018
Memcached servers function as memory caches for web applications. They improve the response speed of database-driven websites by caching the data that is requested most often, so the site does not have to go back to disk to retrieve the same information each time it is needed. Memcached offers huge amounts of cache memory because it combines open source software with standard server hardware.
What makes Memcached servers so vulnerable is a flawed UDP protocol: it lets anyone reach them and launch massive DDoS attacks with little effort.
Hackers already had their own techniques for launching these attacks. But adding the Memcached servers' vulnerability to their toolkit means a significant increase in impact, to the point of turning an attack into a massive one. Easy access to these servers over the Internet makes it even easier and faster.
According to some researchers, this can be classed as an amplification attack. Researchers also found that the attack was launched using the Memcached protocol, with traffic coming from UDP port 11211, which they identified as the source of the amplification.
Attackers can also launch these massive attacks with only limited IP-spoofing capability. In that case Memcached replies to the spoofed (fake) IP addresses while the amplification takes place, and the real target is left unprotected. This explains what happened to GitHub.com.
Most of the vulnerable Memcached servers are located in North America and Europe. The total number worldwide may reach 88,000, which creates a serious risk that large-scale DDoS attacks become a worldwide trend.
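As an added illustration of the detection side (not code from the article or from any of the PoCs), the Python below flags the traffic pattern the researchers describe: UDP flows sourced from port 11211 converging on one destination, and servers whose UDP output on 11211 dwarfs what they receive. The flow-record format, the addresses and the byte counts are all constructed for this example.

```python
"""Spot Memcached reflection traffic (UDP, source port 11211) in flow records.
SAMPLE_FLOWS and the 'proto src:port > dst:port bytes packets' format are constructed."""
from collections import defaultdict

MEMCACHED_PORT = 11211

SAMPLE_FLOWS = """\
UDP 203.0.113.10:11211 > 198.51.100.5:40000 48000000 32000
UDP 203.0.113.11:11211 > 198.51.100.5:40000 51000000 34000
UDP 203.0.113.12:11211 > 198.51.100.5:40000 47500000 31500
UDP 198.51.100.5:40000 > 203.0.113.10:11211 900 15
UDP 198.51.100.5:40000 > 203.0.113.11:11211 960 16
UDP 198.51.100.5:40000 > 203.0.113.12:11211 900 15
TCP 10.0.0.7:41022 > 10.0.0.20:11211 2400 30
TCP 10.0.0.20:11211 > 10.0.0.7:41022 38000 40
"""

def parse_flows(text):
    """Yield (proto, src_ip, src_port, dst_ip, dst_port, bytes) per line."""
    for line in text.splitlines():
        proto, src, _arrow, dst, nbytes, _pkts = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        yield proto, sip, int(sport), dip, int(dport), int(nbytes)

def find_reflection_victims(flows, min_reflectors=2, min_bytes=1_000_000):
    """Destinations receiving UDP traffic sourced from port 11211 on several
    hosts: a normal client never gets that unsolicited, at volume."""
    hits = defaultdict(lambda: [set(), 0])
    for proto, sip, sport, dip, _dport, nbytes in flows:
        if proto == "UDP" and sport == MEMCACHED_PORT:
            hits[dip][0].add(sip)
            hits[dip][1] += nbytes
    return {dip: (len(srcs), total) for dip, (srcs, total) in hits.items()
            if len(srcs) >= min_reflectors and total >= min_bytes}

def amplification_ratios(flows):
    """Per server: UDP bytes sent from 11211 / UDP bytes received on 11211.
    Cache replies exceed requests, but a ratio in the thousands means abuse."""
    sent, recv = defaultdict(int), defaultdict(int)
    for proto, sip, sport, dip, dport, nbytes in flows:
        if proto != "UDP":
            continue
        if sport == MEMCACHED_PORT:
            sent[sip] += nbytes
        elif dport == MEMCACHED_PORT:
            recv[dip] += nbytes
    return {ip: sent[ip] / recv[ip] for ip in sent if recv.get(ip)}
```

Running find_reflection_victims(list(parse_flows(SAMPLE_FLOWS))) reports the single destination hit by three reflectors, and amplification_ratios() shows each reflector sending tens of thousands of times more than it receives.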