Mitigation against Memcached-Based DDoS Attacks Discovered - How to, Technology and PC Security Forum

DDoS attacks based on Memcached servers can now be mitigated, researchers say. The mitigation method consists of the victim sending a “flush_all” command back to the servers that initiated the attack. This method was suggested a few days ago by one of the Memcached server developers.

However, no one really paid attention to it until a company, Corero, said it had integrated this technique… and it worked.

This is the original tip given by Memcached developer dormando:

For what it’s worth, if you’re getting attacked by memcached’s, it’s pretty easy to disable them since the source won’t be spoofed. They may accept “shutdown\r\n”, but also running “flush_all\r\n” in a loop will prevent amplification.

Corero security experts said that the method is 100 percent effective during a live attack, and that they haven’t observed any collateral damage.

DDoS Attacks Happening via Memcached Servers Flaw

As we already wrote, just last week a record-breaking DDoS attack took place, registered at 1.3 Tbps. The target was GitHub, and the attack was based on a flaw in Memcached servers which was made public just recently. It became evident that cybercriminals can exploit Memcached servers to carry out large-scale DDoS attacks that don’t require a lot of computational resources, according to the researchers.

A few more days passed, and another record-breaking, large-scale DDoS took place: an attack at 1.7 Tbps, detected by Netscout Arbor. The attack targeted a customer of a US-based service provider. Not surprisingly, the DDoS was based on the same memcached reflection/amplification method known from the attack on GitHub.

It is now known that companies that haven’t deployed specialized DDoS mitigation services may implement scripts that integrate the two commands recommended by the Memcached developer: “shutdown” and “flush_all”. These two commands serve to shut down the attacking servers and to clear any cache holding the malicious packets that are at fault for the amplification effect of these latest DDoS attacks.

The good news is that Memcached v1.5.6 is fixing the issue that leads to these DDoS attacks. The attacks could happen because the servers were accessible online: their default configuration exposed port 11211, which attackers leveraged to amplify DDoS attacks.
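
One way to check your own memcached startup options for the exposure described above (an added example, not code from the article or the Memcached project). The name `audit_memcached` and both sample configs are constructed here; it assumes a Debian-style options file, a plain dotted version string, and that builds before 1.5.6 open UDP on the TCP port unless `-U` is given, while 1.5.6 and later leave UDP off unless `-U` sets a port.

```python
import ipaddress
import shlex

LONG_TO_SHORT = {"--port": "-p", "--udp-port": "-U", "--listen": "-l"}
# Constructed sample configs (not taken from the article).
LEGACY_CONF = "-d\n-m 64\n-p 11211\n-u memcache\n"
HARDENED_CONF = "-p 11211\n-U 0\n-l 127.0.0.1  # loopback only\n"

def _is_loopback(addr):
    """True only for literal loopback addresses; hostnames and
    host:port forms are treated as exposed (conservative)."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return False

def audit_memcached(conf_text, version):
    """Report whether these options leave a UDP listener reachable from outside."""
    tokens = []
    for line in conf_text.splitlines():
        tokens += shlex.split(line, comments=True)  # drops '#' comments
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        # Accept "-p 11211", "-p11211", "--port=11211" and "--port 11211".
        name, _, value = tok.partition("=") if tok.startswith("--") else (tok[:2], "", tok[2:])
        name = LONG_TO_SHORT.get(name, name)
        if name in ("-p", "-U", "-l"):
            if not value and i + 1 < len(tokens):
                i += 1
                value = tokens[i]
            opts[name] = value
        i += 1
    tcp_port = int(opts.get("-p", 11211))
    fixed = tuple(int(x) for x in version.split(".")) >= (1, 5, 6)
    # Assumption: pre-1.5.6 UDP follows the TCP port; 1.5.6+ defaults UDP to off.
    udp_port = int(opts["-U"]) if "-U" in opts else (0 if fixed else tcp_port)
    listen = [a for a in opts.get("-l", "").split(",") if a]
    public = not listen or not all(_is_loopback(a) for a in listen)  # no -l = all interfaces
    return {"udp_port": udp_port, "public_listen": public,
            "reflector_risk": udp_port != 0 and public}

if __name__ == "__main__":
    for label, conf, ver in (("legacy", LEGACY_CONF, "1.5.5"),
                             ("legacy on 1.5.6", LEGACY_CONF, "1.5.6"),
                             ("hardened", HARDENED_CONF, "1.4.25")):
        print(label, audit_memcached(conf, ver))
```

A `reflector_risk` of `True` means the instance should get `-U 0` or a loopback/private `-l` address, plus a firewall rule for port 11211, regardless of version.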

The Memcached team is currently addressing this issue identified as CVE-2018-1000115.

Milena Dimitrova
