DDoS attacks based on Memcached servers can now be mitigated, researchers say. The mitigation method involves the victim sending a “flush_all” command back to the servers that initiated the attack. This method was suggested a few days ago by one of the Memcached server developers.
However, no one really paid attention to it until the moment when a company, Corero, said it integrated this technique… and it worked.
This is the original tip given by Memcached developer dormando:
For what it’s worth, if you’re getting attacked by memcached’s, it’s pretty easy to disable them since the source won’t be spoofed. They may accept “shutdown\r\n”, but also running “flush_all\r\n” in a loop will prevent amplification.
Corero security experts said that the method is 100 percent effective during a live attack, and that they haven’t observed any collateral damage.
DDoS Attacks Happening via Memcached Servers Flaw
As we already wrote, just last week a record-breaking DDoS attack took place – registered at 1.3 Tbps. The target was GitHub, with the attack being based on a flaw in Memcached servers which was made public just recently. It became evident that cybercriminals can exploit Memcached servers to carry out large-scale DDoS attacks that don’t require a lot of computational resources, according to the researchers.
A few more days passed, and another record-breaking, large-scale DDoS took place – an attack at 1.7 Tbps which was detected by Netscout Arbor. The attack targeted a customer of a US-based service provider. Not surprisingly, the DDoS was based on the same memcached reflection/amplification method known from the attack on GitHub.
It is now known that companies that haven’t deployed specialized DDoS mitigation services may implement scripts that integrate the following commands – “shutdown” and “flush_all”, as recommended by the Memcached developer. These two commands serve to shut down the attacking servers and to clear any cache holding the malicious packets that are responsible for the amplification effect of these latest DDoS attacks.
The good news is that Memcached v1.5.6 fixes the issue that leads to these DDoS attacks. The attacks could happen because the servers were accessible online. Their default configuration exposed port 11211, which attackers leveraged to amplify DDoS attacks.
The Memcached team is currently addressing this issue identified as CVE-2018-1000115.
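An added example, not from the article or the Memcached project: a Python check of your own server's startup options for the exposure described above, port 11211 reachable from outside the host. It assumes a Debian-style option file with one short option per line; -p, -U and -l are memcached's own options, and the UDP default before 1.5.6 is an assumption the article does not state.

```python
import ipaddress
import shlex

DEFAULT_PORT = 11211  # memcached default port, as named in the article

def parse_options(conf_text):
    """Read one short option per line (Debian-style memcached.conf)."""
    opts = {}
    for line in conf_text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens:
            opts[tokens[0]] = tokens[1] if len(tokens) > 1 else ""
    return opts

def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unknown hostname: assume it is reachable

def audit(conf_text, version):
    """Return a list of exposure findings for one memcached instance."""
    opts = parse_options(conf_text)
    tcp_port = int(opts.get("-p", DEFAULT_PORT))
    # Assumption: before 1.5.6 UDP follows the TCP port unless -U is given;
    # from 1.5.6 on it stays off unless -U enables it.
    legacy = tuple(int(n) for n in version.split(".")) < (1, 5, 6)
    udp_port = int(opts.get("-U", tcp_port if legacy else 0))
    # No -l means memcached listens on every interface.
    listen = opts.get("-l", "0.0.0.0").split(",")
    if all(is_loopback(a.strip()) for a in listen):
        return []
    findings = []
    if udp_port:
        findings.append(f"UDP {udp_port} reachable off-host: usable for amplification")
    if tcp_port:
        findings.append(f"TCP {tcp_port} reachable off-host: anyone can send flush_all or shutdown")
    return findings

# Constructed sample configurations, not taken from a real host.
EXPOSED = "# defaults\n-m 64\n-p 11211\n-u memcache\n"
HARDENED = EXPOSED + "-l 127.0.0.1\n-U 0\n"

if __name__ == "__main__":
    for name, conf, ver in [("exposed", EXPOSED, "1.5.5"), ("hardened", HARDENED, "1.5.6")]:
        print(name, audit(conf, ver) or "no findings")
```

Upgrading alone leaves the TCP finding in place for a server that still listens on every interface, so binding with -l or filtering port 11211 at the firewall is still needed.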