- Corero active defence countermeasure benignly “suppresses” Memcached
DDoS attack threat while leaving compromised servers online;
- Corero researchers reveal that Memcached can be exploited by attackers
to steal or modify data from vulnerable Memcached servers;
- ‘Kill switch’ is available to Corero customers to defend themselves.
Corero SmartWall can issue this command in response to incoming
attacks. Corero has also disclosed the fix to national security agencies;
- Memcached DDoS attacks or Memcached data theft is currently a
potential issue for up to 95,000 vulnerable servers worldwide.
MARLBOROUGH, Mass. & LONDON–(BUSINESS WIRE)–Corero Network Security has today disclosed the existence of a practical
“kill switch” countermeasure for the Memcached vulnerability,
responsible for some of the largest DDoS attacks ever recorded, to
national security agencies. At the same time, the company has revealed
that the vulnerability is more extensive than originally reported – and
can also be used by attackers to steal or modify data from the
vulnerable Memcached servers.
Memcached is an open source memory caching system that stores data in
RAM to speed up access times. It was not originally designed to be
accessible from the Internet, and access to it does not require authentication.
The exploit works by allowing attackers to send spoofed requests and
amplify DDoS attacks by up to 50,000 times to create an unprecedented
flood of attack traffic. In the last week, these massive attacks have
overwhelmed specific targets such as GitHub, and flooded service
providers to degrade service availability.
There are currently over 95,000 servers worldwide answering on TCP or
UDP port 11211 from the internet, which could potentially be used by
attackers to launch DDoS attacks or expose customer data.
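As an added example (not Corero's tool and not code from this release), a small Python self-check that speaks Memcached's UDP framing and reports whether one of your own servers answers a benign `version` request over UDP from the vantage point you run it from; the host, port, timeout and request id are assumptions.

```python
import socket
import struct

MEMCACHED_PORT = 11211
# Memcached's UDP transport: an 8-byte header of four big-endian u16 fields
# (request id, sequence number, total datagrams, reserved) followed by the
# same ASCII command text the TCP protocol uses.
UDP_HEADER = struct.Struct("!HHHH")


def build_udp_frame(command: str, request_id: int = 0) -> bytes:
    """Wrap one ASCII memcached command in a single-datagram UDP frame."""
    return UDP_HEADER.pack(request_id, 0, 1, 0) + command.encode("ascii") + b"\r\n"


def parse_udp_frame(datagram: bytes) -> tuple:
    """Split a datagram into (request id, seq, total datagrams, payload)."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than the 8-byte memcached UDP header")
    request_id, seq, total, _reserved = UDP_HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[UDP_HEADER.size:]


def version_from_reply(datagram: bytes, request_id: int):
    """Return the VERSION line from a reply to our probe, or None when the
    datagram is not a memcached answer carrying the request id we sent."""
    try:
        reply_id, _seq, _total, payload = parse_udp_frame(datagram)
    except ValueError:
        return None
    if reply_id != request_id or not payload.startswith(b"VERSION "):
        return None
    return payload.decode("ascii", "replace").strip()


def probe_udp_version(host: str, port: int = MEMCACHED_PORT, timeout: float = 1.0):
    """Return the server's VERSION line if it answers memcached over UDP,
    else None. Run it from outside your network against your own hosts: any
    reply means the instance is reachable on UDP and usable as a reflector."""
    request_id = 0x1234  # constructed value; a real server echoes it back
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_udp_frame("version", request_id), (host, port))
            data, _addr = sock.recvfrom(1500)
    except OSError:  # timeout, ICMP port unreachable, no route: not exposed
        return None
    return version_from_reply(data, request_id)
```

A version string back means the instance is reachable over UDP from that vantage point; restart memcached with UDP disabled (`-U 0`) and bound to a loopback or internal address (`-l`).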
Ashley Stephenson, CEO at Corero Network Security, explains: “represents a new chapter in DDoS attack executions. Previously, the most
recent record-breaking attacks were being orchestrated from relatively
low bandwidth Internet of Things (IoT) devices. In contrast, these
Memcached servers are typically connected to higher bandwidth networks
and, as a result of high amplification factors, are delivering data
avalanches to crippling effect. Unless operators of Memcached servers
take action, these attacks will continue.”
More Complex Capabilities
Any Memcached server that can be forced into participating in a DDoS
attack towards the Internet can also be coaxed into divulging user data
it has cached from its local network or host. This may include
confidential database records, website customer information, emails, API
data, Hadoop information and more.
The Memcached protocol was designed to be used without logins or
passwords, meaning that anything you add to a vulnerable Memcached
server can be stolen by anyone on the internet, without a login,
password or audit trail. By using a simple debug command, hackers can
reveal the ‘keys’ to your data and retrieve the owner’s data from the
other side of the world. Additionally, it is also possible to
maliciously modify the data and reinsert it into the cache without the
knowledge of the Memcached owner.
Despite repeated warnings by the Memcached developer community and large
IT vendors about security risks, default configurations for some of the
latest operating systems and cloud computing services still allow
ubiquitous access to the Memcached service and customers’ private data.
Ashley Stephenson explains: “While this blatant lapse of security is
relatively clear to the accomplished security practitioner or hacker, it
is not known to the increasingly business-oriented, non-technical user
who is clicking a button to set up a new server in the cloud. There are
dozens of US-CERT CVEs and obscure security warnings related to Memcached
but few of them address the clearly obvious issue of leaving the front
door open on the internet for anyone to come in and take your data.”
The Kill Switch
This week, Corero discovered an effective ‘kill switch’ to the Memcached
vulnerability that sends a command back to an attacking server to
suppress the current DDoS exploitation. The “flush_all” countermeasure
has been disclosed to national security agencies for action. It
invalidates a vulnerable server’s cache, including the large,
potentially malicious payload planted there by attackers.
The countermeasure quench packet has been tested on live attacking
servers and appears to be 100% effective. It has not been observed to
cause any collateral damage.
Ashley Stephenson continues: “Ironically, the Memcached utility
was intended to cache frequently-used web pages and data to boost
legitimate performance. But this utility has now been weaponized to
exploit its performance boosting potential for illegitimate purposes.”
About Corero Network Security
Corero Network Security is the
leader in real-time, high-performance DDoS defense solutions. Service
providers, hosting providers and digital enterprises rely on Corero’s
award winning technology to eliminate the DDoS threat to their
environment through automatic attack detection and mitigation, coupled
with complete network visibility, analytics and reporting. This industry
leading technology provides cost effective, scalable protection
capabilities against DDoS attacks in the most complex environments while
enabling a more cost effective economic model than previously available.
For more information, visit www.corero.com.
Julia Langsman, +44 207 1832 838
Nikolova, +44 7879 495159