Memcached DDoS: This ‘kill switch’ can stop attacks dead in their tracks

Researchers find a technique to contain the memcached amplification attacks seen over the past week.






The 1Tbps-plus memcached amplification attacks that hammered GitHub and other networks over the past week can be disarmed with a “practical kill switch”, according to DDoS protection firm Corero.

The potency of the attacks is due to memcached servers amplifying a target’s spoofed IP address requests by a factor of 50,000.

The attackers are sending forged UDP protocol packets to UDP-enabled memcached servers that are open on the internet, which in response send many more UDP packets to the target.

Corero says its kill switch sends a ‘flush all’ command to the attacking server that suppresses the flood of traffic by invalidating a vulnerable memcached server’s cache.

The company says it’s tested it on real attacking servers and that it “appears to be 100 percent effective”.

The memcached issue has now been assigned the identifier CVE-2018-1000115, which identifies memcached version 1.5.5 as having an “Insufficient control of Network Message Volume vulnerability in the UDP support of the memcached server that can result in denial of service via network flood”.

Memcached servers should be updated to version 1.5.6, released by memcached developers in the wake of the amplification attacks. The updated version disables the UDP protocol by default, meaning it needs to be explicitly enabled.

This update should address the emergence of a pre-configured memcached attack tool posted on GitHub and Pastebin that allows anyone to send forged UDP packets to several thousand memcached servers identified through the Shodan search engine.

Public alarm over the massive DDoS attacks appears to have had a positive effect on efforts to shutdown memcached abuse.

Before GitHub’s attack, Rapid7’s Project Sonar internet scanner detected nearly 140,000 open memcached devices. However, as of March 1, this has dropped to 58,000. Exposed memcached servers with UDP enabled have also fallen from 18,000 on March 1 to under 12,000 on March 5.

However, Rapid7 notes there thousands of exposed memcached servers running various versions released over the past decade that are “riddled” with vulnerabilities, including remote code execution flaws that could allow them to be used as part of a botnet.