Live Updates : Memcached DDoS Attacks, Mitigation, and Kill Switch

Attackers have found a new way of launching DDoS attacks, using the Universal Plug and Play (UPnP) protocol. Using this protocol, attackers can mask the source of a launched DDoS attack making it difficult for victims to detect and mitigate the issue. Using UPnP as a method to alter port mapping, the malicious "payloads would originate from irregular source ports." This makes tools designed for blacklisting the traffic essentially useless.

?https://www.techrepublic.com/article/upnp-protocol-exploit-makes-it-harder-for-it-to-shut-down-ddos-attacks/

Academics from Vrije University and University of Cyprus have discovered a way for launching Rowhammer attacks via network packets and network cards. The newly discovered method makes it easier and much more convenient to launch the Rowhammer attacks. The new attack method is named Throwhammer.

For more details:

https://www.bleepingcomputer.com/news/security/researchers-come-up-with-a-way-to-launch-rowhammer-attacks-via-network-packets/

On 28th February, exposed memcached servers were used to launch the largest recorded (1.3 Tbps) DDoS attack. These attacks were a wake up call for developers that attackers haven't stopped looking for new pools of vulnerable protocols and services to exploit. Developers need to understand that security should be made the primary concern from the development stage of a piece of software through to its end of life.

Almost every organization has been affected by a DDoS (Distributed Denial of Service) attack, either directly or indirectly, at one point. Hence, businesses must make sure they are prepared to thwart the attacks. Here are few recommendations to prepare for a DDoS attack:

  

Source: https://www.darkreading.com/endpoint/privacy/why-ddos-just-wont-die/d/d-id/1331734

Kaspersky Labs released its latest Q1 2018 DDoS Intelligence Report, based on data from Kaspersky DDoS Intelligence. As per the report, overall in the first quarter of 2018, DDoS botnets attacked online resources in 79 countries. Most of the attacks were in China, the US and South Korea. The longest DDoS attack lasting 297 hours (more than 12 days) was also recorded recorded in 2018.

For more details: https://securelist.com/ddos-report-in-q1-2018/85373/

Kaspersky Labs released its quarterly report on DDoS Intelligence and expected the popularity of the Memcached-based attacks to be short-lived because these attacks not only affect their targets, but also the companies unwittingly involved in carrying out the attacks. Memcached service was being used by hackers in order to to attack another service and generate huge volumes of outgoing traffic that the web resources crash. Thus, these unwitting accomplices soon notice the higher load and quickly patch the vulnerabilities to avoid losses, thereby reducing the number of servers available to attackers.

Source: http://www.dqindia.com/kaspersky-lab-ddos-intelligence-quarterly-report-amplification-attacks-old-botnets-make-comeback/

GitHub released its plan to expand its scan to Python dependencies later this year, after the Equifax data breach demonstrated the serious consequences of having vulnerable open-source software libraries.

As per GitHub, it found around 4 million security flaws in more than half a million repositories. Security alerts have been issued to projects' admins in their dependency graphs and repository home pages.

Russian officials are claiming that their Central Election Commission's website was targeted by a massive DDoS (Distributed Denial of Service) attack, which was successfully repelled. The malicious traffic was generated IP addresses from 15 different countries, on March 18. This incident disproves the accusations made by U.S. and global intelligence agencies that Russia sponsors offensive cyberattacks and cyber espionage activities against Western nations. However, it is also conceivable that Moscow officials fabricated or exaggerated an attack as part of a disinformation or propaganda campaign.

Hackers are advertising a new DDoS-as-a-service tool that, according to advertisements posted on Pastebin, can generate 350Gbps via DNS amplification attacks. The ad posted this month also claims that the tool is capable of executing the memcached amplification attack.

Memcached attack size has been declining ever since companies have put forth the cleanup and mitigation efforts. Meanwhile, Intel and Micron have developed a new type of storage for data centers called 3D Xpoint. This is designed to improve the speed of storage and latency by reducing processor wait times. Storing and retrieving data will also become much faster when compared to today's solid-state drives.

Security researchers have declared that no new attacks were reported over the weekend.

For most of the last week, the attack volumes kept increasing. Qihoo 360 stated that it had logged 10,000 attack events in the previous week, and identified 7,131 victim IP addresses.

The memcached DDoS attacks have affected major websites--including Google, Playstation and several NRA domains. Here is a consolidated list of affected websites:

QQ (qq[.]com)

360 (360[.]com)

Amazon (Amazon[.]com)

Google (Googleusercontent[.]com)

Avast (Avast[.]com)

Kaspersky Labs (Kaspersky-labs[.]com)

Brian Krebs (krebsonsecurity[.]com)

Epoch Times (Epochtimes[.]com)

PlayStation (PSN) (Playstation[.]net)

Minecraft (Minecraft[.]net)

GTA developers Rockstar Games (Rockstargames[.]com)

Pornhub (Pornhub[.]com)

HomePornBay (HomePornBay[.]com)

NRA Carry Guard (Nracarryguard[.]com)

The NRA Foundation (Nrafoundation[.]org)

The National Rifle Association of America (NRA) (Nra[.]org)

The ongoing cleanup and mitigation efforts have decreased the size of the DDoS attacks considerably. CTO of CloudFlare, Graham-Cumming, has commented that the attacks have reduced to a point that now, they are small compared to other DDoS vectors. As researchers continue to shutdown the vulnerable servers, the volume of memcached attacks will gradually decrease.

Researchers have assigned the memcached issue with the identifier CVE-2018-1000115. This identifies memcached version 1.5.5 as having an "Insufficient control of Network Message Volume vulnerability in the UDP support of the memcached server that can result in denial of service via network flood".

A new tool, named Memfixed, that can help victims of memcached-based DDoS attacks has been released by security researchers. The tool allows victims to send a "flush_all" command to each IP in part, or to a group of multiple attacking IPs. Thus, they can erase the cached memory of a Memcached server, including the malicious payload that is executing the DDoS attack.

https://www.bleepingcomputer.com/news/security/memfixed-tool-helps-mitigate-memcached-based-ddos-attacks/

Various researchers have published a proof-of-concept code that can be adapted by hackers. Among them is the Python script "Memcrashed.py" which integrates with the Shodan search engine to find vulnerable servers--that can be used to launch attacks. Alternatively, hackers can also use a version in C that uses a static list of vulnerable servers was uploaded to Pastebin.

A memcached developer tweeted that, because the vulnerable Memcached server IP is not spoofed, it is easy to disable them by sending the "shutdown\r\n" or "running 'flush_all\r\n' command in a loop. Though this vulnerability has been patched in memcached 1.5.6, which now disables the vulnerable UDP version of the protocol by default, researchers are bewildered by the existence of a UDP-facing protocol in memcached in the first place.

More than 95,000 servers have been discovered to be vulnerable to DDoS attacks. The risk occurs due to the memcached open source utility designed to cache in RAM frequently used web pages. Even though the web page caching utility was initially not designed to be internet-accessible and can be accessible without authentication; as the TCP or UDP port 11211 were left open to internet-borne requests, the attacks were possible.

Several observations have been made regarding websites associated with the NRA (US National Rifle Association) domains going down due to the memcached-based DDoS attacks. The three official NRA domains--nra.org, nrafoundation.org, and nracarryguard.com--have also been targeted.

Qihoo 360's Network Security Research Laboratory (Netlab), published few statistics in connection with the new Memcached-based DDoS attack vector. The statistics revealed that large tech companies are among the top targets, including Chinese Internet portals QQ.com and 360.com,and Google and Amazon. The list of targets also includes the porn industry (PornHub, HomePornBay), the gaming industry (Play Station, Minecraft, Rockstar Games), and cyber-security companies (Avast, Kaspersky Lab, Qihoo 360).

Attackers can use two separate exploits in order to lower the bar for waging these new types of attacks.

1) Memcrashed : This exploit prompts users to to enter the IP address to be targeted, and automatically uses Shodan to locate unsecured memcached servers and abuses them.

2) This exploit relies on a static list of 17,000 unsecured memcached servers to wage assaults against targets.

http://blog.netlab.360.com/memcache-udp-reflection-amplification-attack-ii-the-targets-the-sources-and-breakdowns-en/

A kill switch has been disclosed by Corero Network Security. Researchers of the firm discovered that any exposed memcached server that can be leveraged for a DDoS attack can also be tricked into sharing user data it has cached from its local network or host. This is possible as memcached servers don't use authentication. Attackers can also modify the cache without owners' knowledge.

For more details:

https://www.corero.com/company/newsroom/press-releases/corero-network-security-discovers-memcached-ddos-attack-kill-switch-and-also-reveals-memcached-exploit-can-be-used-to-steal-or-corrupt-data/

The DDoS attacks have been found accompanied by ransom notes that say "Pay 50 XMR" along with the address to a wallet. XMR denotes the Monero cryptocurrency. This is a new way of sending ransom notes without using email services.

As per a blog post released by Arbor Networks on 5th March, 2018, that a 1.7-terabit-per-second DoS attack was launched against the customer of a U.S. based internet service provider. No other details of the victim have been revealed. The blog post also said that the ISP had proper defenses in place and that no outages were reported.

Memcached servers listen on UDP port 11211 by default. This can be exploited to produce DDoS amplification attacks by sending the memcached server a UDP packet with a spoofed IP containing a message asking for statistics. This, in turn causes the server to return an enormous message to the victim. Attackers can also deliver massive packers using the exploitable DDoS amplification vectors, without the need to control a botnet of hacked devices.

For more details: https://www.imperva.com/blog/2018/03/new-ddos-amplification-attack-vector-via-memcached-servers/

As per a blog post written by Brian Krebs, Cybereason found that hackers behind the memcached attacks were embedding ransom notes and payment addresses into the junk traffic sent via their attacks. A note demanding 50 XMR or Monero has been found by Akamai.

Cybereason says that hackers are attacking people with continuously repeated ransom notes. Messages are repeated until the file size reaches one megabyte, which is then requested from Memcache servers over and over. When files are bounced through multiple Memcached servers, the result is a massive amount of information, with a very simple script.

Source: https://krebsonsecurity.com/2018/03/powerful-new-ddos-method-adds-extortion/

A 1.35-terabit-per-second denial of service (DoS) attack has targeted GitHub on Wednesday (28th February, 2018). This attack counts as the most powerful denial of service barrage against a single site. Compared to the 2016 Mirai botnet attacks, the size of the DDoS attacks is much bigger.

Hackers used an attack technique called amplification attack in order to launch the DoS attack against GitHub. An attacker spoofs their IP address to look like the victim’s IP address. They send a forged request to a vulnerable memcached server — databases that are meant to speed up networks but lately are abused because many are inadvertently exposed to the public internet. That’s a problem receiving more attention in the aftermath of this attack.

Now, the server responds to the victim’s IP address with response packets that are much larger than the original queries. Thus, an attacker with 1-gigbit-per-second capacity can ultimately launch a 100-Gbps attack.

Source: https://www.cyberscoop.com/github-denial-of-service-amplification-attack/

A China-based researcher group has credited the concept of memcached reflection to a 2014 security conference talk. Then, Black Hat introduced a concept called “Memcached injection,” -- which by speculation gave way for these attacks.

Memcached servers are used to allow applications that need access to data from external databaseto speed up page load time and deal with spikes in demands to cache part of the data in memory in order to access it much more quickly. These servers are used by various organizations to speed up page load time and deal with spikes in demand. Generally these servers are used internally (inaccessible through public internet) within a trusted network to improve internal application performance.