Go to listing page

Live Updates : Memcached DDoS Attacks, Mitigation, and Kill Switch

Live Updates : Memcached DDoS Attacks, Mitigation, and Kill Switch

Share Blog Post

(Update: May 17, 3:00 AM EST)

UPnP protocol
Attackers have found a new way of launching DDoS attacks, using the Universal Plug and Play (UPnP) protocol. Using this protocol, attackers can mask the source of a launched DDoS attack making it difficult for victims to detect and mitigate the issue. Using UPnP as a method to alter port mapping, the malicious "payloads would originate from irregular source ports." This makes tools designed for blacklisting the traffic essentially useless.



(Update: May 10, 4:00 AM EST)

New way of launching Rowhammer attacks
Academics from Vrije University and University of Cyprus have discovered a way for launching Rowhammer attacks via network packets and network cards. The newly discovered method makes it easier and much more convenient to launch the Rowhammer attacks. The new attack method is named Throwhammer.

For more details:


(Update: May 09, 4:00 AM EST)

A reflection on Memcached attacks
On 28th February, exposed memcached servers were used to launch the largest recorded (1.3 Tbps) DDoS attack. These attacks were a wake up call for developers that attackers haven't stopped looking for new pools of vulnerable protocols and services to exploit. Developers need to understand that security should be made the primary concern from the development stage of a piece of software through to its end of life.

Be prepared for multi-vector attacks
Almost every organization has been affected by a DDoS (Distributed Denial of Service) attack, either directly or indirectly, at one point. Hence, businesses must make sure they are prepared to thwart the attacks. Here are few recommendations to prepare for a DDoS attack:
  • Establish a security policy, including how you'll enact and enforce it
  • Track issues that are security risks
  • Enact a business continuity/disaster recovery plan
  • Employ good security hygiene
  • Create an incident response plan that operates hand-in-hand with a business continuity/disaster recovery plan
  • Have a multi-pronged response plan, so that while you're being DDoSed, your data isn't also getting stolen in the background
  • Execute tabletop attack exercises
  • Hire external penetration tests
  • Conduct user security awareness and training
  • Change all factory-default passwords in devices
  • Know your supply chain and any potential risks they bring
  • Use DDoS traffic scrubbers, DDoS mitigation services
Source: https://www.darkreading.com/endpoint/privacy/why-ddos-just-wont-die/d/d-id/1331734


(Update: April 30, 5:00 AM EST)

DDoS Intelligence by Kaspersky
Kaspersky Labs released its latest Q1 2018 DDoS Intelligence Report, based on data from Kaspersky DDoS Intelligence. As per the report, overall in the first quarter of 2018, DDoS botnets attacked online resources in 79 countries. Most of the attacks were in China, the US and South Korea. The longest DDoS attack lasting 297 hours (more than 12 days) was also recorded recorded in 2018.

For more details: https://securelist.com/ddos-report-in-q1-2018/85373/

Memcached-type attacks are shortlived
Kaspersky Labs released its quarterly report on DDoS Intelligence and expected the popularity of the Memcached-based attacks to be short-lived because these attacks not only affect their targets, but also the companies unwittingly involved in carrying out the attacks. Memcached service was being used by hackers in order to to attack another service and generate huge volumes of outgoing traffic that the web resources crash. Thus, these unwitting accomplices soon notice the higher load and quickly patch the vulnerabilities to avoid losses, thereby reducing the number of servers available to attackers.

Source: http://www.dqindia.com/kaspersky-lab-ddos-intelligence-quarterly-report-amplification-attacks-old-botnets-make-comeback/


(Update: March 23, 6:00 AM EST)

GitHub to expand scan to Python dependencies
GitHub released its plan to expand its scan to Python dependencies later this year, after the Equifax data breach demonstrated the serious consequences of having vulnerable open-source software libraries.
As per GitHub, it found around 4 million security flaws in more than half a million repositories. Security alerts have been issued to projects' admins in their dependency graphs and repository home pages.


(Update: March 21, 4:00 AM EST)

DDoS attack on Russian election website
Russian officials are claiming that their Central Election Commission's website was targeted by a massive DDoS (Distributed Denial of Service) attack, which was successfully repelled. The malicious traffic was generated IP addresses from 15 different countries, on March 18. This incident disproves the accusations made by U.S. and global intelligence agencies that Russia sponsors offensive cyberattacks and cyber espionage activities against Western nations. However, it is also conceivable that Moscow officials fabricated or exaggerated an attack as part of a disinformation or propaganda campaign.

Hackers are advertising a new DDoS-as-a-service tool that, according to advertisements posted on Pastebin, can generate 350Gbps via DNS amplification attacks. The ad posted this month also claims that the tool is capable of executing the memcached amplification attack.


(Update: March 14, 5:00 AM EST)

New type of storage data
Memcached attack size has been declining ever since companies have put forth the cleanup and mitigation efforts. Meanwhile, Intel and Micron have developed a new type of storage for data centers called 3D Xpoint. This is designed to improve the speed of storage and latency by reducing processor wait times. Storing and retrieving data will also become much faster when compared to today's solid-state drives.


(Update: March 12, 2:00 AM EST)

No new attacks
Security researchers have declared that no new attacks were reported over the weekend.
For most of the last week, the attack volumes kept increasing. Qihoo 360 stated that it had logged 10,000 attack events in the previous week, and identified 7,131 victim IP addresses.


(Update: March 10, 2:00 AM EST)

Google, Playstation among the affected
The memcached DDoS attacks have affected major websites--including Google, Playstation and several NRA domains. Here is a consolidated list of affected websites:
QQ (qq[.]com)
360 (360[.]com)
Amazon (Amazon[.]com)
Google (Googleusercontent[.]com)
Avast (Avast[.]com)
Kaspersky Labs (Kaspersky-labs[.]com)
Brian Krebs (krebsonsecurity[.]com)
Epoch Times (Epochtimes[.]com)
PlayStation (PSN) (Playstation[.]net)
Minecraft (Minecraft[.]net)
GTA developers Rockstar Games (Rockstargames[.]com)
Pornhub (Pornhub[.]com)
HomePornBay (HomePornBay[.]com)
NRA Carry Guard (Nracarryguard[.]com)
The NRA Foundation (Nrafoundation[.]org)
The National Rifle Association of America (NRA) (Nra[.]org)

Full-fledged patching
The ongoing cleanup and mitigation efforts have decreased the size of the DDoS attacks considerably. CTO of CloudFlare, Graham-Cumming, has commented that the attacks have reduced to a point that now, they are small compared to other DDoS vectors. As researchers continue to shutdown the vulnerable servers, the volume of memcached attacks will gradually decrease.


(Update: March 9, 6:00 AM EST)

Identifier assigned
Researchers have assigned the memcached issue with the identifier CVE-2018-1000115. This identifies memcached version 1.5.5 as having an "Insufficient control of Network Message Volume vulnerability in the UDP support of the memcached server that can result in denial of service via network flood".
Updating to memcached servers to version 1.5.6 will disable the UDP protocol by default and thus stops the amplification attacks.


(Update: March 9, 4:00 AM EST)

Memfixed tool
A new tool, named Memfixed, that can help victims of memcached-based DDoS attacks has been released by security researchers. The tool allows victims to send a "flush_all" command to each IP in part, or to a group of multiple attacking IPs. Thus, they can erase the cached memory of a Memcached server, including the malicious payload that is executing the DDoS attack.

Instructions for use:

Python script "Memcrashed.py"
Various researchers have published a proof-of-concept code that can be adapted by hackers. Among them is the Python script "Memcrashed.py" which integrates with the Shodan search engine to find vulnerable servers--that can be used to launch attacks. Alternatively, hackers can also use a version in C that uses a static list of vulnerable servers was uploaded to Pastebin.

Vulnerability in memcached
A memcached developer tweeted that, because the vulnerable Memcached server IP is not spoofed, it is easy to disable them by sending the "shutdown\r\n" or "running 'flush_all\r\n' command in a loop. Though this vulnerability has been patched in memcached 1.5.6, which now disables the vulnerable UDP version of the protocol by default, researchers are bewildered by the existence of a UDP-facing protocol in memcached in the first place.

Servers vulnerable to DDoS attacks
More than 95,000 servers have been discovered to be vulnerable to DDoS attacks. The risk occurs due to the memcached open source utility designed to cache in RAM frequently used web pages. Even though the web page caching utility was initially not designed to be internet-accessible and can be accessible without authentication; as the TCP or UDP port 11211 were left open to internet-borne requests, the attacks were possible.


(Update: March 8, 12:00 PM EST)

Attacks on NRA domains
Several observations have been made regarding websites associated with the NRA (US National Rifle Association) domains going down due to the memcached-based DDoS attacks. The three official NRA domains--nra.org, nrafoundation.org, and nracarryguard.com--have also been targeted.

Statistics on memcached DDoS
Qihoo 360's Network Security Research Laboratory (Netlab), published few statistics in connection with the new Memcached-based DDoS attack vector. The statistics revealed that large tech companies are among the top targets, including Chinese Internet portals QQ.com and 360.com,and Google and Amazon. The list of targets also includes the porn industry (PornHub, HomePornBay), the gaming industry (Play Station, Minecraft, Rockstar Games), and cyber-security companies (Avast, Kaspersky Lab, Qihoo 360).

Two separate exploits
Attackers can use two separate exploits in order to lower the bar for waging these new types of attacks.
1) Memcrashed : This exploit prompts users to to enter the IP address to be targeted, and automatically uses Shodan to locate unsecured memcached servers and abuses them.
2) This exploit relies on a static list of 17,000 unsecured memcached servers to wage assaults against targets.

Frequency of the attacks
Netlab says that before February 24, it recorded less than 50 Memcached-based DDoS attacks per day. Between February 24 and February 28 this number grew to 372 per day, then to 1,938 between March 1 and March 5, and the company recorded 2,008 DDoS attacks yesterday, on March 7.



(Update: March 7, 9:00 AM EST)

Kill switch for memcached vulnerability
A kill switch has been disclosed by Corero Network Security. Researchers of the firm discovered that any exposed memcached server that can be leveraged for a DDoS attack can also be tricked into sharing user data it has cached from its local network or host. This is possible as memcached servers don't use authentication. Attackers can also modify the cache without owners' knowledge.

The kill switch has been tested on live attacking servers. It works by sending a command back to the attackers' server to suppress the current DDoS exploitation. This invalidates the cache of a vulnerable server, including attackers' potentially malicious payload.

For more details:


(Update: March 6, 7:00 AM EST)

Ransom demands
The DDoS attacks have been found accompanied by ransom notes that say "Pay 50 XMR" along with the address to a wallet. XMR denotes the Monero cryptocurrency. This is a new way of sending ransom notes without using email services.


(Update: March 5, 10:00 AM EST)

Attack on Arbor Networks
As per a blog post released by Arbor Networks on 5th March, 2018, that a 1.7-terabit-per-second DoS attack was launched against the customer of a U.S. based internet service provider. No other details of the victim have been revealed. The blog post also said that the ISP had proper defenses in place and that no outages were reported.
The same memcached tactic that was used to launch attacks against GitHub was used here.

Exploitation method
Memcached servers listen on UDP port 11211 by default. This can be exploited to produce DDoS amplification attacks by sending the memcached server a UDP packet with a spoofed IP containing a message asking for statistics. This, in turn causes the server to return an enormous message to the victim. Attackers can also deliver massive packers using the exploitable DDoS amplification vectors, without the need to control a botnet of hacked devices.
These amplification attacks result in an amplification factor of 9000 X or more. As a comparison, NTP, a DDoS amplification vector known for its high amplification factor typically reaches an amplification factor of 557 X the original payload.

For more details: https://www.imperva.com/blog/2018/03/new-ddos-amplification-attack-vector-via-memcached-servers/


(Update: March 2, 8:00 AM EST)

Cybereason tracking memcached attacks
As per a blog post written by Brian Krebs, Cybereason found that hackers behind the memcached attacks were embedding ransom notes and payment addresses into the junk traffic sent via their attacks. A note demanding 50 XMR or Monero has been found by Akamai.

Cybereason says that hackers are attacking people with continuously repeated ransom notes. Messages are repeated until the file size reaches one megabyte, which is then requested from Memcache servers over and over. When files are bounced through multiple Memcached servers, the result is a massive amount of information, with a very simple script.

Source: https://krebsonsecurity.com/2018/03/powerful-new-ddos-method-adds-extortion/


(Update: March 1, 9:00 AM EST)

Attack on GitHub
A 1.35-terabit-per-second denial of service (DoS) attack has targeted GitHub on Wednesday (28th February, 2018). This attack counts as the most powerful denial of service barrage against a single site. Compared to the 2016 Mirai botnet attacks, the size of the DDoS attacks is much bigger.
The GitHub platform went down a number of times in the week, during the attack. However, the traffic was diverted to Akamai (a cloud computing company) to stop the attack.

How does amplification attack work?
Hackers used an attack technique called amplification attack in order to launch the DoS attack against GitHub. An attacker spoofs their IP address to look like the victim’s IP address. They send a forged request to a vulnerable memcached server — databases that are meant to speed up networks but lately are abused because many are inadvertently exposed to the public internet. That’s a problem receiving more attention in the aftermath of this attack.
Now, the server responds to the victim’s IP address with response packets that are much larger than the original queries. Thus, an attacker with 1-gigbit-per-second capacity can ultimately launch a 100-Gbps attack.

Source: https://www.cyberscoop.com/github-denial-of-service-amplification-attack/

Memcache reflection has older roots
A China-based researcher group has credited the concept of memcached reflection to a 2014 security conference talk. Then, Black Hat introduced a concept called “Memcached injection,” -- which by speculation gave way for these attacks.

What are memcached servers?
Memcached servers are used to allow applications that need access to data from external databaseto speed up page load time and deal with spikes in demands to cache part of the data in memory in order to access it much more quickly. These servers are used by various organizations to speed up page load time and deal with spikes in demand. Generally these servers are used internally (inaccessible through public internet) within a trusted network to improve internal application performance.
However, recent events indicate that memcachecd servers have been left exposed to the exploitation by anyone.


global ddos attacks
akamai platform
memcached injection

Posted on: June 06, 2018

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.