It doesn’t take cyber attackers long to pick up on an effective idea. Four days after a huge distributed denial of service (DDoS) attack on GitHub that fired record-breaking 1.3TB of data at the site leveraging misconfigured servers using the Memcached distributed caching system, a new record has been set.
–install a firewall that should provide access to Memcached servers only from the local network, says The Hacker News;
–Administrators should also consider avoiding external traffic to the ports used by Memcached (for example 11211 port used by default), and block or rate-limiting UDP (user datagram protocol) or completely disable UDP support if not in use;
--listen 127.0.0.1to listen only to localhost and
-U 0to disable UDP completely. By default Memcached listens on INADDR_ANY and runs with UDP support ENABLED. There’s documentation here: https://github.com/memcached/memcached/wiki/ConfiguringServer#udp
Cloudlfare says it’s easy to test if a server is vulnerable by running:
$ echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211 STAT pid 21357 STAT uptime 41557034 STAT time 1519734962 ...
If you see non-empty response (like the one above), your server is vulnerable;
–Cloudflare also urges developers to stop using UDP. If you must, don’t enable it by default.
Memcached is an open source high-performance, distributed memory object caching system originally intended for use in speeding up dynamic web applications by alleviating database load. It comes with some Linux distributions. Users reportedly include Wikipedia, WordPress, Flickr and Craigslist. Because memcached can use UDP, which is easily spoofable, it’s ideal as a reflector for a DDoS attack, notes Akamai. And misconfigured Memcached servers can have an amplification factor of over 50,000, meaning a 203 byte request results in a 100-megabyte response.
On March 1 Akamai, Cloudflare and others announced the discovery of the 1.3TB attack against GitHub, as well as smaller attacks against other customers. “Because of its ability to create such massive attacks, it is likely that attackers will adopt Memcached reflection as a favorite tool rapidly,” Akami accurately predicted. “Additionally, as lists of usable reflectors are compiled by attackers, this attack method’s impact has the potential to grow significantly.”
This isn’t a newly-discovered vulnerability, Arbor Networks noted in a blog last week with recommended mitigations. A presentation at BlackHat USA in 2010 pointed out there were many insecure Memcached deployments which could be used to retrieve and possibly alter sensitive databases of Internet-facing services such as Web servers, e-commerce sites.
Separately, Cisco Systems’ Talos threat intelligence blog noted last summer that in late 2016 it discovered Memcached had some memory vulnerabilities that could be exploited by attackers. Early in 2017 it scanned the Internet and found about 107,000 Memcached servers exposed to the Internet, including 2,400 in Canada.