The Hacker News — Cyber Security, Hacking, Technology News

Memcached reflections that recently fueled two most largest amplification DDoS attacks in the history have also helped other cybercriminals launch nearly 15,000 cyber attacks against 7,131 unique targets in last ten days, a new report revealed.

Chinese Qihoo 360's Netlab, whose global DDoS monitoring service 'DDosMon' initially spotted the Memcached-based DDoS attacks, has published a blog post detailing some new statistics about the victims and sources of these attacks.

The list of famous online services and websites which were hit by massive DDoS attacks since 24th February includes Google, Amazon, QQ.com, 360.com, PlayStation, OVH Hosting, VirusTotal, Comodo, GitHub (1.35 Tbps attack), Royal Bank, Minecraft and RockStar games, Avast, Kaspersky, PornHub, Epoch Times newspaper, and Pinterest.

Overall, the victims are mainly based in the United States, China, Hong Kong, South Korea, Brazil, France, Germany, the United Kingdom, Canada, and the Netherlands.

According to Netlab researchers, the frequency of attacks since 24th February has increased dramatically, as listed below:

• Before 24th February, the day when Memcached-based DDoS attacks were first spotted, the daily average was less than 50 attacks.
• Between 24th and 28th February, when Memcached as a new amplification attack vector was not publicly disclosed and known to a small group of people, the attacks raised to an average of 372 attacks per day.
• Soon after the first public report came on 27th February, between 1st and 8th March, the total number of attacks jumped to 13,027, with an average of 1,628 DDoS attack events per day.

Netlab's 360 0kee team initially discovered the Memcached vulnerability in June 2017 and disclosed (presentation) it in November 2017 at a conference, but its researchers have hardly seen any Memcache DDoS attacks since then.

The maximum number of active vulnerable Memcached servers at a time that participated in the DRDoS attacks was 20,612.

I don't want to exaggerate this but expect hundreds of thousands of Memcached-based DDoS attacks in coming days, as hackers and researchers have now released multiple easy-to-execute exploits that could allow anyone to launch Memcached amplification attacks.

However, researchers have also discovered a 'kill-switch' technique that could help victims mitigate Memcached DDoS attacks efficiently.

Despite multiple warnings, over 12,000 vulnerable Memcached servers with UDP support enabled are still exposed on the Internet, which could fuel more cyber attacks.

Therefore, server administrators are strongly advised to install the latest Memcached 1.5.6 version which disables UDP protocol by default to prevent amplification/reflection DDoS attacks.

Security researchers have discovered a "kill switch" that could help companies protect their websites under massive DDoS attack launched using vulnerable Memcached servers.

Massive Memcached reflection DDoS attacks with an unprecedented amplification factor of 50,000 recently resulted in some of the largest DDoS attacks in history.

To make matter even worse, someone released proof-of-concept (PoC) exploit code for Memcached amplification attack yesterday, making it easier for even script kiddies to launch massive cyber attacks.

Despite multiple warnings, more than 12,000 vulnerable Memcached servers with UDP support enabled are still accessible on the Internet, which could fuel more cyber attacks soon.

However, the good news is that researchers from Corero Network Security found a technique using which DDoS victims can send back a simple command, i.e., "shutdown\r\n", or "flush_all\r\n", in a loop to the attacking Memcached servers in order to prevent amplification.

Where, the flush_all command simply flush the content (all keys and their values) stored in the cache, without restarting the Memcached server.

The company said its kill-switch has efficiently been tested on live attacking Memcached servers and found to be 100% effective, and has already been disclosed to national security agencies.

Based on this finding, security researcher Amir Khashayar Mohammadi—who focuses on malware analysis, cryptanalysis, web exploitation, and other cyber attack vectors—has created and released a simple DDoS mitigation tool, dubbed Memfixed, that sends flush or shutdown commands to the vulnerable Memcached servers.

Written in Python, Memfixed automatically obtains a list of vulnerable Memcached servers using Shodan API to trigger shutdown/flush commands.

Stealing Sensitive Data From Memcached Servers

What's more? Corero Researchers also claimed that the Memcached vulnerability (CVE-2018-1000115) is more extensive than initially reported, and can be exploited beyond leveraging it for a DDoS attack.

Without revealing any technical detail, the company said the Memcached vulnerability could also be exploited by remote attackers to steal or modify data from the vulnerable Memcached servers by issuing a simple debug command.

Dynamic database-driven websites use a Memcached application to improve their performance by caching data and objects in the RAM.

Since Memcached has been designed to be used without logins or passwords, attackers can remotely steal sensitive user data it has cached from its local network or host without requiring any authentication.

The data may include confidential database records, emails, website customer information, API data, Hadoop information and more.

"By using a simple debug command, hackers can reveal the 'keys' to your data and retrieve the owner's data from the other side of the world," the company said. "Additionally, it is also possible to maliciously modify the data and re-insert it into the cache without the knowledge of the Memcached owner."

Server administrators are strongly advised to install the latest Memcached 1.5.6 version which disables UDP protocol by default to prevent amplification/reflection DDoS attacks.

Two separate proofs-of-concept (PoC) exploit code for Memcached amplification attack have been released online that could allow even script-kiddies to launch massive DDoS attacks using UDP reflections easily.

The first DDoS tool is written in C programming language and works with a pre-compiled list of vulnerable Memcached servers.

Bonus—its description already includes a list of nearly 17,000 potential vulnerable Memcached servers left exposed on the Internet.

Whereas, the second Memcached DDoS attack tool is written in Python that uses Shodan search engine API to obtain a fresh list of vulnerable Memcached servers and then sends spoofed source UDP packets to each server.

Last week we saw two record-breaking DDoS attacks—1.35 Tbps hit Github and 1.7 Tbps attack against an unnamed US-based company—which were carried out using a technique called amplification/reflection attack.

For those unaware, Memcached-based amplification/reflection attack amplifies bandwidth of the DDoS attacks by a factor of 51,000 by exploiting thousands of misconfigured Memcached servers left exposed on the Internet.

Memcached is a popular open source distributed memory caching system, which came into news earlier last week when researchers detailed how hackers could abuse it to launch amplification/reflection DDoS attack by sending a forged request to the targeted Memcached server on port 11211 using a spoofed IP address that matches the victim's IP.

A few bytes of the request sent to the vulnerable Memcached server can trigger tens of thousands of times bigger response against the targeted IP address, resulting in a powerful DDoS attack.
For a detailed explanation on how Memcached amplification attack works, you can head on to our previous article.

Since last week when Memcached has been revealed as a new amplification/reflection attack vector, some hacking groups started exploiting unsecured Memcached servers.

But now the situation will get worse with the release of PoC exploit code, allowing anyone to launch massive DDoS attacks, and will not come under control until the last vulnerable Memcached server is patched, or firewalled on port 11211, or completely taken offline.

Moreover, cybercriminals groups have already started weaponizing this new DDoS technique to threaten big websites for extorting money.

Following last week's DDoS attack on GitHub, Akamai reported its customers received extortion messages delivered alongside the typically "junk-filled" attack payloads, asking them for 50 XMR (Monero coins), valued at over $15,000.

Reflection/amplification attacks are not new. Attackers have previously used this DDoS attack technique to exploit flaws in DNS, NTP, SNMP, SSDP, Chargen and other protocols in order to maximize the scale of their cyber attacks.

To mitigate the attack and prevent Memcached servers from being abused as reflectors, the best option is to bind Memcached to a local interface only or entirely disable UDP support if not in use.

The bar has been raised.

As more amplified attacks were expected following the record-breaking 1.35 Tbps Github DDoS attack, someone has just set a new record after only four days — 1.7 Tbps DDoS attack.

Network security and monitoring company Arbor Networks claims that its ATLAS global traffic and DDoS threat data system have recorded a 1.7Tbps reflection/amplification attack against one of its unnamed US-based customer's website.

Similar to the last week's DDoS attack on GitHub, the massive bandwidth of the latest attack was amplified by a factor of 51,000 using thousands of misconfigured Memcached servers exposed on the Internet.

Memcached, a popular open source distributed memory caching system, came into news earlier last week when researchers detailed how attackers could abuse it to launch amplification DDoS attack by sending a forged request to the targeted Memcached server on port 11211 using a spoofed IP address that matches the victim's IP.

A few bytes of the request sent to the vulnerable server can trigger tens of thousands of times bigger response against the targeted IP address, resulting in a powerful DDoS attack.
Meanwhile, researchers also noted that cybercriminals have started weaponizing the DDoS attacks through vulnerable memcached servers to extort money from victims.

Following last week's 1.3 Tbps DDoS attack against GitHub, Akamai said its customers have been receiving extortion messages delivered alongside the typically "junk-filled" attack payloads, asking them for 50 XMR (Monero coins), valued at over $15,000.

"While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit," Arbor Networks said in a blog post.

Reflection/amplification attacks are not new. Attackers have previously used reflection/amplification DDoS attack techniques to exploit flaws in DNS, NTP, SNMP, SSDP, CLDAP, Chargen and other protocols in an attempt to maximize the scale of their cyber attacks.

However, the latest attack vector involves thousands of misconfigured Memcached servers, many of which are still exposed on the Internet and could be exploited to launch potentially more massive attacks soon against other targets. So expect to see more such attacks in coming days.

To prevent Memcached servers from being abused as reflectors, we urge users to install a firewall that should provide access to memcached servers only from the local network.

Administrators should also consider avoiding external traffic to the ports used by memcached (for example 11211 port used by default), and block or rate-limiting UDP or completely disable UDP support if not in use.

Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!