
What is A Memcached DDoS attack and How to Mitigate It


On February 28, 2018, GitHub, one of the largest software development and version control platforms, was hit by a record-breaking DDoS attack that peaked at over 1.3 Tbps.

The attack was identified as a new type of amplification DDoS technique that abuses the Memcached protocol, hence the name Memcached (pronounced “mem-cash-dee”) DDoS attack.

Just four days after the attack on GitHub, Arbor Networks, a security firm based in Burlington, US, revealed that one of its customers was hit by the same type of Memcached DDoS attack, this one peaking at a massive 1.7 Tbps and setting a new record in DDoS history. Since then, Memcached amplification has become a trending cyber-security topic.

Memcached is a free and open-source distributed memory caching system designed to speed up dynamic web applications by reducing database load.

How does a Memcached DDoS attack work?

A Memcached DDoS attack is an amplification attack, so a botnet of zombie computers is not needed to generate the volume of traffic required to bring down the intended network. The attacker sends a request over TCP or UDP to exposed Memcached servers on port 11211 with the source IP address spoofed to that of the victim. The request is only a few bytes, but the response can be tens of thousands of times larger, and it is delivered to the victim rather than the attacker, which is what makes it an amplification (reflection) attack.

According to the researchers, this technique can give attackers an amplification factor of 51,200. Because Memcached was designed to be used without logins or passwords, attackers can also read sensitive cached user data remotely, or store their own data on the server, without any authentication.
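As an added example (not code from the original post), the following script applies the amplification pattern described above to flow records: for each UDP exchange involving port 11211 it compares the bytes sent to the Memcached server with the bytes the server sent back, and flags pairs whose reply/request ratio is implausibly high. The flow records and addresses are constructed, and the CSV field layout is an assumption, not any particular collector's export format.

```python
"""Flag Memcached amplification/reflection traffic in flow records.

Assumed record layout (constructed, not a real collector format):
proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
"""
from collections import defaultdict

MEMCACHED_PORT = 11211
# A legitimate "get" returns a modest reply; a reply volume tens of
# thousands of times the request volume points at reflected amplification.
AMPLIFICATION_THRESHOLD = 50

# Constructed sample: one spoofed-victim exchange, one normal lookup, one TCP flow.
SAMPLE_FLOWS = """\
udp,203.0.113.10,51234,198.51.100.5,11211,1,15
udp,198.51.100.5,11211,203.0.113.10,51234,700,1000000
udp,192.0.2.77,40000,198.51.100.5,11211,3,120
udp,198.51.100.5,11211,192.0.2.77,40000,3,400
tcp,192.0.2.8,44000,198.51.100.5,11211,10,800
""".splitlines()

def parse_flow(line):
    proto, sip, sport, dip, dport, pkts, byts = line.strip().split(",")
    return {"proto": proto, "src": sip, "sport": int(sport), "dst": dip,
            "dport": int(dport), "packets": int(pkts), "bytes": int(byts)}

def find_amplification(lines, threshold=AMPLIFICATION_THRESHOLD):
    """Return {(server, client): ratio} for UDP 11211 exchanges whose reply
    bytes exceed request bytes by more than `threshold`. In an attack the
    'client' address is the spoofed victim, not the real sender."""
    req = defaultdict(int)   # bytes towards the server, keyed (server, client)
    resp = defaultdict(int)  # bytes from the server, keyed (server, client)
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "udp":
            continue  # reflection needs spoofable UDP; TCP requires a handshake
        if f["dport"] == MEMCACHED_PORT:
            req[(f["dst"], f["src"])] += f["bytes"]
        elif f["sport"] == MEMCACHED_PORT:
            resp[(f["src"], f["dst"])] += f["bytes"]
    suspicious = {}
    for key, out_bytes in resp.items():
        in_bytes = req.get(key, 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio > threshold:
            suspicious[key] = ratio
    return suspicious

if __name__ == "__main__":
    for (server, client), ratio in find_amplification(SAMPLE_FLOWS).items():
        print(f"{server} -> {client}: amplification x{ratio:,.0f}")
```

On the constructed sample only the first pair is flagged, with a ratio of roughly 66,667; the normal lookup (400 bytes back for 120 sent) stays well under the threshold.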

Then, just a week ago, three different proof-of-concept (PoC) exploit codes were released online. This simply means that we will be seeing massive DDoS disruptions this year, and it has already started.

One of the PoC exploits relies on the Shodan search engine API to obtain a list of vulnerable Memcached servers via a Python script named “Memcrashed.py”, which then lets the user target those servers. The second exploit is written in C and uses a static list of vulnerable Memcached servers. The third PoC was posted on Twitter by @the_ens.

In a recent finding, the Chinese DDoS monitoring company DDoSMon (run by Netlab) reported that cybercriminals launched nearly 15,000 attacks against 7,131 unique targets in the last ten days; Netlab has also published a blog post with statistics on the victims and sources of Memcached attacks.

Netlab’s security researchers said that they had first seen the Memcached DDoS technique in June 2017, but little activity followed until February 24, 2018, the day Memcached DDoS attack footprints first became active in volume. Before that date the daily average was fewer than 50 attacks. Between March 1 and March 8, the total jumped to more than 13,000 attacks, an average of 1,628 DDoS events per day.

Memcached DDoS Extortion via Ransom

As we mentioned in our blog post last year, bundling DDoS capabilities with a ransomware variant is one of the newer tactics of cyber attackers. Our prediction came true: hackers are now actively using modified DD4BC techniques to target organizations.

Recently, the well-known security blogger (and Mirai DDoS victim) Brian Krebs noted in his latest blog post that hackers are embedding a short ransom note and payment address in the junk traffic they send to Memcached services. Cybereason, a Boston-based security company that has been closely tracking these Memcached attacks, revealed that it has seen attack payloads consisting of little more than a ransom note requesting payment of 50 XMR (the Monero cryptocurrency) to a specific Monero address. In these attacks, Cybereason found, the payment request is repeated until the payload reaches approximately one megabyte in size.

Memcached DDoS Mitigation / Preventative Measures:

To prevent Memcached servers from being exploited in these attacks, we recommend the following actions:

– Remove Memcached servers from publicly accessible networks.

– If servers must be on publicly accessible networks, do not use the UDP listener (disabled by default in the latest version).

– Implement source address validation, per BCP 38 and BCP 84 (Best Current Practice), so spoofed packets are dropped at the network edge.

– Implement authentication controls on any server responding to public requests.

– Block unauthorized ingress access to UDP port 11211.

– Install the latest Memcached version, which disables the UDP protocol by default to prevent amplification/reflection DDoS attacks.
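To make the UDP and exposure items in the list above checkable, here is an added example (not from the original post or the Memcached project) that audits a memcached start-up command line. It assumes memcached’s real `-U` (UDP port), `-l` (listen address) and `-p` (TCP port) options; the two sample command lines are constructed, and the audit only reads the string, so it runs without memcached installed.

```python
"""Audit a memcached command line for settings that make it usable as a
DDoS reflector: a UDP listener and binding to every interface."""
import shlex

def parse_options(cmdline):
    """Return {flag: value} for memcached's single-letter options.
    Flags without a following value (e.g. -d) map to None."""
    args = shlex.split(cmdline)
    opts = {}
    i = 1  # skip the program name
    while i < len(args):
        tok = args[i]
        if tok.startswith("-") and len(tok) == 2:
            nxt = args[i + 1] if i + 1 < len(args) else None
            val = nxt if nxt is not None and not nxt.startswith("-") else None
            opts[tok] = val
            i += 2 if val is not None else 1
        else:
            i += 1
    return opts

def audit(cmdline):
    """Return a list of findings; an empty list means both checks pass."""
    opts = parse_options(cmdline)
    findings = []
    # Older releases listen on UDP 11211 unless -U 0 is given explicitly;
    # newer releases disable UDP by default, but stating -U 0 is still safest.
    udp_port = opts.get("-U")
    if udp_port is None:
        findings.append("UDP port not explicitly disabled; pass -U 0")
    elif udp_port != "0":
        findings.append(f"UDP listener enabled on port {udp_port}; use -U 0")
    # Without -l (or with a wildcard) memcached accepts connections from anywhere.
    bind = opts.get("-l")
    if bind is None or bind in ("0.0.0.0", "::"):
        findings.append("bound to all interfaces; use -l 127.0.0.1 or an internal address")
    return findings

# Constructed examples: the exposed configuration beside the hardened one.
WEAK = "memcached -m 64 -p 11211 -U 11211 -u memcache"
HARDENED = "memcached -m 64 -p 11211 -U 0 -l 127.0.0.1 -u memcache"

if __name__ == "__main__":
    for label, cmd in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cmd) or "OK")
```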

As organizations large and small adopt vulnerable technologies, knowingly or unknowingly, it is important to think through the security requirements. One of the best options for protecting internet-facing applications is to deploy a comprehensive DDoS mitigation solution.

The post What is A Memcached DDoS attack and How to Mitigate It appeared first on haltDos Blog - WAF | DDoS Mitigation | Load Balancing.