Memcached amplification DDoS: a 2018 threat
0 likes150 views
This document summarizes the memcached amplification attack vulnerability. Memcached is an in-memory caching system that listens on port 11211 by default. It does not require authentication. An attacker can send a small request to a vulnerable memcached server to retrieve a large value multiple times, amplifying the response data sent. This allows the server to be used in reflection DDoS attacks. The theoretical amplification factor is millions but in practice is around 9000-10000x, making it a potent attack vector. Mitigation involves filtering port 11211/udp at the network level. Current memcached attacks range from 200-500Gbps but could reach 1.5Tbps.
![import memcache
m = memcache.Client([
‘reflector.example.com:11211’
])
m.set(’a’, value)
– to inject a value of an
arbitrary size under key “a”](https://image.slidesharecdn.com/memcachedapricot-180307005622/85/Memcached-amplification-DDoS-a-2018-threat-10-320.jpg)
Memcached amplification DDoS: a 2018 threat
- 1. Memcached amplification Artyom Gavrichenkov <ag@qrator.net>
- 2. 2 300 Mbps 30 Gbps Typical amplification attack A vulnerable server • Most servers on the Internet send more data to a client than they receive • UDP-based servers generally do not verify the source IP address • This allows for amplification DDoS
- 3. • NTP • DNS • SNMP • SSDP • ICMP • NetBIOS 3 • RIPv1 • PORTMAP • CHARGEN • QOTD • Quake • … Vulnerable protocols
- 6. memcached •A fast in-memory cache •Heavily used in Web development
- 7. memcached •A fast in-memory cache •Heavily used in Web development •Listens on all interfaces, port 11211, by default
- 8. memcached •Basic ASCII protocol doesn’t do authentication •2014, Blackhat USA: “An attacker can inject arbitrary data into memory”
- 9. memcached •Basic ASCII protocol doesn’t do authentication •2014, Blackhat USA: “An attacker can inject arbitrary data into memory” •2017, Power of Community: “An attacker can send data from memory to a third party via spoofing victim’s IP address”
- 10. import memcache m = memcache.Client([ ‘reflector.example.com:11211’ ]) m.set(’a’, value) – to inject a value of an arbitrary size under key “a”
- 11. print ’0x01000x0100gets arn’ – to retrieve a value
- 12. print ’0x01000x0100gets a a a a arn’ – to retrieve a value 5 times
- 13. print ’0x01000x0100gets a a a a arn’ – to retrieve a value 5 times. Or 10 times. Or a hundred.
- 14. memcached •Theoretical amplification factor is millions
- 15. memcached •Theoretical amplification factor is billions •Fortunately, all the packets aren’t sent at once •In practice, the amplification factor is 9000-10000 •Still 20 times the NTP Amplification does. •Current incidents range between 200 and 500 Gbps •Up to 1,5 Tbps can be expected
- 16. Mitigation •Again, BCP 38. •Make sure you don’t have open memcached port 11211/udp on your network •Use firewalls or FlowSpec to filter 11211/udp
- 17. Mitigation •Again, BCP 38. •Make sure you don’t have open memcached port 11211/udp on your network •Use firewalls or FlowSpec to filter 11211/udp •More news as events warrant
- 18. Q&A mailto: Artyom Gavrichenkov <ag@qrator.net> https://medium.com/@qratorlabs/