THE MEMCACHED REFLECTION ATTACK
A massive DDoS attack knocked GitHub offline on Wednesday, February 28, 2018. At its peak, the GitHub platform received 1.35 Tbps of traffic at 126.9 million packets per second. The attackers weaponized exposed Memcached servers to amplify the attack. The incident lasted fewer than 10 minutes and originated from a multitude of distinct endpoints. GitHub automatically called on Akamai Prolexic for assistance, which rerouted all traffic into and out of GitHub. Days after the incident, the same technique was used against the website of an unnamed US-based customer, with the attack reaching 1.7 Tbps.
DDoS attacks have become a significant threat to production servers. They attempt to overwhelm a target server, service or network with bogus traffic. A DDoS attack never tries to break your security controls; instead it floods the target with traffic and makes websites and servers unavailable to legitimate users. The latest technique for amplifying DDoS attacks abuses misconfigured Memcached servers.
Memcached is an easily deployable, general-purpose distributed memory caching system intended to speed up dynamic web applications. It works by temporarily storing information retrieved from the database in memory; subsequent requests for the same information are served quickly without disturbing the backend database. The core of the issue is that Memcached servers have their UDP port open by default. UDP is connectionless and performs no verification of the source address of a datagram, so it is vulnerable to source address spoofing. The issue has been assigned the identifier CVE-2018-1000115.
IDEA BEHIND THE ATTACK
The principle behind the amplification attack is simple. The attacker sends forged requests, carrying the victim's address as the source, to a vulnerable UDP server. The server, not knowing the requests are forged, sends its responses to the victim's network. The problem arises when thousands of such responses are delivered to the target host at once: they will crash the target server, service or network.
CHECK WHETHER WE ARE SAFE
We can check whether our server is vulnerable in the following ways:
1. Run the following command on the server.
$ echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211
STAT pid 8269
STAT uptime 289
STAT time 1524727053
If the output is a non-empty response (like the one above), the UDP listener is enabled and our server is vulnerable.
2. Telnet to port 11211 of your server from outside the network.
$ telnet IP/Hostname 11211
If the response shows "Connected to IP/Hostname", port 11211 is reachable from outside and our server is vulnerable.
SECURING MEMCACHED
We can secure the Memcached servers by blocking UDP port 11211 and adjusting the Memcached configuration parameters.
1. Use a firewall policy to block UDP port 11211 and ensure that the Memcached server is not reachable from outside.
2. Adjust the service parameters in the Memcached configuration file:
$ vi /etc/sysconfig/memcached
Add the option "-l 127.0.0.1" to bind Memcached to the local loopback interface only.
Also disable the UDP listener by adding the option "-U 0".