Memcached DDoS: This 'kill switch' can stop attacks dead in their tracks

Researchers find a technique to contain the memcached amplification attacks seen over the past week.
Written by Liam Tung, Contributing Writer

The 1Tbps-plus memcached amplification attacks that hammered GitHub and other networks over the past week can be disarmed with a "practical kill switch", according to DDoS protection firm Corero.

The potency of the attacks is due to memcached servers amplifying a target's spoofed IP address requests by a factor of 50,000.

The attackers are sending forged UDP protocol packets to UDP-enabled memcached servers that are open on the internet, which in response send many more UDP packets to the target.
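The reflection pattern described above, as an added detection example that is not from the article or from Corero: it runs over flow records (NetFlow/sFlow-style CSV, a layout assumed here) to find destinations being flooded from UDP source port 11211, list the exposed reflectors involved, and estimate the response-to-request byte ratio. The flow lines and the byte threshold are constructed for the example.

```python
import csv
import io
from collections import defaultdict

MEMCACHED_PORT = 11211
# Bytes per export window above which a destination counts as flooded
# (assumed value; tune to the size of the link you are protecting).
FLOOD_BYTES = 1_000_000
# Constructed sample export: three reflectors hitting 203.0.113.10, a DNS
# reply, a TCP memcached flow (not reflectable) and one tiny spoofed request.
SAMPLE_FLOWS = """\
proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
udp,198.51.100.7,11211,203.0.113.10,51234,4000,5600000
udp,198.51.100.8,11211,203.0.113.10,51234,3500,4900000
udp,198.51.100.9,11211,203.0.113.10,51234,120,168000
udp,192.0.2.5,53,203.0.113.10,40000,10,6000
tcp,192.0.2.6,11211,10.0.0.4,45000,20,3000
udp,203.0.113.10,51234,198.51.100.7,11211,10,150
"""

def parse_flows(text):
    """Parse CSV flow records; ports and counters become ints."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("src_port", "dst_port", "packets", "bytes"):
            row[key] = int(row[key])
        rows.append(row)
    return rows

def memcached_floods(flows, threshold=FLOOD_BYTES):
    """Map each flooded victim to bytes received, reflector IPs and response/request
    ratio. Only UDP from port 11211 counts: TCP's handshake defeats spoofing."""
    resp_bytes, req_bytes = defaultdict(int), defaultdict(int)
    reflectors = defaultdict(set)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["src_port"] == MEMCACHED_PORT:
            resp_bytes[f["dst_ip"]] += f["bytes"]
            reflectors[f["dst_ip"]].add(f["src_ip"])
        elif f["dst_port"] == MEMCACHED_PORT:
            # The spoofed trigger: a request that appears to come from the victim.
            req_bytes[f["src_ip"]] += f["bytes"]
    floods = {}
    for victim, total in resp_bytes.items():
        if total >= threshold:
            ratio = total // req_bytes[victim] if req_bytes[victim] else None
            floods[victim] = {"bytes": total, "ratio": ratio,
                              "reflectors": sorted(reflectors[victim])}
    return floods
```

The reflector list is the actionable output for a defender: those are the exposed servers to filter at the edge or report to their operators for patching.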

Corero says its kill switch sends a 'flush_all' command to the attacking server, which suppresses the flood of traffic by invalidating the vulnerable memcached server's cache.

The company says it's tested it on real attacking servers and that it "appears to be 100 percent effective".

The memcached issue has now been assigned the identifier CVE-2018-1000115, which identifies memcached version 1.5.5 as having an "Insufficient control of Network Message Volume vulnerability in the UDP support of the memcached server that can result in denial of service via network flood".

Memcached servers should be updated to version 1.5.6, released by memcached developers in the wake of the amplification attacks. The updated version disables the UDP protocol by default, meaning it needs to be explicitly enabled.

The update also blunts a pre-configured memcached attack tool, posted on GitHub and Pastebin, that lets anyone send forged UDP packets to several thousand memcached servers identified through the Shodan search engine.


Public alarm over the massive DDoS attacks appears to have had a positive effect on efforts to shut down memcached abuse.

Before GitHub's attack, Rapid7's Project Sonar internet scanner detected nearly 140,000 open memcached devices. However, as of March 1, this has dropped to 58,000. Exposed memcached servers with UDP enabled have also fallen from 18,000 on March 1 to under 12,000 on March 5.

However, Rapid7 notes that thousands of exposed memcached servers are still running various versions released over the past decade that are "riddled" with vulnerabilities, including remote code execution flaws that could allow them to be used as part of a botnet.
