'Kill Switch' to Mitigate Memcached DDoS Attacks — Flush 'Em All

Security researchers have discovered a “kill switch” that could help companies protect their websites under massive DDoS attack launched using vulnerable Memcached servers.

Massive Memcached reflection DDoS attacks with an unprecedented amplification factor of 50,000 recently resulted in some of the largest DDoS attacks in history.

To make matter even worse, someone released proof-of-concept (PoC) exploit code for Memcached amplification attack yesterday, making it easier for even script kiddies to launch massive cyber attacks.

Despite multiple warnings, more than 12,000 vulnerable Memcached servers with UDP support enabled are still accessible on the Internet, which could fuel more cyber attacks soon.

However, the good news is that researchers from Corero Network Security found a technique using which DDoS victims can send back a simple command, i.e., “shutdown\r\n”, or “flush_all\r\n”, in a loop to the attacking Memcached servers in order to prevent amplification.

Where, the flush_all command simply flush the content (all keys and their values) stored in the cache, without restarting the Memcached server.

The company said its kill-switch has efficiently been tested on live attacking Memcached servers and found to be 100% effective, and has already been disclosed to national security agencies.

Based on this finding, security researcher Amir Khashayar Mohammadi—who focuses on malware analysis, cryptanalysis, web exploitation, and other cyber attack vectors—has created and released a simple DDoS mitigation tool, dubbed Memfixed, that sends flush or shutdown commands to the vulnerable Memcached servers.

Written in Python, Memfixed automatically obtains a list of vulnerable Memcached servers using Shodan API to trigger shutdown/flush commands.

Stealing Sensitive Data From Memcached Servers

What’s more? Corero Researchers also claimed that the Memcached vulnerability (CVE-2018-1000115) is more extensive than initially reported, and can be exploited beyond leveraging it for a DDoS attack.

Without revealing any technical detail, the company said the Memcached vulnerability could also be exploited by remote attackers to steal or modify data from the vulnerable Memcached servers by issuing a simple debug command.

Dynamic database-driven websites use a Memcached application to improve their performance by caching data and objects in the RAM.

Since Memcached has been designed to be used without logins or passwords, attackers can remotely steal sensitive user data it has cached from its local network or host without requiring any authentication.

The data may include confidential database records, emails, website customer information, API data, Hadoop information and more.

> “By using a simple debug command, hackers can reveal the ‘keys’ to your data and retrieve the owner’s data from the other side of the world,” the company said. “Additionally, it is also possible to maliciously modify the data and re-insert it into the cache without the knowledge of the Memcached owner.”

Server administrators are strongly advised to install the latest Memcached 1.5.6 version which disables UDP protocol by default to prevent amplification/reflection DDoS attacks.