Memcached Flaw Kill Switch Could Foil DDoS-ers

Researchers claim to have discovered a way of mitigating a vulnerability in Memcached servers which is responsible for two of the biggest DDoS attacks ever recorded.

Corero Network Security said it has disclosed the new “kill switch” to the authorities in a bid to lock down the flaw worldwide and prevent more damaging attacks.

The Memcached open source memory caching system is found on over 95,000 servers worldwide, where it caches frequently used web pages to boost access times and performance.

However, it was never meant to be internet accessible, so is not protected by any authentication mechanism. This means hackers can generate spoof requests to amplify DDoS attacks by up to 50,000 times, according to Corero.

This led to a 1.35Tbps attack on GitHub last week and an even bigger one of 1.7Tbps on an unnamed US service provider which Arbor claims to have defended against.

Corero said the same vulnerability can also be exploited “via a simple debug command” to steal any data cached on a targeted server, including confidential database records, website customer information, emails, API data, Hadoop information and more.

Hackers could also maliciously modify the data and reinsert it into the cache without the owner’s knowledge, the firm explained.

The newly discovered “flush_all” counter-measure sends a command to an attacking server to suppress current DDoS exploitation, and invalidates the cache including any potential malicious payload, Corero said.

It has apparently been tested on live attacking servers and found to be 100% effective with no collateral damage caused.

“Memcached represents a new chapter in DDoS attack executions. Previously, the most recent record-breaking attacks were being orchestrated from relatively low bandwidth Internet of Things (IoT) devices,” said Corero Network Security CEO, Ashley Stephenson.

“In contrast, these Memcached servers are typically connected to higher bandwidth networks and, as a result of high amplification factors, are delivering data avalanches to crippling effect. Unless operators of Memcached servers take action, these attacks will continue.”

What’s Hot on Infosecurity Magazine?