Corero Reveals 'Kill-Switch' To Suppress Memcached DDoS Attacks

Network security firm Corero revealed that it discovered a “kill-switch” that can suppress memcached attacks in seconds. The company also revealed that memcached attacks can not only disrupt services, but also steal server data.

Memcached Kill-Switch

Corero is no stranger to DDoS amplification attacks. Last year, the company was among the first to warn about impending terabit per second (Tb/s) and even tens of Tb/s DDoS amplification attacks that we would be seeing soon. Over the past two weeks we’ve already seen DDoS attacks using the memcached amplification technique that keep breaking record after record in terms of how powerful they are.

Ashley Stephenson, CEO at Corero Network Security, said:

Memcached represents a new chapter in DDoS attack executions. Previously, the most recent record-breaking attacks were being orchestrated from relatively low bandwidth Internet of Things (IoT) devices. In contrast, these Memcached servers are typically connected to higher bandwidth networks and, as a result of high amplification factors, are delivering data avalanches to crippling effect. Unless operators of Memcached servers take action, these attacks will continue.

This week, Corero was able to discover an effective “kill-switch” against the memcached vulnerability that sends a command back to the attacker, thus suppressing the attack.

The “flush all” countermeasure that Corero tested to suppress memcached attacks invalidates a vulnerable server’s cache, including the malicious payload that was planted there by the attackers. According to the company, this solution is 100% effective against live attacking servers and doesn’t seem to cause any collateral damage.

There is one potential issue with this solution and that is that flushing out the servers’ caches means the memcached system no longer does what it’s supposed to do: cache web page content to improve loading speed. However, when a company’s servers are under a Tb/s DDoS attack, flushing out the cache once, until it can chase the attacker out and disable the UDP ports, seems like a small price to pay.

Memcached Attacks Stealing Data

When companies are under a memcached DDoS attack, having their service disrupted may be the least of their worries. According to Corero, the attacks should also be able to steal server data:

Any Memcached server that can be forced into participating in a DDoS attack towards the Internet can also be coaxed into divulging user data it has cached from its local network or host. This may include confidential database records, website customer information, emails, API data, Hadoop information and more.

The reason for this is that memcached doesn’t use any authentication mechanism, which is why the attacks exploiting it are possible in the first place. Any data that a web company adds to to a vulnerable memcached server can be stolen by the attackers because there is no login, password, or audit trail. Malicious actors can reveal the keys to the server’s data and retrieve that information from anywhere in the world.

Corero blamed this problem on operating systems and cloud service providers that offer memcached solutions without adequate security defaults. As we’ve seen with Amazon’s AWS service multiple times in the past, the wrong configuration can often lead to millions of peoples’ data being exposed to the public internet.

Stephenson added:

While this blatant lapse of security is relatively clear to the accomplished security practitioner or hacker, it is not known to the increasingly business-oriented, non-technical user who is clicking a button to set up a new server in the cloud. There are dozens of US-CERT CVE and obscure security warnings related to Memcached but few of them address the clearly obvious issue of leaving the front door open on the internet for anyone to come in and take your data.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.