- \n
- 1 What is Memcached?<\/a><\/li>\n
- 2 Memcached distribution<\/a><\/li>\n
- 3 How does Memcached form a DRDoS attack?<\/a><\/li>\n
- 4 Memcached attack characteristics<\/a><\/li>\n<\/ul>\n<\/li>\n
- 3. Memcached Attack Defense Reinforcement Recommendations<\/a>\n
- \n
- 1 Memcached system self-examination recommendations<\/a><\/li>\n
- 2 Memcached attack traffic cleaning<\/a><\/li>\n
- 3 Memcached system protection and reinforcement<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
1.Event Review<\/strong><\/p>\n
According to China Telecom DamDDoS, attack monitoring data show that in as short as 5 days – from Monday to Friday (February 26 to March 2 at 06:00), there have been 79 cases using the Memcached protocol amplification attacks around the world.\u00a0The total daily attack traffic reached 419TBytes.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/03\/111-300x197.png\")
<\/p>\nMemcached Reflection Amplification DDoS Attacks – Day<\/em><\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/03\/112-300x138.png\")
<\/p>\nMemcached Reflection Amplification DDoS Attacks – Total Traffic per Day<\/em><\/p>\n
Among them, there are 68 attacks targeting Memcached in China, with attacks being frequent seen in Jiangsu and Zhejiang provinces.\u00a0The maximum single attack against China peaks 505Gbps.\u00a0The longest attack took place on March 1, lasting 1.2 hours, with a total attack traffic of 103.8TBytes.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/03\/113-300x190.png\")
<\/p>\nMemcached Reflection Amplification DDoS Attacks in Various Provinces in China<\/em><\/p>\n
In terms of impact, all Internet businesses may become targets of Memcached DRDoS attacks.\u00a0Broadband service providers suffer from large traffic attacks, resulting in the outbound bandwidth fully occupied and the normal business not accessible, on the other hand, enterprise internal Memcached systems may be used by criminals and become an accomplice.\u00a0We urge customers in all regions and industries to exercise vigilance and beware of Memcached Reflection attacks that directly impact the server or use the attacks as a cover-up to carry out other types of attacks along to further jeopardize information security.<\/p>\n
2.Attack Analysis<\/strong><\/p>\n
2.1 What is Memcached?<\/p>\n
Memcached is a high-performance caching system for open source distributed memory object and is mainly used to improve the scalability of web applications. It can effectively solve many problems of big data caches and is widely used worldwide.\u00a0Memcached stores small pieces of data based on the key-value of the memory and uses the data to complete database calls, API calls, or page renderings.\u00a0Attackers make use of the key-value function to create a large flow Memcached reflection attacks.\u00a0This will be described later in details.<\/p>\n
2.2 Memcached distribution<\/p>\n
According to the latest statistics, a total of 3,790 Memcached servers are being utilized worldwide to participate in these Memcached reflection amplification attacks.\u00a0These sources of reflection are distributed across 96 countries around the world.\u00a0Among them, the United States accounted for 1\/4 of the world total.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/03\/114-300x238.png\")
<\/a><\/p>\nDistributed Memcached servers in China ranked second, accounting for 12.7%.\u00a0The share of provinces in China is as follows, Guangdong, Beijing and Zhejiang are TOP3.<\/p>\n
The statistics of the NSFOCUS Network Threat Intelligence (NTI) show that there are 104,506 Memcached servers worldwide at risk of being utilized.\u00a0The distribution is as follows:<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/03\/5-300x150.jpg\")
<\/a><\/p>\nSource: NSFOCUS Threat Intelligence Center<\/em><\/p>\n
Geographically, Memcached servers are the most available in the United States, followed by China.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/03\/115-300x165.png\")
<\/a><\/p>\nSource: NSFOCUS Threat Intelligence Center<\/em><\/p>\n
These active Memcached reflectors provide a powerful tool for building super volume DRDoS attacks.\u00a0If no counter measures are taken in time, the number of attacks based on Memcached is expected to continue to increase, with serious consequences.<\/p>\n
2.3 How does Memcached form a DRDoS attack?<\/p>\n
The construction of Memcached reflection attacks is divided into the following three steps:<\/p>\n
1.Collect reflector IP<\/p>\n
Find the open Memcached system through NTI \/ Shodan and other search engines and further obtain the system IP;<\/p>\n
2. Configure the reflector<\/p>\n
Make use of the open Memcached system as a reflector and modify the key-value configuration to achieve large storage capacity for the purpose of constructing a reflection amplification attack;<\/p>\n
3.\u00a0Launch a refletion attack<\/p>\n
The attacker fakes his IP address into the target address and sends a request to the Memcached reflector to read the information Memcached stored in the key-value.\u00a0Memcached responds to the forged source IP upon receipt of the request, creating a reflection.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/03\/116-300x297.png\")
<\/a><\/p>\nMemcached Reflection Attack Diagram<\/em><\/p>\n
When a large number of Memcacheds are utilized simultaneously and reply with the same forged source IP, a heavy traffic DRDoS attack against this forgery source IP(victim) is easily formed.<\/p>\n
2.4 Memcached attack characteristics<\/p>\n
DRDoS (Distributed Reflective Denial-of-Service) is one type of DDoS attacks.\u00a0NSFOCUS has featured in the DDoS Trend Report published in 2015, 2016 and 2017 (report download link\u00a0http:\/\/www.nsfocus.com.cn\/research\/report_3.html<\/a>\u00a0).\u00a0The report clearly points out the popularity and level of harm of reflection attacks through actual use cases and data statistics. The outbreak of Memcached reflection attacks further shows that the heat of DRDoS attacks will continue.<\/p>\n
Prior to this, the major types of DRDoS security vendors detected were mainly SSDP reflection, DNS reflection, NTP reflection.\u00a0The following table (from US-Cert) lists the magnifications for various types of reflection attacks with more details:<\/p>\n
\n\n
\n Protocol<\/strong><\/td>\n Bandwidth Amplification Factor<\/strong><\/td>\n Vulnerable Command<\/strong><\/td>\n<\/tr>\n \n DNS<\/td>\n 28 to 54<\/td>\n see: TA13-088A [4]<\/td>\n<\/tr>\n \n NTP<\/td>\n 556.9<\/td>\n see: TA14-013A [5]<\/td>\n<\/tr>\n \n SNMPv2<\/td>\n 6.3<\/td>\n GetBulk request<\/td>\n<\/tr>\n \n NetBIOS<\/td>\n 3.8<\/td>\n Name resolution<\/td>\n<\/tr>\n \n SSDP<\/td>\n 30.8<\/td>\n SEARCH request<\/td>\n<\/tr>\n \n CharGEN<\/td>\n 358.8<\/td>\n Character generation request<\/td>\n<\/tr>\n \n QOTD<\/td>\n 140.3<\/td>\n Quote request<\/td>\n<\/tr>\n \n BitTorrent<\/td>\n 3.8<\/td>\n File search<\/td>\n<\/tr>\n \n Kad<\/td>\n 16.3<\/td>\n Peer list exchange<\/td>\n<\/tr>\n \n Quake Network Protocol<\/td>\n 63.9<\/td>\n Server info exchange<\/td>\n<\/tr>\n \n Steam Protocol<\/td>\n 5.5<\/td>\n Server info exchange<\/td>\n<\/tr>\n \n Multicast DNS (mDNS)<\/td>\n 2 to 10<\/td>\n Unicast query<\/td>\n<\/tr>\n \n RIPv1<\/td>\n 131.24<\/td>\n Malformed request<\/td>\n<\/tr>\n \n Portmap (RPCbind)<\/td>\n 7 to 28<\/td>\n Malformed request<\/td>\n<\/tr>\n \n LDAP<\/td>\n 46 to 55<\/td>\n Malformed request [6]<\/td>\n<\/tr>\n \n CLDAP<\/td>\n 56 to 70<\/td>\n –<\/td>\n<\/tr>\n \n TFTP<\/td>\n 60<\/td>\n –<\/td>\n<\/tr>\n \n Memcache<\/strong><\/td>\n 10,000 to 51,000<\/strong><\/td>\n –<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n Memcached reflection attacks are much more damaging than just other reflection attacks in terms of magnification, and data provided by US-Cert show that it achieves an astonishing 51,000x magnification.<\/p>\n
How does Memcached achieve this magnification while compared with other reflection attacks?\u00a0One of the important reasons is the key-value function of Memcached.\u00a0As mentioned earlier, the role of key-value is to determine the size of storage capacity, under normal circumstances the value of key-value is usually not more than a few kilobytes.\u00a0When Memcached is exploited by an attacker as a reflector, the value of key-value can be modified to more than 1 million bytes.<\/p>\n
We replicated the whole process of the attack in our laboratory.<\/p>\n
The first step, use the command to modify the key-value parameter on Memcached to raise the magnification.<\/p>\n
send = “set t 0 900 1048501” + “\\ r \\ n” + ‘a’ * 1048501 + “\\ r \\ n”<\/p>\n
socket.sendall (send)<\/p>\n
As tested, the maximum value of key-value is 1048501.<\/p>\n
The second step through the get command to read Memcached storage information, and get back to the target IP.<\/p>\n
get = “\\ x00 \\ x00 \\ x00 \\ x00 \\ x00 \\ x01 \\ x00 \\ x00get t \\ r \\ n”<\/p>\n
socket.sendto (get, (host, 11211))<\/p>\n
The formed attack message is as follows:<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/03\/8-300x111.jpg\")
<\/a><\/p>\nThe minimum size of request packets that trigger a Memcached reflection attack is 15 bytes, including 8 bytes (RFC defined) + 3 bytes (get) +1 (space) + 1 byte minimum (key name) +2 byte (\\ r \\ n), however the request data returns 105 million bytes, in theory, can be enlarged by as close to as 70,000 times.\u00a0The powerfulness of the attack\u2019s amplification capability forms a sharp contrast with other types of DRDoS attacks.<\/p>\n
3.Memcached DDoS Attack Defense Reinforcement Recommendations<\/strong><\/p>\n
3.1 Memcached system self-examination recommendations<\/p>\n
The formation of the attack provides us with a good sample of early warning, security products can detect the key-value configuration of the Memcached system before it is exploited as an attack source to intercept.\u00a0The detection process is as follows:<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/03\/118-300x297.png\")
<\/a><\/p>\n(1) Check the TCP or UDP packets whose destination port is 11211 (ensure that it is a Memcached server).<\/p>\n
(2) Check whether the message comes with a \u201cset\u201d command (set the command format, see Appendix), if so (3), or end the test;<\/p>\n
(3) Check whether the value of the bytes field (the 1048501 marked in the figure below) after the set command exceeds the threshold value. If yes, you can suspect that the packet is abnormal.<\/p>\n
- 2 Memcached attack traffic cleaning<\/a><\/li>\n
- 2 Memcached distribution<\/a><\/li>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/03\/10-300x110.jpg\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/03\/11.jpg\")
<\/a><\/p>\n