‘Kill switch’ counters the memcached vulnerability

A newly discovered “kill switch” effectively counters the memcached vulnerability that led recently to massive DDoS attacks at specific targets including national security agencies, reports Corero Network Security.

The open-source memory caching system is more vulnerable than originally thought: according to Corero researchers, some 95,000 servers worldwide expose TCP or UDP port 11211 to the Internet, giving attackers a potential playground to pilfer or alter data. A global list of vulnerable servers is available here. Last week such an attack overwhelmed GitHub, among other targets, and flooded service providers, degrading service availability.

The countermeasure benignly “suppresses” a memcached DDoS attack threat, while leaving compromised servers online, says Corero, which disclosed the fix to national security agencies, as well as its customers.

“The ‘flush_all’ command has always been available in memcached,” explains Corero CEO Ashley Stephenson. “What Corero discovered was the possibility of using it to defeat this DDoS exploit,” he adds.

Corero published the “kill switch” information so that anyone can take advantage of the technique, which the Marlborough, Mass.-based real-time DDoS protection firm has also added to its own toolbox.

Kill switch is a generic term; in this context it describes using an already available memcached command to quench a DDoS attack. Corero says its SmartWall can issue the kill switch command in response to an incoming memcached attack.

Corero researchers tested the quench packet on live servers, and the fix appears to be 100 percent effective without causing any collateral damage.

Memcached, which stores data in RAM to speed up access times, was not originally designed to be accessible from the Internet, and access does not require authentication. The exploit lets attackers send spoofed requests and amplify DDoS traffic by up to 50,000 times, creating an unprecedented flood of attack traffic.

Such servers typically sit on higher-bandwidth networks, unlike the relatively low-bandwidth IoT (Internet of Things) devices abused in earlier attacks. Because of the high amplification factor, recent attacks using memcached exploits have delivered crippling data avalanches. Using a simple debug command, attackers anywhere in the world can reveal the keys to cached data and retrieve coveted database records, which may also be maliciously modified and reinserted into the cache without the knowledge of the memcached server owner.
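The amplification pattern described above (tiny spoofed UDP requests to port 11211, huge replies to the spoofed source) is what a network operator would look for in flow records. The following detector is an added example written for this article, not code from Corero or the memcached project; the flow-line format, the sample flows and the 100x alert threshold are all constructed assumptions.

```python
"""Flag memcached (UDP/11211) amplification in constructed flow records."""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211
AMPLIFICATION_ALERT = 100.0  # assumed threshold: reply bytes / request bytes


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed line: 'udp 198.51.100.7:45000 -> 203.0.113.9:11211 15'."""
    proto, src, _, dst, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(proto, sip, int(sport), dip, int(dport), int(nbytes))


def memcached_amplification(flows):
    """Return {(victim, server): ratio} where UDP replies from 11211 dwarf the requests.

    With spoofed requests the 'client' address is the victim, so the key pairs
    the (spoofed) source of the request with the memcached server that answered.
    """
    req = defaultdict(int)   # (client, server) -> bytes sent to port 11211
    resp = defaultdict(int)  # (client, server) -> bytes sent from port 11211
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == MEMCACHED_PORT:
            req[(f.src, f.dst)] += f.nbytes
        elif f.sport == MEMCACHED_PORT:
            resp[(f.dst, f.src)] += f.nbytes
    return {k: out / max(req.get(k, 0), 1) for k, out in resp.items()
            if out / max(req.get(k, 0), 1) >= AMPLIFICATION_ALERT}


SAMPLE_FLOWS = """\
udp 198.51.100.7:45000 -> 203.0.113.9:11211 15
udp 203.0.113.9:11211 -> 198.51.100.7:45000 750000
udp 203.0.113.9:11211 -> 198.51.100.7:45000 750000
tcp 192.0.2.5:51234 -> 203.0.113.9:11211 40
tcp 203.0.113.9:11211 -> 192.0.2.5:51234 120
udp 192.0.2.8:4000 -> 203.0.113.9:11211 60
udp 203.0.113.9:11211 -> 192.0.2.8:4000 200
""".splitlines()  # constructed sample: one 100000x amplified victim, one benign client

if __name__ == "__main__":
    for (victim, server), ratio in memcached_amplification(map(parse_flow, SAMPLE_FLOWS)).items():
        print(f"possible memcached amplification: {server} -> {victim} ({ratio:.0f}x)")
```

The same logic applies to NetFlow/sFlow exports; the benign 192.0.2.8 exchange (about 3x) stays below the threshold while the spoofed 198.51.100.7 victim is flagged.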

“Unless operators of memcached servers take action (i.e., deploy the kill switch), these attacks will continue,” Stephenson predicts. “Ironically, the memcached utility was intended to cache frequently-used web pages and data to boost legitimate performance. But this utility has now been weaponized to exploit its performance boosting potential for illegitimate purposes.”
