Web security and caching giant Cloudflare has announced the detection of a flaw in the Memcached object caching system, a popular method of boosting database performance, which is being actively exploited to power distributed denial of service (DDoS) attacks.
An open source project, Memcached is designed to boost the performance of web sites and services by reducing load on the underlying database. Originally built by Brad Fitzpatrick to boost the performance of blogging service LiveJournal, Memcached's ability to share cache between servers has made it an extremely popular tool in webmasters' arsenals - but that very popularity means that any security flaw discovered in it proves extremely serious, as with the amplification attack which has been found to be powering DDoS attacks in the last few days.
'Obscure amplification attacks happen all the time. We often see "chargen" or "call of duty" packets hitting our servers,' explains Cloudflare's Marek Majkowski in the company's announcement of the flaw. 'A discovery of a new amplification vector though, allowing very great amplification, happens rarely. This new memcached UDP DDoS is definitely in this category.
'Launching such an attack is easy. First the attacker implants a large payload on an exposed memcached server. Then, the attacker spoofs the "get" request message with target Source IP. 15 bytes of request triggered 134KB of response. This is an amplification factor of 10,000x! In practice we've seen a 15 byte request result in a 750kB response (that's a 51,200x amplification).'
While Cloudflare reports that it has seen 5,729 servers acting as sources of amplified DDoS traffic since discovering the attack vector, it warns that more are likely to come: popular vulnerability search engine Shodan reports at least 88,000 publicly accessible Memcached servers which could be used to carry out amplified DDoS attacks.
System administrators with Memcached servers are advised to disable UDP support altogether, or at least to stop it listening on all IP addresses, and to use a firewall to prevent memcached from being publicly accessed. Majkowski, meanwhile, has another request of developers: 'Please please please: Stop using UDP. If you must, please don't enable it by default. If you do not know what an amplification attack is I hereby forbid you from ever typing SOCK_DGRAM into your editor.
'We've been down this road so many times. DNS, NTP, Chargen, SSDP and now memcached. If you use UDP, you must always respond with strictly a smaller packet size than the request. Otherwise your protocol will be abused. Also remember that people do forget to set up a firewall. Be a nice citizen. Don't invent a UDP-based protocol that lacks authentication of any kind.'
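The two mitigations above (switch UDP off, stop binding to every interface) map onto memcached's own `-U`/`--udp-port` and `-l`/`--listen` options, where `-U 0` disables the UDP listener and a missing `-l` means the daemon binds all interfaces. The following audit script is an added example, not Cloudflare's or the memcached project's code: it inspects a memcached launch line as a string and reports which of the article's mitigations are missing, without connecting to any server. The sample launch lines and the function names are constructed for illustration.

```python
"""Audit a memcached launch line for the mitigations the article recommends:
UDP disabled (-U 0 / --udp-port=0) and a listen address that is not the wildcard
(-l / --listen). Added example, not Cloudflare's or the memcached project's code;
it only inspects a command-line string and never talks to a server."""
import shlex
from typing import Dict, List, Optional

WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}  # values that mean "every interface"


def _option_value(tokens: List[str], short: str, long: str) -> Optional[str]:
    """Value of a getopt-style option given as '-U 0', '-U0' or '--udp-port=0'.
    The last occurrence wins, matching how repeated options are parsed."""
    value = None
    for i, tok in enumerate(tokens):
        if tok == short and i + 1 < len(tokens):
            value = tokens[i + 1]
        elif tok.startswith(short) and not tok.startswith("--") and len(tok) > len(short):
            value = tok[len(short):]
        elif tok.startswith(long + "="):
            value = tok[len(long) + 1:]
    return value


def _is_wildcard(addr: str) -> bool:
    """True for 0.0.0.0, ::, * (optionally with a :port suffix)."""
    addr = addr.strip()
    if addr in WILDCARD_ADDRS:
        return True
    return addr.startswith("0.0.0.0:") or addr.startswith("[::]:") or addr == "[::]"


def audit_memcached_cmdline(cmdline: str) -> Dict[str, object]:
    """Return the UDP and bind posture of one memcached command line plus findings."""
    tokens = shlex.split(cmdline)
    udp_port = _option_value(tokens, "-U", "--udp-port")
    listen = _option_value(tokens, "-l", "--listen")

    # On the builds the article concerns, UDP on 11211 was the default, so an
    # absent -U counts as enabled; only an explicit 0 switches the listener off.
    udp_enabled = udp_port is None or udp_port.strip() != "0"
    # With no -l memcached binds INADDR_ANY, i.e. every interface.
    listen_addrs = ["0.0.0.0"] if listen is None else listen.split(",")
    public_bind = any(_is_wildcard(a) for a in listen_addrs)

    findings = []
    if udp_enabled:
        findings.append("UDP listener enabled: add '-U 0' unless UDP is genuinely required")
    if public_bind:
        findings.append("bound to all interfaces: restrict with '-l <internal address>' "
                        "and firewall port 11211")
    return {"udp_enabled": udp_enabled, "listen": listen_addrs,
            "public_bind": public_bind, "findings": findings}


if __name__ == "__main__":
    # Constructed sample launch lines: a typical pre-hardening invocation and a hardened one.
    for line in ("memcached -m 64 -p 11211 -u memcache",
                 "memcached -m 64 -p 11211 -u memcache -U 0 -l 127.0.0.1"):
        print(line, "->", audit_memcached_cmdline(line)["findings"] or ["ok"])
```

The same check can be pointed at the argument lines of a Debian-style `/etc/memcached.conf` by joining them into one string first; the two findings correspond one-to-one with the article's advice, and a clean report still leaves the firewall rule to be verified separately.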
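Majkowski's rule that a UDP service must answer with strictly fewer bytes than it received gives a network defender a direct detection signal: the ratio of response size to request size per UDP exchange. The script below is an added example, not Cloudflare's code, showing that ratio computed over constructed exchange records (including the article's 15-byte request and 750 kB reply) and flagging exchanges on memcached's port 11211 that exceed a threshold; the record layout, sample addresses (RFC 5737 documentation ranges) and function names are all assumptions made for the example.

```python
"""Flag UDP exchanges whose response dwarfs the request, the pattern the article
describes for memcached (15-byte request, 750 kB reply). Added example, not
Cloudflare's code; the exchange records are constructed, not captured traffic."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MEMCACHED_PORT = 11211


@dataclass(frozen=True)
class UdpExchange:
    claimed_client: str   # source address on the request; spoofable, so in an attack it is the victim
    server: str
    server_port: int
    request_bytes: int
    response_bytes: int


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes sent back per byte received; a well-behaved UDP protocol keeps this below 1."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def flag_amplification(exchanges: List[UdpExchange], threshold: float = 10.0,
                       port: int = MEMCACHED_PORT) -> List[Tuple[UdpExchange, float]]:
    """Return (exchange, factor) pairs for exchanges on `port` at or above `threshold`."""
    flagged = []
    for ex in exchanges:
        if ex.server_port != port:
            continue
        factor = amplification_factor(ex.request_bytes, ex.response_bytes)
        if factor >= threshold:
            flagged.append((ex, factor))
    return flagged


def reflected_bytes_by_target(flagged: List[Tuple[UdpExchange, float]]) -> Dict[str, int]:
    """Total response bytes per claimed client: the volume each spoofed address absorbs."""
    totals: Dict[str, int] = {}
    for ex, _ in flagged:
        totals[ex.claimed_client] = totals.get(ex.claimed_client, 0) + ex.response_bytes
    return totals


# Constructed sample using RFC 5737 documentation addresses, not captured traffic.
SAMPLE_EXCHANGES = [
    UdpExchange("203.0.113.10", "198.51.100.7", 11211, 15, 768_000),   # the article's 750 kB reply
    UdpExchange("203.0.113.10", "198.51.100.9", 11211, 15, 137_216),   # the article's 134 KB reply
    UdpExchange("198.51.100.20", "198.51.100.7", 11211, 60, 40),       # ordinary small reply
    UdpExchange("198.51.100.21", "198.51.100.7", 53, 64, 512),         # DNS, outside this port filter
]


if __name__ == "__main__":
    hits = flag_amplification(SAMPLE_EXCHANGES)
    for ex, factor in hits:
        print(f"{ex.server}:{ex.server_port} -> {ex.claimed_client}: {factor:,.0f}x")
    print(reflected_bytes_by_target(hits))
```

Run over flow records exported at a network edge, the same two functions answer the two questions an operator asks during such an incident: which internal memcached instances are reflecting, and which external address is absorbing the amplified volume. The port filter is deliberate; lifting it (or passing `port=53`) turns the same logic into a check for the other UDP services the article names.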