Malware Writers Use Memcached Servers to Amplify DDoS Attacks
Insider threats aren’t only deliberate attacks launched from inside your network. Some of the risk comes from servers your own staff set up carelessly or failed to keep up to date, and that kind of negligence can do massive damage: data leaks, and your servers being drafted into a botnet that attacks other sites. A recent example is memcached. Publicly released attack code lets anyone turn an internet-exposed memcached server into a reflector that amplifies DDoS traffic, and because so many sites run memcached for page caching, the technique has already produced a record-breaking 1.7 Tbps attack.
Your Server Could Be Used to Damage Other Sites
Most businesses have IT staff defending against threats both inside and outside the network, but many attackers are not after your data at all; they only want your resources to damage another brand. It isn’t espionage in the usual sense, since nothing is taken from you, but the result is that your business server is abused as part of a massive reflector botnet that interrupts service for another business. The repercussions can still cost you money in cleanup, in bandwidth bills, and in possible lawsuits.
Memcached is an open-source, in-memory key-value cache that many hosting providers install on their servers. It keeps frequently requested content in RAM, which is an extremely fast way to serve it, and it is especially useful for sites that are losing visitors to slow page loads under heavy server load.
Like any other network service, memcached must be configured properly or it becomes a liability; it has no authentication and was never designed to be reachable from the public internet. The attack works like this: the attacker scans for servers that answer on UDP port 11211, then sends them small requests whose source IP address in the packet header is forged to be the victim’s. Each server dutifully sends its reply, which can be thousands of times larger than the request, to that forged address instead of back to the attacker. UDP makes this possible because there is no handshake to prove the sender’s address is real. Measured amplification reached roughly 51,000 times the request size, far beyond older reflectors such as DNS or NTP, which is why a relatively small number of abused servers produced the largest DDoS attack seen on the internet to that point.
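To make the mechanics concrete, here is an added example (not code from the article, from Memcrashed, or from memcached-PoC) that builds the 15-byte memcached UDP request, parses and reassembles the multi-datagram reply a server sends back, and computes the resulting amplification factor. The frame layout (an 8-byte header of request id, sequence number, datagram count and a reserved field, followed by the text command) and the `stats` command come from the memcached protocol; the sample reply is constructed inline, not captured traffic. Only `probe_host()` touches the network, and it exists so you can check a server you own, not so you can scan other people’s.

```python
"""Memcached UDP amplification at the packet level.

Added example; not code from the original article, Memcrashed or memcached-PoC.
Assumptions: the memcached UDP frame format (8-byte header: request id, sequence
number, datagram count, reserved) and the 'stats' command, both from the
memcached protocol; the sample reply below is CONSTRUCTED, not captured traffic.
Only probe_host() touches the network; point it only at servers you own.
"""
import socket
import struct

MEMCACHED_UDP_PORT = 11211
FRAME = struct.Struct("!HHHH")   # request id, sequence no, total datagrams, reserved (0)
IP_UDP_OVERHEAD = 28             # 20-byte IPv4 header + 8-byte UDP header per datagram


def build_probe(command: bytes = b"stats\r\n", request_id: int = 1) -> bytes:
    """Build a one-datagram memcached UDP request; 'stats' gives a 15-byte packet."""
    if not command.endswith(b"\r\n"):
        command += b"\r\n"
    return FRAME.pack(request_id, 0, 1, 0) + command


def parse_frame(datagram: bytes) -> dict:
    """Split a memcached UDP datagram into its header fields and text body."""
    if len(datagram) < FRAME.size:
        raise ValueError("datagram shorter than the 8-byte memcached UDP header")
    request_id, seq, total, reserved = FRAME.unpack_from(datagram)
    return {"request_id": request_id, "seq": seq, "total": total,
            "reserved": reserved, "body": datagram[FRAME.size:]}


def reassemble(datagrams) -> bytes:
    """Order a multi-datagram reply by sequence number and join the bodies."""
    frames = [parse_frame(d) for d in datagrams]
    ids = {f["request_id"] for f in frames}
    if len(ids) != 1:
        raise ValueError("datagrams belong to different requests: %r" % sorted(ids))
    total = frames[0]["total"]
    if len(frames) != total:
        raise ValueError("expected %d datagrams, got %d" % (total, len(frames)))
    return b"".join(f["body"] for f in sorted(frames, key=lambda f: f["seq"]))


def amplification_factor(request: bytes, reply_datagrams) -> float:
    """Bytes that reach the victim per byte the attacker spent, IP/UDP headers included."""
    sent = len(request) + IP_UDP_OVERHEAD
    received = sum(len(d) + IP_UDP_OVERHEAD for d in reply_datagrams)
    return received / sent


def constructed_stats_reply(request_id: int = 1, chunk: int = 1400) -> list:
    """CONSTRUCTED reply, not captured traffic: a 'stats' dump split into UDP frames
    the way memcached fragments responses larger than one datagram."""
    body = b"".join(b"STAT item_%d %d\r\n" % (i, i) for i in range(200)) + b"END\r\n"
    chunks = [body[i:i + chunk] for i in range(0, len(body), chunk)]
    return [FRAME.pack(request_id, seq, len(chunks), 0) + c
            for seq, c in enumerate(chunks)]


def probe_host(host: str, timeout: float = 2.0) -> list:
    """Send one 'stats' probe to a host YOU OWN and collect every datagram it reflects.
    An empty list means the host does not answer on UDP/11211, which is what you want."""
    request = build_probe()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, MEMCACHED_UDP_PORT))
        datagrams = []
        try:
            while True:
                data, _ = s.recvfrom(65535)
                datagrams.append(data)
        except socket.timeout:
            pass
    return datagrams


if __name__ == "__main__":
    req = build_probe()
    reply = constructed_stats_reply()
    print("request: %d bytes, reply: %d datagrams / %d bytes, factor x%.1f"
          % (len(req), len(reply), sum(len(d) for d in reply),
             amplification_factor(req, reply)))
```

The constructed reply is a modest few kilobytes, so the factor it yields is in the tens; a real server with a large item cache answers `stats` with far more, and the 51,000x figure quoted above counts those multi-hundred-kilobyte replies against the same 15-byte request. Note that the attacker never sees any of this traffic: the spoofed source address means every datagram lands on the victim.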
Two Publicly Released Tools
Malware writers have already taken advantage of it. One tool, called Memcrashed, takes a target IP address and does the rest: it queries Shodan for hosts with port 11211 open and floods the target with traffic reflected off them.
The other is named memcached-PoC (proof of concept), and its developer posted the code. It exists to show researchers exactly how the reflection works, and the memcached project has responded: version 1.5.6 disables UDP by default. Upgrading alone does not help the many installations still running older versions, so it is up to server administrators to act: disable memcached’s UDP listener (the UDP port option, set to 0), bind the service to localhost unless other hosts genuinely need it, and block UDP port 11211 at the firewall. Disabling UDP is the key step, because UDP is the connectionless protocol that lets an attacker forge the victim’s address and create the flood; closing the TCP port alone does nothing against it.
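An administrator’s first question is whether their own memcached is one of the reflectors. Here is an added example, not from the article or the memcached project, that audits a memcached launch configuration and compares a default-looking (weak) setup with a hardened one. It assumes memcached’s `-p`/`--port` (TCP, default 11211), `-U`/`--udp-port` (0 disables UDP) and `-l`/`--listen` (comma-separated addresses, optional `:port`, all interfaces when absent) options; a Debian-style memcached.conf with one option per line and `#` comments; and the version behaviour described above, namely that releases before 1.5.6 listened on UDP on the TCP port unless told `-U 0`, while 1.5.6 and later leave UDP off unless `-U` names a port. The two sample configurations are constructed, and only the separated (`-U 0`) and `--option=value` spellings are parsed.

```python
"""Audit a memcached launch configuration for UDP-reflector exposure.

Added example, not from the original article or the memcached project.
Assumptions: memcached's -p/--port (TCP, default 11211), -U/--udp-port
(0 disables UDP) and -l/--listen (comma-separated, optional :port, default
all interfaces) options; a Debian-style memcached.conf with one option per
line and '#' comments; versions before 1.5.6 enabled UDP on the TCP port
unless -U 0 was given, 1.5.6+ leave it off unless -U names a port. Only the
separated ('-U 0') and '--opt=value' spellings are parsed.
"""
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

WEAK_CONF = """\
# CONSTRUCTED sample: a default-looking pre-1.5.6 install, reachable from anywhere
-m 64
-p 11211
-u memcache
"""

HARDENED_CONF = """\
# CONSTRUCTED sample: UDP off, bound to loopback only
-m 64
-p 11211
-u memcache
-U 0
-l 127.0.0.1
"""


def conf_to_argv(conf_text: str) -> list:
    """Turn a one-option-per-line memcached.conf into an argv-style list."""
    argv = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            argv.extend(shlex.split(line))
    return argv


def _values(argv, short, long_):
    """All values given for an option, in order (memcached lets the last one win)."""
    found = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in (short, long_) and i + 1 < len(argv):
            found.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith(long_ + "="):
            found.append(arg.split("=", 1)[1])
        i += 1
    return found


def _host(listen_value: str) -> str:
    """Strip an optional :port from a -l entry, including the [v6]:port form."""
    v = listen_value.strip()
    if v.startswith("["):
        return v[1:v.index("]")]
    if v.count(":") == 1:
        return v.split(":", 1)[0]
    return v


def audit(argv, udp_on_by_default=True) -> dict:
    """Decide whether this configuration can be abused as a UDP reflector.

    udp_on_by_default=True models memcached < 1.5.6; pass False for 1.5.6+.
    """
    tcp_vals = _values(argv, "-p", "--port")
    tcp_port = int(tcp_vals[-1]) if tcp_vals else 11211
    udp_vals = _values(argv, "-U", "--udp-port")
    if udp_vals:
        udp_port = int(udp_vals[-1])
    else:
        udp_port = tcp_port if udp_on_by_default else 0
    hosts = [_host(h) for v in _values(argv, "-l", "--listen") for h in v.split(",")]
    if not hosts:
        hosts = ["0.0.0.0"]            # memcached binds every interface when -l is absent
    public = [h for h in hosts if h not in LOOPBACK]
    findings = []
    if udp_port:
        findings.append("UDP enabled on port %d" % udp_port)
    if public:
        # Non-loopback listening is a problem on its own (anyone can read the cache);
        # combined with UDP it also makes the host a reflector.
        findings.append("listening on non-loopback address(es): %s" % ", ".join(public))
    return {"exposed": bool(udp_port) and bool(public),
            "udp_port": udp_port, "hosts": hosts, "findings": findings}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf_to_argv(conf)))
```

Treat the hardened configuration as the baseline and the firewall as a second line of defence: a host rule such as `iptables -I INPUT -p udp --dport 11211 -j DROP` (assumed standard iptables syntax) keeps a future package upgrade or config rollback from silently re-exposing the listener. Web applications talk to memcached over TCP, so disabling UDP costs nothing for the ordinary caching use the page describes.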
Memcrashed’s author built delays into the source code to keep it from dealing devastating blows to the internet, saying the goal was to draw attention to the problem rather than to knock sites offline. According to researchers, roughly 93,000 servers are open to this abuse, which is enough reflector capacity to take down even the most carefully secured application: a volumetric flood saturates the network link and never has to touch the application’s own code.
These attacks come from outside, but they remain possible only because the people who oversee server configurations and software don’t keep secure settings in place. Whether it is patching server software slowly or exposing a service that should have stayed local, a successful attack takes advantage of openings administrators created. When managing servers that face the internet, regularly penetration test both the servers and the application, and include a check of which ports answer from outside and over which protocols; a UDP service nobody remembers enabling is exactly what this attack needs.
For more information on insider threats and what you can do to protect your network, see GateKeeper.