New DDoS Reflection-Attack Variant

This is worrisome:

DDoS vandals have long intensified their attacks by sending a small number of specially designed data packets to publicly available services. The services then unwittingly respond by sending a much larger number of unwanted packets to a target. The best known vectors for these DDoS amplification attacks are poorly secured domain name system resolution servers, which magnify volumes by as much as 50 fold, and network time protocol, which increases volumes by about 58 times.

On Tuesday, researchers reported attackers are abusing a previously obscure method that delivers attacks 51,000 times their original size, making it by far the biggest amplification method ever used in the wild. The vector this time is memcached, a database caching system for speeding up websites and networks. Over the past week, attackers have started abusing it to deliver DDoSes with volumes of 500 gigabits per second and bigger, DDoS mitigation service Arbor Networks reported in a blog post.

Cloudflare blog post. BoingBoing post.

EDITED TO ADD (3/9): Brian Krebs covered this.
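The mechanism the quoted passage describes, as an added example that is not part of this post or the Ars Technica article: memcached speaks its text protocol over UDP by wrapping each command in an 8-byte frame header (request ID, sequence number, total datagrams, reserved), so an attacker can send a 15-byte "stats" request with a spoofed source address and the server answers the victim with many large datagrams. The script below builds that frame, reassembles a multi-datagram reply, and reports the amplification factor (response bytes on the wire divided by request bytes). The function names, the hypothetical host name and the sample datagrams are my own constructions; the 51,000x figure in the article comes from attackers first storing large values and then requesting them, which a bare "stats" probe will not reproduce. Only point the probe at servers you operate.

```python
import socket
import struct

MEMCACHED_PORT = 11211
# memcached UDP frame header: request id, sequence number, total datagrams, reserved (0)
UDP_HEADER = struct.Struct("!HHHH")


def build_udp_request(command: bytes, request_id: int = 0) -> bytes:
    """Wrap a text-protocol command in a single-datagram UDP frame (seq 0 of 1)."""
    if not command.endswith(b"\r\n"):
        command += b"\r\n"
    return UDP_HEADER.pack(request_id, 0, 1, 0) + command


def parse_udp_response(datagram: bytes):
    """Split one datagram into (request_id, seq, total, body); reject malformed headers."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than memcached UDP header")
    request_id, seq, total, reserved = UDP_HEADER.unpack_from(datagram)
    if reserved != 0 or total == 0 or seq >= total:
        raise ValueError("malformed memcached UDP header")
    return request_id, seq, total, datagram[UDP_HEADER.size:]


def reassemble(datagrams) -> bytes:
    """Order datagrams of one response by sequence number and join their bodies."""
    parts, ids = {}, set()
    for datagram in datagrams:
        request_id, seq, _, body = parse_udp_response(datagram)
        ids.add(request_id)
        parts[seq] = body
    if len(ids) > 1:
        raise ValueError("datagrams belong to different requests")
    return b"".join(parts[seq] for seq in sorted(parts))


def measure(request: bytes, datagrams) -> dict:
    """Amplification factor = bytes the server put on the wire / bytes the attacker sent."""
    response_bytes = sum(len(d) for d in datagrams)
    return {
        "request_bytes": len(request),
        "response_bytes": response_bytes,
        "datagrams": len(datagrams),
        "factor": response_bytes / len(request),
    }


# Constructed sample reply (not captured from a real server): two datagrams for
# request id 7, delivered out of order, as a reflector might return them.
SAMPLE_REQUEST = build_udp_request(b"stats", request_id=7)
SAMPLE_RESPONSE = [
    UDP_HEADER.pack(7, 1, 2, 0) + b"STAT bytes 65536\r\nEND\r\n",
    UDP_HEADER.pack(7, 0, 2, 0) + b"STAT pid 4242\r\nSTAT uptime 1000\r\n",
]


def sample_measurement() -> dict:
    """Amplification of the constructed sample exchange above."""
    return measure(SAMPLE_REQUEST, SAMPLE_RESPONSE)


def probe(host: str, port: int = MEMCACHED_PORT, timeout: float = 2.0, max_datagrams: int = 64):
    """Send one 'stats' request over UDP and measure what comes back.

    Returns None when the host does not answer on UDP, which is the safe state:
    a server that answers here can be used as a reflector against anyone.
    """
    request = build_udp_request(b"stats")
    datagrams = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            while len(datagrams) < max_datagrams:
                data, _ = sock.recvfrom(65535)
                datagrams.append(data)
                _, _, total, _ = parse_udp_response(data)
                if len(datagrams) >= total:
                    break
        except socket.timeout:
            pass
    return measure(request, datagrams) if datagrams else None


if __name__ == "__main__":
    # "cache.example.internal" is a placeholder for a server you operate.
    result = probe("cache.example.internal")
    print("no UDP response (good)" if result is None else result)
```

The reflector's own stack offers the defence the thread goes on to discuss: a memcached that does not listen on UDP, or that is not reachable from the Internet, returns nothing here, and the probe reports None.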

Posted on March 7, 2018 at 6:23 AM • 13 Comments

Comments

Marc Espie • March 7, 2018 8:06 AM

The very surprising thing is that people have open memcached servers in the wild...

Yet another case where "secure by default" was not sufficiently hammered in.

David Leppik • March 7, 2018 10:39 AM

Just as with open SNTP gateways in the 1990s, the solution is probably to ostracize networks which have these. This is probably a big enough threat that network providers will be willing to shut down misbehaving customers.


@Marc Espie:
It's not at all surprising to me. Memcached is a tool that novice sysadmins are told to reach for when things are too slow. As long as there are novices in the world, we'll have these sorts of problems.

x2bike • March 7, 2018 12:18 PM

@David Leppik
And as long as there are more seasoned folks telling the novices to go ahead and use memcached.

Sergey Babkin • March 7, 2018 12:22 PM

@David Leppik: Memcached is really a database engine. How many of even the novice sysadmins expose their MySQL and Oracle database servers to the outside world? It's kind of surprising that they treat memcached differently. (On the other hand, maybe they do expose their SQL database servers to the outside world, just nobody managed to use them for the amplification yet).

neill • March 7, 2018 12:36 PM

A little common sense could have prevented those attacks too, like the DNS attacks in 2016.

If you have a 'fat pipe' and do not use bandwidth controls, then please RTFM.

Who needs a gigabit of UDP on 123???

(Sorry, I'm just angry now.)

Chip Marshall • March 7, 2018 4:32 PM

I don't think this is really all that much to be worried about. Unlike DNS reflection or services commonly found on home routers, memcache doesn't have many legitimate users across the Internet (it's usually a local-only service), so blocking it doesn't have any ill effects. The major hosting providers have already taken steps to mitigate this, and the size of attacks has decreased considerably in the past week.

justinacolmena • March 7, 2018 9:38 PM

The DNS structure on some domains perhaps could be simplified somewhat to mitigate this problem, but this is the general nature of publicly available services.

A small request needs a large amount of data to fulfill in comparison to the size of the request itself.

The size of a file is often quite a bit larger than the size of the name of the file. It's not practical to implement "ratios" like those sleazy FTP sites.

It's like the courthouse in that part of town: the civil section is clogged with frivolous lawsuits, and the criminal section is full of petty crimes being charged as felonies, while serious civil matters and serious crimes go unaddressed and unresolved.

A small number of people abuse any public service that is supposed to be available for the benefit of all, and they ruin it for everyone else.

Size-of-request vs. size-of-response is not the correct fundamental issue to address. Malicious human behavior is.

Ratio • March 7, 2018 11:32 PM

@justinacolmena,

Size-of-request vs. size-of-response is not the correct fundamental issue to address.

It’s the combination of amplification and reflection. (Amplification: request size vs. response size. Reflection: attacker makes the request, target gets the response.)

bob • March 9, 2018 4:27 PM

@Sergey Babkin

The reason all the open Oracle and MySQL servers aren't as much of a threat is that, by default, they don't expose UDP ports, only TCP. The fact that memcached exposes UDP by default means it can be used better for amplification. However, memcached does NOT run on anything other than localhost by default either (i.e. no public ports), so all these thousands upon thousands of goofballs who have them exposed publicly have purposefully changed the configuration to enable such behavior. You really can't cure stupid. In retrospect, UDP probably shouldn't be on by default either, for anything ever again, just because of stupid.


@Chip Marshall

"memcached" is not written "memcache" without the "d"... and, as an aside, it is not pronounced like "mem-casht" either... it is pronounced like "mem-cash-dee"... the "d" suffix is not optional and it does not mean past tense, it is an abbreviation for "daemon" (which means, a service that's always running in the background, so the name literally means "memory cache service that's always running in the background")

You are correct that the known port that's not used for anything useful presents an easy way to mitigate this though. Unlike DNS, which is necessary for most things to function, so it can't simply be blocked all over the internet. But on the other hand, it makes me go, "I wonder what else might have open UDP..." and I'm sure I'm not the only one, so this isn't the end of this...


@justinacolmena

You are correct that the few abusers generally ruin everything for everyone else. I'm curious how you would propose to address human behavioral problems though... Everything I can think of is pretty draconian...


@George

Except it's a felony in the USA to use such a "kill switch"... You are not allowed to actively "attack back" anything that's attacking you, it's against the law to access a computer when you are not authorized. This may be a stupid law, but it's still there, and is often enforced even in ridiculous circumstances.

Clive Robinson • March 10, 2018 12:42 AM

@ Bob,

I'm curious how you would propose to address human behavioral problems though... Everything I can think of is pretty draconian...

Make them eligible for a Darwin Award?

Primary Entry Rule,

    The prime tenet of the Darwin Awards is that we are celebrating the self-removal of incompetent genetic material from the human race. Therefore, the potential winner must be deceased, or at least incapable of reproducing. The traditional method is death. However, an occasional rebel opts for sterilization, which allows them more time to enjoy the dubious notoriety of winning a Darwin Award.

A prime example of the first type,

http://www.darwinawards.com/darwin/darwin2018-02.html

A prime example of the second type,

http://www.darwinawards.com/darwin/darwin2017-05.html

But there are those who try and fail,

http://www.darwinawards.com/stupid/stupid2017-03.html
