UPDATED 21:18 EST / MARCH 08 2018

Memcached vulnerability ‘kill switch’ may put an end to record attacks

A newly discovered “kill switch” may be able to address distributed denial-of-service attacks that use a vulnerability in the Memcached memory caching system to amplify data volume, the same vulnerability used in a number of record DDoS attacks over the last two weeks.

Corero Network Security Inc. made the claim Wednesday, saying it discovered an effective method that can address the Memcached vulnerability by sending a command back to an attacking server to suppress its DDoS exploitation. The kill switch sends a “flush all” command to the attacking server that suppresses the flood of traffic by invalidating a vulnerable Memcached server’s cache and “appears to be 100 percent effective” in testing.

The Memcached vulnerability involves attackers exploiting a configuration issue with the protocol in some Memcached installations, causing services running it to respond with data packets thousands of times bigger than the request — up to 51,000 times larger. In effect, the “kill switch” counters that vulnerability by telling the same Memcached server to stop the traffic by flushing its own cache.
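To make the amplification concrete, here is an added example (not code from the article, Corero or the Memcached project) that builds the Memcached UDP frame described in the project's protocol documentation, parses a reply, and measures the bytes-returned-per-byte-sent ratio. The `probe_udp` helper is meant for checking a server you administer yourself (the sample run targets localhost); the `version` command is the assumed harmless request, and the hostnames and reply bytes in the test are constructed.

```python
import socket
import struct
from typing import Dict, List, Optional

MEMCACHED_UDP_PORT = 11211

# Memcached's UDP framing (from the project's protocol.txt): an 8-byte header of
# four big-endian 16-bit fields precedes the ASCII text command:
#   request id | sequence number | total datagrams in message | reserved (0)
UDP_HEADER = struct.Struct("!HHHH")


def build_udp_request(command: str, request_id: int = 0) -> bytes:
    """Wrap a text-protocol command in a single-datagram UDP frame."""
    if not command.endswith("\r\n"):
        command += "\r\n"
    return UDP_HEADER.pack(request_id, 0, 1, 0) + command.encode("ascii")


def parse_udp_response(datagram: bytes) -> Dict[str, object]:
    """Split one reply datagram into its header fields and text payload."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than the memcached UDP header")
    request_id, seq, total, _reserved = UDP_HEADER.unpack_from(datagram)
    return {
        "request_id": request_id,
        "seq": seq,
        "total": total,
        "payload": datagram[UDP_HEADER.size:],
    }


def amplification_ratio(request: bytes, responses: List[bytes]) -> float:
    """Bytes received per byte sent: the figure the article's 'up to 51,000 times' refers to."""
    return sum(len(r) for r in responses) / len(request)


def probe_udp(host: str, port: int = MEMCACHED_UDP_PORT,
              timeout: float = 2.0) -> Optional[Dict[str, object]]:
    """Send a single 'version' request over UDP to a server you administer.

    Returns the parsed reply plus its amplification ratio, or None when nothing
    answers within the timeout (UDP listener disabled, or port filtered).
    """
    request = build_udp_request("version")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _peer = sock.recvfrom(65535)
        except socket.timeout:
            return None
    reply = parse_udp_response(data)
    reply["amplification"] = amplification_ratio(request, [data])
    return reply


if __name__ == "__main__":
    # Only probe hosts you own; localhost is the assumed target here.
    result = probe_udp("127.0.0.1")
    if result is None:
        print("no UDP reply on 11211: the UDP listener appears disabled or filtered")
    else:
        text = result["payload"].decode("ascii", errors="replace").strip()
        print("UDP reply:", text)
        print("amplification for 'version': %.1fx" % result["amplification"])
```

A server that returns nothing to this probe is not reachable as a UDP reflector from wherever you ran it; one that answers is worth revisiting, since the same framing carries `stats` and `get` requests whose replies are far larger than the `version` line.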

Strangely, Corero has not detailed the command, saying only that it had provided the details to national security agencies, but this being the internet, it didn’t take long for someone to work out what was involved.

A Memcached developer came up with the details, with Neowin reporting that as the vulnerable Memcached server IP is not spoofed, it is “pretty easy to disable them” by sending the command “shutdown\r\n” or running “flush_all\r\n” in a loop to prevent amplification.

Although the kill switch is welcome, the vulnerability may not be around that much longer, with the issue being assigned a formal Common Vulnerabilities and Exposures number (CVE-2018-1000115) identifying Memcached version 1.5.5 as having an “Insufficient control of Network Message Volume vulnerability in the UDP support of the Memcached server that can result in denial of service via network flood.”

A newly released version of Memcached, 1.5.6, patches the vulnerability, but as with all server-side issues, it requires network administrators to install the latest version to address it.
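Until every server is upgraded, an operator can at least tell from flow data whether one of their own Memcached hosts is being used as a reflector: spoofed requests arrive as tiny datagrams to UDP 11211 and leave as much larger replies addressed to the victim. The following is an added example (not from the article or the Memcached project) that runs that check over a few constructed flow records; the `Flow` layout, the server address 10.0.0.9, the peer addresses and the thresholds are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple

MEMCACHED_PORT = 11211


class Flow(NamedTuple):
    """One unidirectional flow record (constructed format, not a real exporter's)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    octets: int


# Constructed sample flows, not captured traffic. A legitimate client exchange
# from 10.0.0.5, then a burst of small requests that claim to come from
# 203.0.113.7:80 and are answered with large replies sent to that address.
SAMPLE_FLOWS: List[Flow] = [
    Flow("udp", "10.0.0.5", 41000, "10.0.0.9", MEMCACHED_PORT, 60),
    Flow("udp", "10.0.0.9", MEMCACHED_PORT, "10.0.0.5", 41000, 120),
] + [
    Flow("udp", "203.0.113.7", 80, "10.0.0.9", MEMCACHED_PORT, 60) for _ in range(5)
] + [
    Flow("udp", "10.0.0.9", MEMCACHED_PORT, "203.0.113.7", 80, 70000) for _ in range(5)
]


def find_reflection_victims(flows: List[Flow], server_ip: str,
                            min_ratio: float = 100.0,
                            min_out_octets: int = 10000) -> Dict[str, float]:
    """Return {peer_ip: outbound/inbound octet ratio} for peers that receive
    far more from our memcached UDP port than they ever sent to it.

    A high ratio with substantial outbound volume means the peer is most likely
    a spoofed victim address rather than a real client.
    """
    inbound: Dict[str, int] = defaultdict(int)   # octets each peer sent to 11211
    outbound: Dict[str, int] = defaultdict(int)  # octets 11211 sent to each peer
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_ip == server_ip and f.dst_port == MEMCACHED_PORT:
            inbound[f.src_ip] += f.octets
        elif f.src_ip == server_ip and f.src_port == MEMCACHED_PORT:
            outbound[f.dst_ip] += f.octets

    suspects: Dict[str, float] = {}
    for peer, out_octets in outbound.items():
        if out_octets < min_out_octets:
            continue
        in_octets = inbound.get(peer, 0)
        # Replies with no matching request at all are the strongest signal.
        ratio = float("inf") if in_octets == 0 else out_octets / in_octets
        if ratio >= min_ratio:
            suspects[peer] = ratio
    return suspects


if __name__ == "__main__":
    for peer, ratio in find_reflection_victims(SAMPLE_FLOWS, "10.0.0.9").items():
        print("likely reflection victim %s: %.0fx more sent than received" % (peer, ratio))
```

The thresholds are deliberately conservative: a real client asking for a handful of large cached values can legitimately pull a few hundred times what it sent, so the absolute outbound volume matters as much as the ratio, and an alert should lead to confirming the UDP listener is disabled rather than to blocking the flagged address, which belongs to the victim.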

Image: Memcached
