Corero discovers Memcached DDoS kill switch

In the past few weeks, code repository GitHub was taken offline by the world’s largest DDoS attack to date, peaking at 1.35Tbps. That was just the beginning.

Almost immediately afterwards, attackers used their new favourite technique to set a new world record. A leading US service provider was hit with an attack that peaked at 1.7Tbps – more than any organisation could realistically cope with.

The technique exploited servers running a utility called Memcached. Amplifying traffic through Memcached servers became an overnight favourite – a method that was repeatable, scalable, and would change the landscape of DDoS attacks forever.

That is, until DDoS specialists Corero got involved – and found a simple-yet-powerful ‘kill switch’ that could end an attack in an instant.

How DDoS attackers are using Memcached servers

Despite techniques becoming more sophisticated in the past few years, DDoS attacks still rely on quantity over quality. The sheer scale of traffic you can direct at a server remains of critical importance – attackers need to trick multiple servers into attacking a target.

Memcached, an open source memory caching utility, was never meant to be used on servers connected to the internet. It lacks even the most basic authentication and, as a result, attackers can force servers running Memcached to take part in DDoS attacks.
That’s bad. But it gets worse.

Like the rest of us, attackers are working with limited resources. They want the biggest return on their investment – the most traffic hitting a target with the minimum traffic sent from their own computers. With a little configuration, Memcached makes that easy.

According to Cloudflare, a single Memcached server could receive a request that’s just 15 bytes and, in response, send back 750KB of data. That’s a 51,200x amplification before you even consider the number of requests the Memcached server can handle and then the number of servers being used at the same time.

It’s easy to see how the numbers get very, very big. And why putting a stop to attackers using Memcached became a priority for the team at Corero.
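Whether a given Memcached instance can be pulled into an attack like this depends on how it was started, so defenders can audit their own hosts. The Python sketch below is an added example, not code from Corero or the original article. It assumes memcached's -U/--udp-port and -l/--listen startup options, and the host names and command lines in it are constructed samples.

```python
import ipaddress
import shlex

def _loopback_only(listen):
    """True only if every address in a -l/--listen value is loopback."""
    for entry in listen.split(","):
        entry = entry.strip()
        if entry == "localhost":
            continue
        try:
            if not ipaddress.ip_address(entry.strip("[]")).is_loopback:
                return False
        except ValueError:
            return False  # hostname, wildcard or host:port form: treat as exposed
    return True

def audit_memcached_args(cmdline):
    """Classify one memcached command line by how reachable its listeners are."""
    args = shlex.split(cmdline)
    udp_port = None  # None: no -U given, so the build's default applies
    listen = None    # None: no -l given, memcached binds every interface
    for i, arg in enumerate(args):
        nxt = args[i + 1] if i + 1 < len(args) else None
        if arg == "-U" and nxt is not None:
            udp_port = int(nxt)
        elif arg.startswith("--udp-port="):
            udp_port = int(arg.split("=", 1)[1])
        elif arg == "-l" and nxt is not None:
            listen = nxt
        elif arg.startswith("--listen="):
            listen = arg.split("=", 1)[1]
    if listen is not None and _loopback_only(listen):
        return "ok"           # not reachable from other hosts
    if udp_port == 0:
        return "tcp-exposed"  # no UDP reflection, but unauthenticated TCP is reachable
    if udp_port is None:
        return "udp-default"  # UDP on or off depends on the installed version's default
    return "udp-exposed"      # UDP listener reachable: usable as a reflector

# Constructed sample command lines (not taken from any real host).
SAMPLES = {
    "cache-a": "/usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1",
    "cache-b": "/usr/bin/memcached -m 1024 -p 11211 -U 11211 -l 0.0.0.0",
    "cache-c": "memcached -d --listen=10.0.0.5 --udp-port=0",
    "cache-d": "memcached -d -m 256",
}

def audit_all(samples=SAMPLES):
    return {host: audit_memcached_args(cmd) for host, cmd in samples.items()}
```

The audit reads startup options only, so a firewall in front of a flagged host is not taken into account.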

The first vendor to find an answer to Memcached

With the Corero SmartWall Network Threat Defense System, Corero customers have been benefitting from real-time Memcached attack protection since the very first attacks. In less than two seconds, SmartWall can detect and deflect malicious traffic.

However, as leaders in the DDoS space, the Corero team knew they had to do more to help with this serious new development.
After just a few days of detailed investigation, they disclosed the discovery of a way to suppress attacking servers with just one simple command that invalidates the cache and any malicious payload inside it.

As the world’s security specialists continue to discourage the use of Memcached on internet-connected servers, Corero’s discovery has offered a fast, effective way to kill attacks the moment they’re detected.

Corero also revealed that, as well as DDoS attack amplification, Memcached can be used to gain access to data. This troubling new development means a method exists for attackers to retrieve or modify data remotely – the details of which have now been disclosed to unnamed national security agencies.

Pioneering protection against DDoS attacks

Corero’s Memcached kill switch is a significant discovery in the fight against a technique that’s just a few weeks old. But it reflects Corero’s long-term commitment to improving the way businesses defend themselves against DDoS attacks.

With its range of SmartWall appliances, Corero took network security to the next level, offering the fastest performance in the most compact, affordable units. With its ongoing research and regular DDoS trends reports, the company has helped to improve awareness and understanding of the latest threats worldwide.

And now, with the Memcached kill switch, Corero is offering an effective, immediate solution that organisations worldwide can take advantage of.
