2018 is the year that breaks all records: first Spectre & Meltdown, then the biggest DDoS attack in history. Memcached DDoS attacks will become a thing, especially because some people made it even easier to launch such an attack with a few scripts.
Picture source: GBhackers.com
Reflection and amplification attacks are not new: attackers have previously used reflection and amplification DDoS techniques to exploit flaws in DNS, NTP, SNMP, SSDP, CLDAP, Chargen and other protocols in an attempt to maximize the scale of their attacks. 2016 was a year with more memcached DDoS attacks, but it was only the beginning.
Two proofs of concept for the Memcached DDoS attack have been published online. The first one is written in C and uses a list of 17,000 vulnerable Memcached servers to launch a DDoS attack. The second one is built in Python and uses the Shodan.io API to find vulnerable Memcached servers.
Picture: the tool written in Python. The PoC published online made the attack even worse: it allows every script kiddie to launch a high-volume Memcached DDoS attack on weak servers. Keep in mind that this is illegal.
Mohammadi, alias 037, created a little utility called “Memfixed” to automate the mitigation of a Memcached DDoS because, according to him, vendors are not updating or, at the very least, disabling UDP, and companies are being hit with amplified DDoS attacks.
However, this tool is as illegal as DDoS attacks themselves: even if it can shut down the affected servers to protect them from larger damage, you still have no right to use it, because you simply do not have the server owner's rights to do such things. But it is designed more to identify the problematic servers.
You can block the Memcached port in your firewall and allow access only from the database server, which is already enough. Memcached's default port is widely considered to be 11211 (TCP). The easiest example is via iptables, assuming that 126.96.36.199 would be our server (which it is not), so you have to edit this example accordingly.
# drop TCP 11211 from every source except the trusted server (note the space after "!" and the /32 mask; "/0" would have matched every address)
iptables -A INPUT ! -s 188.8.131.52/32 -p tcp --destination-port 11211 -j DROP
You can achieve similar prevention with every other NAT-based firewall too.
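As an added example (not code from the original post), the following script checks whether Memcached is listening on UDP 11211 on a non-loopback address, using ss -lnu output, and emits accept-then-drop iptables rules for both TCP and UDP, because the amplification traffic itself is UDP. It assumes the default port 11211 and the trusted client 188.8.131.52/32 from the iptables line above; the ss sample it contains is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes Memcached's default
# port 11211 and a trusted client of 188.8.131.52/32 (the address from the
# iptables line above, used here as a placeholder). Applying rules needs root.

MEMCACHED_PORT=11211

# Emit rules for both TCP and UDP: accept the trusted source first, then drop
# everything else. The amplification traffic itself is UDP, so TCP alone is
# not enough.
memcached_fw_rules() {
    allowed="$1"
    for proto in tcp udp; do
        printf 'iptables -A INPUT -p %s --dport %s -s %s -j ACCEPT\n' \
            "$proto" "$MEMCACHED_PORT" "$allowed"
        printf 'iptables -A INPUT -p %s --dport %s -j DROP\n' \
            "$proto" "$MEMCACHED_PORT"
    done
}

# Apply the rules in order; pass "dry-run" as the second argument to only
# print what would be executed.
memcached_fw_apply() {
    allowed="$1"; mode="${2:-apply}"
    memcached_fw_rules "$allowed" | while IFS= read -r rule; do
        if [ "$mode" = "dry-run" ]; then printf '%s\n' "$rule"; else eval "$rule"; fi
    done
}

# Read `ss -lnu` output on stdin and print every UDP listener on the
# Memcached port that is bound to something other than loopback.
# Returns 0 (exposed) if any is found, 1 otherwise.
memcached_udp_exposed() {
    exposed=$(awk -v port="$MEMCACHED_PORT" '
        $1 == "UNCONN" && $4 ~ (":" port "$") &&
        $4 !~ /^127\./ && $4 !~ /^\[::1\]/ { print $4 }')
    [ -n "$exposed" ] || return 1
    printf '%s\n' "$exposed"
}

# Constructed sample of `ss -lnu` output: Memcached bound to all interfaces.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 0.0.0.0:11211 0.0.0.0:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*'

if printf '%s\n' "$SAMPLE_SS" | memcached_udp_exposed >/dev/null; then
    echo "UDP $MEMCACHED_PORT is exposed; rules that would be applied:"
    memcached_fw_apply 188.8.131.52/32 dry-run
fi
```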
Unfortunately, it looks like a problem that won't go away, as there are so many servers exposed or simply poorly configured, which is a real problem and needs to be fixed ASAP. But why was GitHub targeted? Perhaps because it is just so resilient that it is a good test target to see how effective you are, which would be my explanation. But you can be sure more is coming, and these guys aren't going to sleep for the rest of the year.