Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Memcached Amplification DDoS: A 2018 Threat (APRICOT 2018)

Artyom "Töma" Gavrichenkov
February 28, 2018
Technology
0
19

Memcached Amplification DDoS: A 2018 Threat (APRICOT 2018)

In November 2017, researchers have found a new class of amplification DDoS attacks: memcached amplification. At the end of February 2018 those attacks are in the wild, with a bandwidth already close to 0,5 Gbps.

This lightning talk is a short analysis of the threat structure, consequences and possible ways to mitigate the threat.

Artyom "Töma" Gavrichenkov

February 28, 2018
Tweet

More Decks by Artyom "Töma" Gavrichenkov

See All by Artyom "Töma" Gavrichenkov
[EE DNS Forum 2018] DDoS on DNS: past, present and inevitable
ximaera
0
52
Wrong, wrong, WRONG! methods of DDoS mitigation
ximaera
0
330
DDoS Beasts and How to Fight Them (Nginx Conf 2018)
ximaera
0
180
DDoS tutorial (China ISC 360)
ximaera
0
210
[RU] “I, Not Robot". A design of the contemporary CAPTCHA challenges and the future of the Turing test
ximaera
0
110
DDoS 101 (2018, PaymentSecurity RU 2018)
ximaera
0
29
Memcached Amplification: Lessons Learned (NANOG 73)
ximaera
0
160
DDoS Beasts and How to Fight Them
ximaera
0
43
Memcached Amplification DDoS: Lessons Learned (ENOG 15)
ximaera
0
40

Other Decks in Technology

See All in Technology
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
2
450
最近たまに見かけるTiDBってなんだ? - Findy
pingcap0315
2
770
NgRx Signal Store
rainerhahnekamp
0
150
検証を通して見えてきたTiDBの性能特性
lycorptech_jp
PRO
6
3.7k
TechFeed Experts Night#27 〜 フロントエンドフレームワーク最前線 (Svelte)
baseballyama
1
380
アクセス制御にまつわる改善 / Improving access control
itkq
0
520
コードを書く隙間を見つけて生きていく技術/Findy 思考の現在地
fujiwara3
27
5.9k
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
2
11k
チームでロジカルシンキングに改めて向き合っている話 〜学習環境と実践⽅法〜
sansantech
PRO
2
2k
生産性向上チームの紹介
cybozuinsideout
PRO
1
870
Kernel MemoryでAzure OpenAI Serviceとお手軽データソース連携
mitsuzono
1
240
Cloud Native Java with Spring Boot (CNCF Aarhus, April 2024)
thomasvitale
1
160

Featured

See All Featured
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
Building Effective Engineering Teams - LeadDev
addyosmani
28
1.8k
Automating Front-end Workflow
addyosmani
1356
200k
Writing Fast Ruby
sferik
621
60k
The Brand Is Dead. Long Live the Brand.
mthomps
49
28k
Designing with Data
zakiwarfel
96
4.8k
The Language of Interfaces
destraynor
151
23k
Statistics for Hackers
jakevdp
789
220k
RailsConf 2023
tenderlove
4
540
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
17
1.4k
Building an army of robots
kneath
300
41k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
241
1.2M

Transcript

  1. Memcached amplification Artyom Gavrichenkov <[email protected]>

  2. 2 300 Mbps 30 Gbps Typical amplification attack A vulnerable

    server • Most servers on the Internet send more data to a client than they receive • UDP-based servers generally do not verify the source IP address • This allows for amplification DDoS

  3. • NTP • DNS • SNMP • SSDP • ICMP

    • NetBIOS 3 • RIPv1 • PORTMAP • CHARGEN • QOTD • Quake • … Vulnerable protocols

  4. Vulnerable servers

  5. Amplification factor 0 200 400 600 NTP CharGEN QotD RIPv1

    Quake LDAP SSDP

  6. memcached •A fast in-memory cache •Heavily used in Web development

  7. memcached •A fast in-memory cache •Heavily used in Web development

    •Listens on all interfaces, port 11211, by default

  8. memcached •Basic ASCII protocol doesn’t do authentication •2014, Blackhat USA:

    “An attacker can inject arbitrary data into memory”

  9. memcached •Basic ASCII protocol doesn’t do authentication •2014, Blackhat USA:

    “An attacker can inject arbitrary data into memory” •2017, Power of Community: “An attacker can send data from memory to a third party via spoofing victim’s IP address”

  10. import memcache m = memcache.Client([ ‘reflector.example.com:11211’ ]) m.set(’a’, value) –

    to inject a value of an arbitrary size under key “a”

  11. print ’\0\x01\0\0\0\x01\0\0gets a\r\n’ – to retrieve a value

  12. print ’\0\x01\0\0\0\x01\0\0gets a a a a a\r\n’ – to retrieve

    a value 5 times

  13. print ’\0\x01\0\0\0\x01\0\0gets a a a a a\r\n’ – to retrieve

    a value 5 times. Or 10 times. Or a hundred.

  14. memcached •Theoretical amplification factor is millions

  15. memcached •Theoretical amplification factor is billions •Fortunately, all the packets

    aren’t sent at once •In practice, the amplification factor is 9000-10000 •Still 20 times the NTP Amplification does. •Current incidents range between 200 and 500 Gbps •Up to 1,5 Tbps can be expected

  16. Mitigation •Again, BCP 38. •Make sure you don’t have open

    memcached port 11211/udp on your network •Use firewalls or FlowSpec to filter 11211/udp

  17. Mitigation •Again, BCP 38. •Make sure you don’t have open

    memcached port 11211/udp on your network •Use firewalls or FlowSpec to filter 11211/udp •More news as events warrant

  18. Q&A mailto: Artyom Gavrichenkov <[email protected]> https://medium.com/@qratorlabs/