Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Memcached Amplification DDoS: A 2018 Threat (AP...

Artyom "Töma" Gavrichenkov
February 28, 2018
Technology
0
23

Memcached Amplification DDoS: A 2018 Threat (APRICOT 2018)

In November 2017, researchers have found a new class of amplification DDoS attacks: memcached amplification. At the end of February 2018 those attacks are in the wild, with a bandwidth already close to 0,5 Gbps.

This lightning talk is a short analysis of the threat structure, consequences and possible ways to mitigate the threat.

Artyom "Töma" Gavrichenkov

February 28, 2018
Tweet

More Decks by Artyom "Töma" Gavrichenkov

See All by Artyom "Töma" Gavrichenkov
[EE DNS Forum 2018] DDoS on DNS: past, present and inevitable
ximaera
0
53
Wrong, wrong, WRONG! methods of DDoS mitigation
ximaera
0
340
DDoS Beasts and How to Fight Them (Nginx Conf 2018)
ximaera
0
190
DDoS tutorial (China ISC 360)
ximaera
0
210
[RU] “I, Not Robot". A design of the contemporary CAPTCHA challenges and the future of the Turing test
ximaera
0
110
DDoS 101 (2018, PaymentSecurity RU 2018)
ximaera
0
32
Memcached Amplification: Lessons Learned (NANOG 73)
ximaera
0
170
DDoS Beasts and How to Fight Them
ximaera
0
48
Memcached Amplification DDoS: Lessons Learned (ENOG 15)
ximaera
0
45

Other Decks in Technology

See All in Technology
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
28
13k
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
880
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
520
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
130
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.7k
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
iOSチームとAndroidチームでブランチ運用が違ったので整理してます
sansantech
PRO
0
150
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
900
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
4
1.4k
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
2
330
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250

Featured

See All Featured
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.3k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
Designing for Performance
lara
604
68k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Visualization
eitanlees
145
15k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Art, The Web, and Tiny UX
lynnandtonic
297
20k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k
Building an army of robots
kneath
302
43k

Transcript

  1. Memcached amplification Artyom Gavrichenkov <[email protected]>

  2. 2 300 Mbps 30 Gbps Typical amplification attack A vulnerable

    server • Most servers on the Internet send more data to a client than they receive • UDP-based servers generally do not verify the source IP address • This allows for amplification DDoS

  3. • NTP • DNS • SNMP • SSDP • ICMP

    • NetBIOS 3 • RIPv1 • PORTMAP • CHARGEN • QOTD • Quake • … Vulnerable protocols

  4. Vulnerable servers

  5. Amplification factor 0 200 400 600 NTP CharGEN QotD RIPv1

    Quake LDAP SSDP

  6. memcached •A fast in-memory cache •Heavily used in Web development

  7. memcached •A fast in-memory cache •Heavily used in Web development

    •Listens on all interfaces, port 11211, by default

  8. memcached •Basic ASCII protocol doesn’t do authentication •2014, Blackhat USA:

    “An attacker can inject arbitrary data into memory”

  9. memcached •Basic ASCII protocol doesn’t do authentication •2014, Blackhat USA:

    “An attacker can inject arbitrary data into memory” •2017, Power of Community: “An attacker can send data from memory to a third party via spoofing victim’s IP address”

  10. import memcache m = memcache.Client([ ‘reflector.example.com:11211’ ]) m.set(’a’, value) –

    to inject a value of an arbitrary size under key “a”

  11. print ’\0\x01\0\0\0\x01\0\0gets a\r\n’ – to retrieve a value

  12. print ’\0\x01\0\0\0\x01\0\0gets a a a a a\r\n’ – to retrieve

    a value 5 times

  13. print ’\0\x01\0\0\0\x01\0\0gets a a a a a\r\n’ – to retrieve

    a value 5 times. Or 10 times. Or a hundred.

  14. memcached •Theoretical amplification factor is millions

  15. memcached •Theoretical amplification factor is billions •Fortunately, all the packets

    aren’t sent at once •In practice, the amplification factor is 9000-10000 •Still 20 times the NTP Amplification does. •Current incidents range between 200 and 500 Gbps •Up to 1,5 Tbps can be expected

  16. Mitigation •Again, BCP 38. •Make sure you don’t have open

    memcached port 11211/udp on your network •Use firewalls or FlowSpec to filter 11211/udp

  17. Mitigation •Again, BCP 38. •Make sure you don’t have open

    memcached port 11211/udp on your network •Use firewalls or FlowSpec to filter 11211/udp •More news as events warrant

  18. Q&A mailto: Artyom Gavrichenkov <[email protected]> https://medium.com/@qratorlabs/