Memcached Amplification DDoS: A 2018 Threat (APRICOT 2018)

In November 2017, researchers found a new class of amplification DDoS attack: memcached amplification. At the end of February 2018, those attacks are in the wild, with bandwidth already close to 0.5 Gbps.

This lightning talk is a short analysis of the threat's structure, its consequences, and possible ways to mitigate it.

Artyom "Töma" Gavrichenkov

February 28, 2018

Transcript

  1. Memcached amplification
    Artyom Gavrichenkov

  2. Typical amplification attack
    [Diagram: 300 Mbps of requests into a vulnerable server, 30 Gbps of responses out]
    • Most servers on the Internet send more data to a client than they receive
    • UDP-based servers generally do not verify the source IP address
    • This allows for amplification DDoS

  3. Vulnerable protocols
    • NTP
    • DNS
    • SNMP
    • SSDP
    • ICMP
    • NetBIOS
    • RIPv1
    • PORTMAP
    • CHARGEN
    • QOTD
    • Quake
    • …

  4. Vulnerable servers

  5. Amplification factor
    [Bar chart, y-axis 0 to 600: amplification factor per protocol for NTP, CharGEN, QotD, RIPv1, Quake, LDAP, SSDP]

  6. memcached
    • A fast in-memory cache
    • Heavily used in Web development

  7. memcached
    • A fast in-memory cache
    • Heavily used in Web development
    • Listens on all interfaces, port 11211, by default

  8. memcached
    • Basic ASCII protocol doesn't do authentication
    • 2014, Blackhat USA:
      "An attacker can inject arbitrary data into memory"

  9. memcached
    • Basic ASCII protocol doesn't do authentication
    • 2014, Blackhat USA:
      "An attacker can inject arbitrary data into memory"
    • 2017, Power of Community:
      "An attacker can send data from memory to a third party via spoofing victim's IP address"

  10. import memcache
    m = memcache.Client([
        'reflector.example.com:11211'
    ])
    m.set('a', value)
    – to inject a value of an arbitrary size under key "a"

  11. print('\0\x01\0\0\0\x01\0\0gets a\r\n')
    – to retrieve a value

  12. print('\0\x01\0\0\0\x01\0\0gets a a a a a\r\n')
    – to retrieve a value 5 times

  13. print('\0\x01\0\0\0\x01\0\0gets a a a a a\r\n')
    – to retrieve a value 5 times.
    Or 10 times.
    Or a hundred.
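Added example, not from the slides: a defender-side classifier for memcached UDP datagrams of the kind shown on slides 10 to 13. It unpacks the 8-byte frame header the slide's payload starts with (request ID, sequence number, datagram count, reserved field) and flags get/gets requests that repeat a key or ask for more than a threshold of keys, which is the shape the amplification request above takes. The sample datagrams are constructed, and the `max_keys` threshold is an assumption to tune per deployment.

```python
import struct
from dataclasses import dataclass

# memcached UDP frame header, 8 bytes, network byte order:
#   request ID | sequence number | total datagrams | reserved (0)
# The slide's payload starts with \0\x01 \0\0 \0\x01 \0\0 = id 1, seq 0, total 1, reserved 0.
HEADER = struct.Struct("!HHHH")


@dataclass
class Finding:
    request_id: int
    command: str
    key_count: int
    distinct_keys: int
    verdict: str  # "benign" or "amplification-shaped"


def parse_datagram(payload: bytes):
    """Split a memcached UDP datagram into ((id, seq, total), first ASCII line)."""
    if len(payload) < HEADER.size:
        raise ValueError("datagram shorter than the 8-byte memcached UDP header")
    req_id, seq, total, reserved = HEADER.unpack_from(payload)
    if reserved != 0:
        raise ValueError("reserved header field must be zero")
    body = payload[HEADER.size:]
    # Retrieval commands are one line; anything after the first CRLF is ignored here.
    line = body.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    return (req_id, seq, total), line


def classify(payload: bytes, max_keys: int = 3) -> Finding:
    """Flag get/gets requests that repeat a key or ask for more than `max_keys`
    keys: a real client has no reason to fetch the same key twice in one request,
    and every repetition returns another copy of the stored value.
    `max_keys` is an assumed threshold; tune it to the application's traffic."""
    (req_id, _seq, _total), line = parse_datagram(payload)
    parts = line.split()
    if not parts:
        return Finding(req_id, "", 0, 0, "benign")
    cmd, keys = parts[0].lower(), parts[1:]
    distinct = len(set(keys))
    verdict = "benign"
    if cmd in ("get", "gets") and (distinct < len(keys) or len(keys) > max_keys):
        verdict = "amplification-shaped"
    return Finding(req_id, cmd, len(keys), distinct, verdict)


# Constructed sample datagrams, not captured traffic.
SAMPLES = [
    HEADER.pack(1, 0, 1, 0) + b"gets a\r\n",           # the slide's single lookup
    HEADER.pack(1, 0, 1, 0) + b"gets a a a a a\r\n",   # the slide's 5x repeat
    HEADER.pack(2, 0, 1, 0) + b"get session:42\r\n",   # ordinary application traffic
    HEADER.pack(3, 0, 1, 0) + b"stats\r\n",            # not a retrieval command
]


def scan(datagrams):
    """Classify every datagram; the caller decides what to do with flagged ones."""
    return [classify(d) for d in datagrams]


if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f"req={f.request_id} cmd={f.command!r} keys={f.key_count} "
              f"distinct={f.distinct_keys} -> {f.verdict}")
```

Feed `classify()` the UDP payloads your capture tool hands you (the bytes after the UDP header); the repeated-key test catches the slide's payload at any count, and the `max_keys` threshold catches the variant that lists many distinct keys instead.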

  14. memcached
    • Theoretical amplification factor is millions

  15. memcached
    • Theoretical amplification factor is billions
    • Fortunately, not all the packets are sent at once
    • In practice, the amplification factor is 9000-10000
    • Still 20 times what NTP amplification does
    • Current incidents range between 200 and 500 Gbps
    • Up to 1.5 Tbps can be expected

  16. Mitigation
    • Again, BCP 38.
    • Make sure you don't have memcached's port 11211/udp open on your network
    • Use firewalls or FlowSpec to filter 11211/udp

  17. Mitigation
    • Again, BCP 38.
    • Make sure you don't have memcached's port 11211/udp open on your network
    • Use firewalls or FlowSpec to filter 11211/udp
    • More news as events warrant
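Added example, not from the talk: a host-side audit for the second bullet. It parses `ss -ulnp` output for UDP sockets on 11211 bound to anything but loopback, and reads memcached's startup options to decide whether UDP is enabled at all (`-U 0` turns it off; without `-U`, builds older than 1.5.6 default to UDP on the TCP port, while 1.5.6 and later default to off). The `ss` output and the memcached.conf text are constructed samples; the `version` argument is an assumption you set from `memcached -h` or your package version, and long options such as `--udp-port` are not handled.

```python
import ipaddress
import shlex

# Constructed sample of `ss -ulnp` output; not captured from a real host.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=12))
UNCONN 0      0      0.0.0.0:11211       0.0.0.0:*         users:(("memcached",pid=1337,fd=27))
UNCONN 0      0      [::]:11211          [::]:*            users:(("memcached",pid=1337,fd=28))
"""

# Constructed sample of a Debian-style /etc/memcached.conf: one option per line.
CONF_SAMPLE = """\
# memcached configuration (constructed sample)
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
# binds every interface; -l 127.0.0.1 would keep the cache local
-l 0.0.0.0
"""


def exposed_udp_sockets(ss_output: str, port: int = 11211):
    """Return [(local address, owning process)] for UDP sockets on `port` bound
    to anything other than a loopback address. 0.0.0.0, :: and the old-style
    '*' all mean 'every interface' and therefore count as exposed."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "UNCONN":
            continue
        addr, _, lport = cols[3].rpartition(":")
        if lport != str(port):
            continue
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        try:
            if ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:
            pass  # '*' from older ss versions: a wildcard, keep it
        findings.append((addr, cols[5] if len(cols) > 5 else ""))
    return findings


def options_from_conf(conf_text: str) -> str:
    """Flatten a Debian-style memcached.conf into one option string."""
    opts = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            opts.append(line)
    return " ".join(opts)


def _short_option(argv, flag):
    """Value of a short option written as '-U 0' or '-U0'; None if absent."""
    for i, arg in enumerate(argv):
        if arg == flag and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(flag) and len(arg) > len(flag):
            return arg[len(flag):]
    return None


def udp_port_from_args(memcached_args: str, version=(1, 4, 0)):
    """Port memcached will open for UDP, or None if UDP is off.
    '-U 0' disables it explicitly. Without -U the default depends on the
    release (assumption taken from the memcached 1.5.6 release notes):
    before 1.5.6 UDP follows the TCP port (-p, default 11211); 1.5.6 and
    later leave UDP off."""
    argv = shlex.split(memcached_args)
    udp = _short_option(argv, "-U")
    if udp is not None:
        return int(udp) or None
    if version >= (1, 5, 6):
        return None
    return int(_short_option(argv, "-p") or 11211)


def audit(ss_output: str, memcached_args: str, version=(1, 4, 0)) -> dict:
    """Combine both checks: UDP is a problem only if it is enabled *and* the
    socket table shows it listening somewhere other than loopback."""
    port = udp_port_from_args(memcached_args, version)
    if port is None:
        return {"udp_port": None, "exposed": []}
    return {"udp_port": port, "exposed": exposed_udp_sockets(ss_output, port)}


if __name__ == "__main__":
    print(audit(SS_SAMPLE, options_from_conf(CONF_SAMPLE)))
```

Run `ss -ulnp` on the host and pass its output together with the options from `ps -o args= -C memcached` or the config file; a non-empty `exposed` list means the second bullet fails. The fix is `-U 0` in the options (or `-l 127.0.0.1` if only local clients need the cache), plus the filter from the third bullet, e.g. `iptables -A INPUT -p udp --dport 11211 -j DROP`, so the check still holds after the next package upgrade.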

  18. Q&A
    mailto: Artyom Gavrichenkov
    https://medium.com/@qratorlabs/