-Tom Lidikay



A denial-of-service attack, or DOS, (Not to be confused with the operating system of the same name,) is an attack where the criminal seeks not to break in, but to deny service to others by flooding the target with more traffic/bandwidth than they can handle.

A distributed-denial-of-service attack (DDOS) involves flooding the victim from many different sources, as it can be difficult to come up with the necessary bandwidth and processing power from just one. Traditionally, DDOS attacks have been performed using thousands of malware infected machines or devices, such as the one in 2016 targeting DNS service provider Dyn, which took out many worldwide services for a short period. This attack utilized a Botnet known as Mirai.

A new method of performing these attacks has surfaced, using a common service known as Memcached.

This service is installed by default on many versions of the Linux Operating system, and is primarily designed for caching data on one or more servers to reduce load on databases, in roles such as file servers, index servers, and other types of servers handling large volumes of data.

Because Memcached communicates over the network using UDP (User Datagram Protocol) no authentication is performed for its requests. An attacker can send a spoofed request to these servers with the victims address as its return address, causing the server to respond to the wrong place. It requires a very small request to send out a large amount of data, so this opens up a large avenue for sending massive denial of service attacks with very few resources. Because no Botnet or malware infected machines are required to be setup beforehand, these attacks can be launched with very little preparation time or investment.

Memcached, as a protocol should almost never be setup in such a way that it is open to the internet at large, but there are an estimated 50,000 memcached servers that are.

In the wild, it appears attacks are being launched demanding a ransom be paid for the attack to stop.

According to cyber-security firm Cybereason (credit to Krebs on security for the interview)
attackers are demanding payment of 50 XMR (Monero virtual currency) be paid.

Because Memcached can accept and host files in temporary memory to be requested later, the attackers can use the ransom note as the attack. The ransom note is cached over and over again on the afflicted server until it reaches a size of 1 mb, and then the malformed request is sent, with the victims address pasted in as the return address.

The Fix for this is pretty easy

If your organization runs linux systems, it is fairly easy to check for and mitigate the problem.

Here is an article (from 2016 I should add) on how to secure a memcached server.
If memcached is not required by the system to perform its task, it should be disabled and/or uninstalled.

On a broader note, I have been saying for years that organization firewalls need to be audited, regularly. Ports that are not explicitly required, should be closed by default.

Ensuring the firewall has been properly setup is probably the easiest portion of network engineering.

There are many, many other vectors of attack that could be exploited, but if your firewall is open, you have no one to blame but yourself.