KNOWNHOST WIKI

developmental:memcrashed-what-is-it-memcache

Differences

This shows you the differences between two versions of the page.

developmental:memcrashed-what-is-it-memcache [2020/05/13 13:25]
Karson N. [Installing and Securing Memcached for EasyApache 4 CentOS 7/CPanel Servers: Everything You Need to Know]
developmental:memcrashed-what-is-it-memcache [2020/05/26 14:02] (current)
Karson N.
Line 9: Line 9:
 ===== Memcrashed ===== ===== Memcrashed =====
  
-A critical vulnerability in Memcached was discovered in February of  2018 that allows attackers to launch and execute powerful DDoS amplification attacks. (( https://​nvd.nist.gov/​vuln/​detail/​CVE-2018-1000115 )) This vulnerability has been described as a "new chapter in DDoS attack executions” by Ashley Stephenson, CEO of Corero Network Security. Corero Network Security is the security company that found a '​kill-switch'​ for these attacks. Here is her complete statement:+A critical vulnerability in Memcached was discovered in February of  2018 that allows attackers to launch and execute powerful DDoS amplification attacks. ((https://​nvd.nist.gov/​vuln/​detail/​CVE-2018-1000115))[[https://​nvd.nist.gov/​vuln/​detail/​CVE-2018-1000115|Learn more about other vulnerabilities]] ​This vulnerability has been described as a "new chapter in DDoS attack executions” by Ashley Stephenson, CEO of Corero Network Security. Corero Network Security is the security company that found a '​kill-switch'​ for these attacks. Here is her complete statement:
  
  ​“Memcached represents a new chapter in DDoS attack executions. Previously, the most recent record-breaking attacks were being orchestrated from relatively low bandwidth Internet of Things (IoT) devices. In contrast, these Memcached servers are typically connected to higher bandwidth networks and, as a result of high amplification factors, are delivering data avalanches to crippling effect. Unless operators of Memcached servers take action, these attacks will continue.” <​sub>​%% https://​www.corero.com/​company/​newsroom/​press-releases/​corero-network-security-discovers-memcached-ddos-attack-kill-switch-and-also-reveals-memcached-exploit-can-be-used-to-steal-or-corrupt-data/​ %%</​sub>​  ​“Memcached represents a new chapter in DDoS attack executions. Previously, the most recent record-breaking attacks were being orchestrated from relatively low bandwidth Internet of Things (IoT) devices. In contrast, these Memcached servers are typically connected to higher bandwidth networks and, as a result of high amplification factors, are delivering data avalanches to crippling effect. Unless operators of Memcached servers take action, these attacks will continue.” <​sub>​%% https://​www.corero.com/​company/​newsroom/​press-releases/​corero-network-security-discovers-memcached-ddos-attack-kill-switch-and-also-reveals-memcached-exploit-can-be-used-to-steal-or-corrupt-data/​ %%</​sub>​
  
  
-This vulnerability was dubbed "​Memcrashed"​ by Cloudflare and is responsible for a 1.35 Tbps DDoS that hit Github ​ February 28, 2018, (( https://​githubengineering.com/​ddos-incident-report/​ ))+This vulnerability was dubbed "​Memcrashed"​ by Cloudflare and is responsible for a 1.35 Tbps DDoS that hit Github ​ February 28, 2018,  
 +((https://​githubengineering.com/​ddos-incident-report/​)) 
 +[[https://​githubengineering.com/​ddos-incident-report/​|February 28th DDoS Incident Report]]
  
 +A few different PoC exploit codes have been released, one of which utilizes the Shodan search engine API to obtain a fresh list of vulnerable Memcached servers each time. The Shodan engines show 29,411 servers still unpatched as of June 16th, 2018.  ​
  
-A few different PoC exploit codes have been released, one of which utilizes the Shodan search engine API to obtain a fresh list of vulnerable Memcached servers each time. The Shodan engines show 29,411 servers still unpatched as of June 16th, 2018.  ​(( https://​thehackernews.com/​2018/​03/​memcached-ddos-exploit-code.html ))  (( https://​www.shodan.io/​search?​query=11211 ))  (( https://​github.com/​649/​Memcrashed-DDoS-Exploit ))+(( https://​thehackernews.com/​2018/​03/​memcached-ddos-exploit-code.html )) 
 +[[https://​thehackernews.com/​2018/​03/​memcached-ddos-exploit-code.html|Memcached DDoS Exploit Code and List of 17,000 Vulnerable Servers Released]] 
 + 
 +(( https://​www.shodan.io/​search?​query=11211 )) 
 +[[https://​www.shodan.io/​search?​query=11211|Shodan Search]] 
 + 
 +(( https://​github.com/​649/​Memcrashed-DDoS-Exploit )) 
 +[[https://​github.com/​649/​Memcrashed-DDoS-Exploit|MEMCRASHED DDOS EXPLOIT TOOL(GitHub)]]
  
 We've done a great job taking care of this threat overall as a community, but there is still work to be done. Many reports were previously reporting approximately 95,000 to 100,000 vulnerable servers. ​ We must remain proactive in identifying these servers and securing them!  We've done a great job taking care of this threat overall as a community, but there is still work to be done. Many reports were previously reporting approximately 95,000 to 100,000 vulnerable servers. ​ We must remain proactive in identifying these servers and securing them! 
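Review bot: the new link label "Learn more about other vulnerabilities" in the first changed line misdescribes its target; the URL is the NVD entry for the single CVE-2018-1000115, so label it as such (e.g. "NVD entry for CVE-2018-1000115") rather than implying a list of other vulnerabilities. The same hunk also leaves the GitHub sentence hanging on a trailing comma ("February 28, 2018, ") once the footnote was moved onto its own line; end it with a period. Each added `[[url|label]]` link repeats the URL already carried by the `((url))` footnote immediately above it, so the reference is rendered twice; keep one form per citation. Finally, the Shodan link is a bare `query=11211` search, which returns every indexed host with port 11211 open regardless of version or UDP exposure, so "29,411 servers still unpatched" should be softened to "servers with port 11211 exposed" or the count attributed to the Hacker News article instead.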
Line 26: Line 36:
 Why is this type of attack such a big deal? Because of the immense bandwidth amplification factor, or BAF, which is the potential effect of an amplification attack. A BAF can be calculated as the number of UDP payload bytes that an amplifier sends to answer a request, compared to the number of UDP payload bytes of the request. Why is this type of attack such a big deal? Because of the immense bandwidth amplification factor, or BAF, which is the potential effect of an amplification attack. A BAF can be calculated as the number of UDP payload bytes that an amplifier sends to answer a request, compared to the number of UDP payload bytes of the request.
  
-"15 bytes of request triggered 134KB of response. This is an amplification factor of 10,000x! In practice we've seen a 15-byte request result in a 750kB response (that'​s a 51,200x amplification),"​ Cloudflare says. (( https://​blog.cloudflare.com/​memcrashed-major-amplification-attacks-from-port-11211/​ ))+"15 bytes of request triggered 134KB of response. This is an amplification factor of 10,000x! In practice we've seen a 15-byte request result in a 750kB response (that'​s a 51,200x amplification),"​ Cloudflare says.  
 +(( https://​blog.cloudflare.com/​memcrashed-major-amplification-attacks-from-port-11211/​ )) 
 +[[https://​blog.cloudflare.com/​memcrashed-major-amplification-attacks-from-port-11211/​|Memcrashed - Major amplification attacks from UDP port 11211]]
  
 Some other popularly known DDoS amplification attack vectors include poorly secured DNS resolution servers and network time protocol, or NTP. Looking at these and a few others below, you will see each listed with its corresponding BAF: Some other popularly known DDoS amplification attack vectors include poorly secured DNS resolution servers and network time protocol, or NTP. Looking at these and a few others below, you will see each listed with its corresponding BAF:
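Review bot: the BAF definition in the unchanged first line would be clearer as an explicit ratio, response UDP payload bytes divided by request UDP payload bytes, because that lets a reader check the quoted figures: 134 KB / 15 B is roughly 9,000x, consistent with Cloudflare's "10,000x" rounding, and 750 kB read as 750 x 1024 = 768,000 bytes gives 768,000 / 15 = 51,200, exactly the quoted amplification. Stating the ratio also makes the "compared to" wording unambiguous about which side is the numerator.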
Line 38: Line 50:
 |  Memcached ​ |  51,​000 ​ | |  Memcached ​ |  51,​000 ​ |
  
-These numbers make it incredibly easy to understand why Memcrashed is worrisome and potentially devastating for those that have not secured against it. ((https://​christian-rossow.de/​articles/​Amplification_DDoS.php )) (( https://​www.us-cert.gov/​ncas/​alerts/​TA14-017A ))+These numbers make it incredibly easy to understand why Memcrashed is worrisome and potentially devastating for those that have not secured against it.  
 + 
 +((https://​christian-rossow.de/​articles/​Amplification_DDoS.php)) 
 +[[https://​christian-rossow.de/​articles/​Amplification_DDoS.php|Article]] 
 + 
 +((https://​www.us-cert.gov/​ncas/​alerts/​TA14-017A)) 
 +[[https://​www.us-cert.gov/​ncas/​alerts/​TA14-017A|Government Alert (TA14-017A)]]
  
 \\ \\
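Review bot: the table row gives Memcached a BAF of 51,000 while the Cloudflare quote in the previous section says 51,200x; use one figure or mark the table value as rounded so the two sections do not appear to disagree. The added link labels "Article" and "Government Alert (TA14-017A)" are too vague to tell the reader what is being cited; name them after their targets, e.g. "Christian Rossow, Amplification DDoS" and "US-CERT Alert TA14-017A: UDP-Based Amplification Attacks".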
Line 44: Line 62:
 ===== Memcrashed "​Kill-Switch"​ and Data Theft and/or Corruption ===== ===== Memcrashed "​Kill-Switch"​ and Data Theft and/or Corruption =====
  
-While Corero Network Security, a DDoS & Network Security Solutions provider, was investigating this issue, they discovered a '​kill-switch'​ that they claim has been tested on live attack servers and has been 100% effective. ​ The memcached "​flush_all"​ command will invalidate the cache. If memcached is reloaded before the vulnerability patch is applied, then the "​kill-switch'​ will be necessary again. The command should be sent to the originating attack servers, ​ with a single '​flush_all'​ command issued to each attacker. (( https://​www.corero.com/​resources/​ddos-attack-types/​memcached-attack.html +While Corero Network Security, a DDoS & Network Security Solutions provider, was investigating this issue, they discovered a '​kill-switch'​ that they claim has been tested on live attack servers and has been 100% effective. ​ The memcached "​flush_all"​ command will invalidate the cache. If memcached is reloaded before the vulnerability patch is applied, then the "​kill-switch'​ will be necessary again. The command should be sent to the originating attack servers, ​ with a single '​flush_all'​ command issued to each attacker. 
- ))+ 
 +((https://​www.corero.com/​resources/​ddos-attack-types/​memcached-attack.html)) 
 +[[https://​www.corero.com/​resources/​ddos-attack-types/​memcached-attack.html|What is a Memcached Attack?]]
  
 Unfortunately,​ while discovering the '​kill-switch',​ the team at Corero also found that this vulnerability is even worse than previously thought. This is mainly due to the way UDP and memcached functions. ​ Unfortunately,​ while discovering the '​kill-switch',​ the team at Corero also found that this vulnerability is even worse than previously thought. This is mainly due to the way UDP and memcached functions. ​
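Review bot: the kill-switch paragraph should say plainly that `flush_all` is a temporary mitigation, not a fix: per the hunk itself it only invalidates the cached data that feeds the amplification and must be repeated after any reload, so the exposed UDP service remains until the update or configuration change in the "What Can I Do?" section is applied, and that section is what operators of their own servers should act on. Two small fixes in the same lines: the mismatched quotes in `"kill-switch'` should be `'kill-switch'`, and "the way UDP and memcached functions" should read "function".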
Line 72: Line 92:
 ===== What Can I Do?  ===== ===== What Can I Do?  =====
  
-Memcached developers have patched this (( https://​github.com/​memcached/​memcached/​wiki/​ReleaseNotes156 +Memcached developers have patched this ((https://​github.com/​memcached/​memcached/​wiki/​ReleaseNotes156)) ​[[https://​github.com/​memcached/​memcached/​wiki/​ReleaseNotes156|memcached patch notes]], but if you are running a version of Memcached older than version 1.5.6, you //must// either update or apply the required configuration changes yourself.
- )), but if you are running a version of Memcached older than version 1.5.6, you //must// either update or apply the required configuration changes yourself.+
  
 If you are concerned about your Memcached installation,​ please don't hesitate to open a ticket with Knownhost support so we can check the version and patch/​upgrade if necessary. ​ If you are concerned about your Memcached installation,​ please don't hesitate to open a ticket with Knownhost support so we can check the version and patch/​upgrade if necessary. ​
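Review bot: "apply the required configuration changes yourself" names no change, so a reader on an older version cannot act on it; either list the configuration change here or link to the later section of this page that shows the secured running process (the screenshot at Line 130), and make explicit that 1.5.6 is the first release containing the fix so "older than version 1.5.6" is the exact cutoff. The added label "memcached patch notes" could also name the release ("memcached 1.5.6 release notes") so it matches the version stated in the sentence.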
Line 130: Line 149:
 {{:​developmental:​current-running-process-shows-as-secured.png?​nolink&​1200|}} {{:​developmental:​current-running-process-shows-as-secured.png?​nolink&​1200|}}
  
-TCP is not currently considered a high-risk Memcached amplification vector because TCP queries are far less vulnerable to spoofing than UDP queries due the fact that you would also need to spoof TCP header fields relating to the state of the connection. Sending a spoofed TCP packet requires the attacker to guess the sequence number, which cannot be done reliably. (( http://​seclists.org/​basics/​2007/​Jul/​59 ))+TCP is not currently considered a high-risk Memcached amplification vector because TCP queries are far less vulnerable to spoofing than UDP queries due the fact that you would also need to spoof TCP header fields relating to the state of the connection. Sending a spoofed TCP packet requires the attacker to guess the sequence number, which cannot be done reliably. ​ 
 + 
 +(( http://​seclists.org/​basics/​2007/​Jul/​59 )) 
 +[[http://​seclists.org/​basics/​2007/​Jul/​59|Why TCP is more secure than UDP?]]
  
 \\ \\
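Review bot: "due the fact" should read "due to the fact" in the first line of this hunk. The reasoning is sound for reflection (a spoofed TCP source cannot complete the handshake without the server's sequence number, so the response never reaches the victim), but "not currently considered a high-risk amplification vector" should not be read as TCP being safe to expose: an open TCP port still reaches the cache directly, which is the data theft and corruption risk named in the section heading above, so the recommendation to restrict access applies to TCP as well.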
Line 208: Line 230:
 ===== cPanel and Memcached ===== ===== cPanel and Memcached =====
  
-Note that cPanel has memcached and memcache RPMs in their experimental EasyApache 4 repos at this time.  (( https://​features.cpanel.net/​topic/​memcached-in-easyapache4 )) These are not yet secured via SASL authentication,​ but the statement in their Feature Request seems to indicate that they plan to use SASL to secure Memcached. You may want to watch for these to be moved into the stable repo so that you can replace your Memcached installation with a cPanel-supported installation when that time comes. Until then, make sure to either use a later version of Memcached, or to open a ticket with Knownhost so that we can secure it for you. +Note that cPanel has memcached and memcache RPMs in their experimental EasyApache 4 repos at this time.  ((https://​features.cpanel.net/​topic/​memcached-in-easyapache4))[[https://​features.cpanel.net/​topic/​memcached-in-easyapache4|cPanel preview]]. ​These are not yet secured via SASL authentication,​ but the statement in their Feature Request seems to indicate that they plan to use SASL to secure Memcached. You may want to watch for these to be moved into the stable repo so that you can replace your Memcached installation with a cPanel-supported installation when that time comes. Until then, make sure to either use a later version of Memcached, or to open a ticket with Knownhost so that we can secure it for you. 
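Review bot: the added link text "cPanel preview" does not describe its target, which is the cPanel feature request for Memcached in EasyApache 4; label it as "cPanel feature request: Memcached in EasyApache 4". The same line now has a stray period directly after the `]]` followed by "These", leaving the sentence fragment "... at this time. ((...))[[...]]. These ..."; drop the extra period or put the link inside the sentence. "Use a later version of Memcached" should say later than 1.5.6, the cutoff given in the "What Can I Do?" section, so the two sections agree.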
  
developmental/memcrashed-what-is-it-memcache.1589394328.txt.gz · Last modified: 2020/05/13 13:25 by Karson N.