Researchers at DDoS protection firm Corero Network Security have released a post stating that the memcached amplification attacks that hit GitHub and other networks over the last week with the largest ever DDoS attacks can be disarmed with a practical “kill switch”.
Corero says its kill switch issues a “flush all” command to the attacking server, which overpowers the flood of traffic by nullifying a vulnerable memcached server’s cache, including the large, possibly malicious payload planted there by attackers. Corero says they have tested the countermeasure quench packet and it “appears to be 100% effective”, and does not appear to lead to any collateral damage. The security firm has disclosed the countermeasure to national security agencies for immediate action.
According to various sources, there are up to 100,000 exposed memcached servers despite repeated warnings from the memcached developer community and large IT vendors about the security risks. Memcached servers were never designed to be exposed to the Internet, because they require no authentication. Default configurations for some of the largest operating systems and cloud computing services actually leave memcached, and the customer data it holds, permanently reachable from the Internet.
An urgent fix is necessary. The attacks began in late February, and security firms warn that they are likely to continue and grow in size while the vulnerable memcached servers remain exposed to the public Internet.
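As an added example (not Corero's tool and not code from the article), the following Python builds the memcached UDP framing and uses a harmless `version` request to check whether one of your own instances answers over UDP from outside; the host name and port passed to the probe are assumptions, and the reply shown in the comments is constructed.

```python
import socket
import struct

# memcached UDP frame: an 8-byte header (request id, sequence number,
# total datagrams, reserved) followed by the ordinary text-protocol command.
# The same header precedes every response datagram.
HEADER = struct.Struct("!HHHH")


def build_udp_frame(command: str, request_id: int = 1) -> bytes:
    """Wrap a text-protocol command in a single-datagram memcached UDP frame."""
    return HEADER.pack(request_id, 0, 1, 0) + command.encode("ascii") + b"\r\n"


def parse_udp_frame(datagram: bytes):
    """Split a memcached UDP datagram into (request_id, seq, total, payload)."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the memcached UDP header")
    request_id, seq, total, _reserved = HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[HEADER.size:]


def is_udp_exposed(host: str, port: int = 11211, timeout: float = 2.0) -> bool:
    """Return True if `host` answers a 'version' request over UDP.

    Run this against your own servers from an external vantage point. A reply
    means the instance can be abused for amplification and should be restarted
    with UDP disabled (memcached -U 0) and bound to a private interface
    (-l 127.0.0.1 or the internal address), with port 11211 filtered at the edge.
    """
    frame = build_udp_frame("version")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(frame, (host, port))
            data, _ = sock.recvfrom(1500)
        except (socket.timeout, OSError):
            # No answer (or ICMP unreachable): UDP is closed or filtered.
            return False
    request_id, _seq, _total, payload = parse_udp_frame(data)
    # A constructed reply would look like b"\x00\x01\x00\x00\x00\x01\x00\x00VERSION 1.5.6\r\n".
    return request_id == 1 and payload.startswith(b"VERSION")


if __name__ == "__main__":
    # "cache-01.example.internal" is an assumed host name, not one from the article.
    print("UDP exposed:", is_udp_exposed("cache-01.example.internal"))
```

Because every UDP request is unauthenticated and the reply can be far larger than the request, a True result is the same condition that lets a spoofed source be flooded.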
Corero researchers found that any exposed Memcached server that can be leveraged for a DDoS attack can also be fooled into sharing user data it has cached from a local network or host. Anything added to a vulnerable server can be stolen because of the lack of checks. Attackers can also alter data and reinsert it in the cache without knowledge of the owner.
Ashley Stephenson, CEO at Corero, says: “While this blatant lapse of security is relatively clear to the accomplished security practitioner or hacker, it is not known to the increasingly business-oriented, non-technical user who is clicking a button to set up a new server in the cloud. There are dozens of US-CERT CVE and obscure security warnings related to Memcached but few of them address the clearly obvious issue of leaving the front door open on the internet for anyone to come in and take your data.”