Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Multi-Terabit DDoS Era - Memcached

Published byΓαλήνη Παπαγεωργίου Modified over 6 years ago

Similar presentations

Presentation on theme: "The Multi-Terabit DDoS Era - Memcached"— Presentation transcript:

1 The Multi-Terabit DDoS Era - Memcached
Sean Newman Director Product Management

2 DDoS Still on the increase…
500 Gbps Hong Kong attack France swarmed after terror attack PlayStation & Xbox hit at Christmas Mirai Botnet OVH / Krebs / DYN 600 Gbps -> 1Tbps Memcached GitHub Tbps Anon hits Church of Scientology Spamhaus attack: Reported to reach 310 Gbps Rio Olympics 540 Gbps Spammers discover botnets Reaper Botnet 2M Devices First Hacktivists: Zapatista National Liberation Army ProtonMail attack Estonia: Parliament, banks, media, Estonia Reform Party Coordinated US bank attacks: Grew to 200 Gbps, and continue today DoS for Notoriety 1993 2005 2007 2009 2011 2013 2015 2016 2017 2018

3 Increasingly Sophisticated IoT Exploits
Mirai – Basic password brute-force Pre-populated default user/password pairs Reaper – Authentication bypass vulnerability Empty user and password parameters in URI Satori/BrickerBot – Huawei Router Vuln (CVE-2017–17215) Zero-day vulnerability posted openly on Pastebin Injection of commands within a “firmware update” Result: Undetected malicious code installed on the device IoTroop, etc… – Ongoing IoT Challenge Low performance devices running lightweight code Cheap devices, with focus on function, not secure code

4 New Attack Vector – Memcached
General Purpose distributed memory caching system Often used to speed up database-driven websites Default …/etc/sysconfig/ enables service for all to use Service on TCP, and crucially UDP, port 11211 Designed for speed, so access does not require authentication Standard component of common Linux distributions Centos, Ubuntu, etc… Including most instances hosted in public clouds UDP Memcached on the Internet enables reflection attacks This reflection vulnerability has been around for >10 years

5 WhiteHat PoC Raised Awareness
2Tb/s Exploit demonstrated at Power of Community 2017 Appealing to attackers for scale of amplification possible… Within a quarter, we started to see the first DDoS attacks

6 GitHub Attacked using Memcached
Wednesday 28th February, 2018 – 1.35Tb/s GitHub attack! Offline for 10 minutes, whilst Akamai figures out mitigation Within hours Corero customers were being targeted Four days later, Arbor Networks claimed new largest attack 1.7Tbps attack against unnamed Arbor customer

7 Memcached Attack – Explained
Open memcached port enables simple telnet access stats items command enables simple lookup of memcached ‘slab’ usage Typically 42 ‘slabs’ available, #42 is 10GB in 1MB entries Each entry can be filled with data, by any user, and given associated ‘key’ In this case, fetching, with a get, reveals interesting payload Entry is filled to within a few bytes of 1MB maximum

8 Weaponising Memcached - Searching
1. Attacker Scans Internet on UDP 11211 2. Builds list of responding IPs IP IP …. IP n.n.n.n @ ~100Mb/s each ~10k needed for 1Tb/s UDP (stats) UDP (stats) UDP (stats) (reply) (reply) (reply) Vulnerable memcached Servers

9 Weaponising Memcached - Staging
3. Attacker Pre-loads cache payload and associated key ~ 1MB to key (a) Loading thousands of servers is non-trivial exercise Likely takes 10s of minutes UDP (set a) UDP (set a) UDP (set a) 1MB data (a) 1MB data (a) 1MB data (a) Vulnerable memcached Servers

10 Weaponising Memcached - Activating
4. Attacker Sends “get a…” to each server on the list small message with source spoofed to be that of victim From 100Mbit link attacker can enable 10k servers in a single second UDP (get a a a …) UDP (get a a a …) UDP (get a a a…) 1MB data (a) 1MB data (a) 1MB data (a) Vulnerable memcached Servers 1MB data (a) from n servers at ~100Mbit/s

11 Weaponising Memcached - Activating
4. Attacker Sends “get a…” to each server on the list small message with source spoofed to be that of victim From 100Mbit link attacker can enable 10k servers in a single second UDP (get a a a …) UDP (get a a a …) UDP (get a a a…) 1MB data (a) 1MB data (a) 1MB data (a) Vulnerable memcached Servers 1MB data (a) from n servers at ~100Mbit/s 10,000x amplification = Terabits per second

12 Neutralising Memcached
RELOAD memcached (attack payloads) ~ 1MB to key (a) UDP (set a) UDP (set a) UDP (set a) 1MB data (a) 1MB data (a) 1MB data (a) vulnerable memcached servers COUNTERMEASURE Respond with UDP (flush_all) to each attacking server UDP (flush_all) COUNTERMEASURE is 10,000 times more efficient than attacker’s reload – reverse of amplification

13 Neutralising Memcached
Memcached’s flush_all command instantly clears all cache entries Provides ability to rapidly diminish sustained attacks No data is destroyed, but, need to be aware of any legal implications Countermeasure can begin immediately with no collateral damage Packet rate is minimal (reverse of amplification) Automated countermeasure generation is trivial… netcat python -c "print '\0\x01\0\0\0\x01\0\0flush_all\r\n'" | nc -nvvu xxx.xxx.xxx.xxx > /tmp/null /dev/udp echo -ne '\0\x01\0\0\0\x01\0\0flush_all\r\n' > /dev/udp/xxx.xxx.xxx.xxx/11211 Where xxx.xxx.xxx.xxx is the source IP of an attacking memcached Once amplification is destroyed memcache is useless for DDoS

14 Public Memcached Servers in Decline
April 2018 Oct 2017 Number of vulnerable servers is diminishing due to publicity of exploit

15 Memcached Vulnerability Fixed?
Memcached authors release latest version with UDP disabled by default

16 Summary DDoS as a whole still on the Increase
Attack Methods/Vectors more Sophisticated No surprise that new vectors such as memcached emerge Traditional Protection is not effective enough Typically too slow to react to avoid damage Service and Hosting Provider Reputation is at Risk Many organisation still believe their provider protects them Deploying Modern DDoS Protection is an Opportunity Removes all DDoS Traffic from your infrastructure Differentiates you from your competitors Can enable incremental revenue stream by selling on as a service

17 Questions?

18 Thank You!

Download ppt "The Multi-Terabit DDoS Era - Memcached"

Similar presentations

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.

1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
AIS, 20141 Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
APT29 HAMMERTOSS Jayakrishnan M.

APT29 HAMMERTOSS Jayakrishnan M.
Being an Intermediary for Another Attack Prepared By : Muhammad Majali Supervised By : Dr. Lo’ai Tawalbeh New York Institute of Technology (winter 2007)

Being an Intermediary for Another Attack Prepared By : Muhammad Majali Supervised By : Dr. Lo’ai Tawalbeh New York Institute of Technology (winter 2007)
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.

COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
--Harish Reddy Vemula Distributed Denial of Service.

--Harish Reddy Vemula Distributed Denial of Service.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.

1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
Distributed Denial of Service Attacks Shankar Saxena Veer Vivek Kaushik.

Distributed Denial of Service Attacks Shankar Saxena Veer Vivek Kaushik.
1 Figure 4-1: Targeted System Penetration (Break-In Attacks) Host Scanning  Ping often is blocked by firewalls  Send TCP SYN/ACK to generate RST segments.

1 Figure 4-1: Targeted System Penetration (Break-In Attacks) Host Scanning  Ping often is blocked by firewalls  Send TCP SYN/ACK to generate RST segments.
Denial of Service Sharmistha Roy Adversarial challenges in Web Based Services.

Denial of Service Sharmistha Roy Adversarial challenges in Web Based Services.

Similar presentations

Ads by Google