Researchers from Corero Network Security have discovered a practical ‘kill switch’ that will be able to mitigate the Memcached vulnerability, recently used in causing the record breaking DDoS attacks. They have disclosed the existence of this switch to national security agencies.
Corero said that the potential of Memcached vulnerability is more extensive than reported originally, and the attacked servers can be used by hackers to steal or modify the data. This data can be database records, emails, API data, Hadoop information, website customer information, etc.
Memcached, the open source memory caching system decreases data access time by storing it in RAM. Since access does not require authentication, it was originally designed to be inaccessible from the internet. The exploit allows attackers to generate fake requests and magnify the attacks creating traffic flood. Currently more than 95,000 servers answer on UDP port 11211, which means all of them are vulnerable to the DDoS attacks.
“Memcached represents a new chapter in DDoS attack executions. Previously, the most recent record-breaking attacks were being orchestrated from relatively low bandwidth Internet of Things (IoT) devices. In contrast, these Memcached servers are typically connected to higher bandwidth networks and, as a result of high amplification factors, are delivering data avalanches to crippling effect. Unless operators of Memcached servers take action, these attacks will continue,” explained Ashley Stephenson, CEO at Corero Network Security.
The kill switch discovered by Corero can be an effective solution to mitigate the attacks. The security firm claimed that it tested the kill switch on live attacking servers and found it 100% effective. “It has not been observed to cause any collateral damage.”
The kill switch sends a ‘flush all’ command to the attacking server which suppresses the DDoS exploitation. The command invalidates the malicious payloads by clearing the cache of vulnerable server.
When GitHub was attacked by DDoS attack last week, the issue was reported to the National Vulnerability Database (NVD). NVD found that the Memcached version 1.5.5 contained an insufficient control of network message volume vulnerability in UDP support of memcached server. This issue has been fixed in version 1.5.6.
The memcached servers need to be updated to latest version, to disable the UDP protocol by default.