UPDATED 21:18 EDT / MARCH 08 2018

INFRA

Memcached vulnerability ‘kill switch’ may put an end to record attacks

A newly discovered “kill switch” may be able to address distributed denial-of-service attacks that use a vulnerability in the Memcached memory caching system to amplify data volume, the same vulnerability used in a number of record DDoS attacks over the last two weeks.

Corero Network Security Inc. made the claim Wednesday, saying it discovered an effective method that can address the Memcached vulnerability by sending a command back to an attacking server to suppress its DDoS exploitation. The kill switch sends a “flush all” command to the attacking server that suppresses the flood of traffic by invalidating a vulnerable Memcached server’s cache and “appears to be 100 percent effective” in testing.

The Memcached vulnerability involves attackers exploiting a setup issue with a protocol in some Memcached installations causing services running it to respond with data packets thousands of times bigger than a usual request — up to 51,000 times higher. In effect, the “kill switch” counters that vulnerability by literally telling the same Memcached server to stop the traffic by flushing the cache itself.
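The amplification factor is the property a defender can measure: a reflector answers a request of a few bytes with a response tens of thousands of times larger, and the spoofed source address in the request is the real victim. The following detector is an added example, not code from the article or from Corero or the Memcached project. It groups constructed UDP flow records (the field names, the sample addresses and byte counts, and the 50x threshold are all assumptions made for the example) into client/server pairs and flags pairs whose reply-to-request byte ratio indicates amplification via UDP port 11211.

```python
"""Flag Memcached UDP amplification from flow records (added example, not from the article)."""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211  # default memcached port; the exposed UDP listener is the reflector


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record; field layout is an assumption for this example."""
    proto: str   # "UDP" or "TCP"
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


# Constructed sample flows. The "client" of the first pair is the spoofed victim
# address: a 15-byte request answered with a ~765 KB reply (51,000x).
SAMPLE_FLOWS = [
    Flow("UDP", "203.0.113.7", 80, "198.51.100.10", 11211, 15),        # spoofed request "from" the victim
    Flow("UDP", "198.51.100.10", 11211, "203.0.113.7", 80, 765000),    # amplified reply aimed at the victim
    Flow("UDP", "203.0.113.7", 80, "198.51.100.11", 11211, 15),        # second reflector, smaller cache
    Flow("UDP", "198.51.100.11", 11211, "203.0.113.7", 80, 12000),
    Flow("TCP", "192.0.2.5", 41000, "198.51.100.10", 11211, 60),      # ordinary TCP client traffic, ignored
    Flow("TCP", "198.51.100.10", 11211, "192.0.2.5", 41000, 200),
    Flow("UDP", "192.0.2.9", 53000, "198.51.100.12", 11211, 20),       # small UDP exchange, below threshold
    Flow("UDP", "198.51.100.12", 11211, "192.0.2.9", 53000, 40),
]


def pair_udp_memcached(flows):
    """Sum request and response bytes per (client, server) pair for UDP traffic on port 11211."""
    pairs = defaultdict(lambda: {"req": 0, "resp": 0})
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.dport == MEMCACHED_PORT:
            pairs[(f.src, f.dst)]["req"] += f.nbytes      # client -> server request bytes
        elif f.sport == MEMCACHED_PORT:
            pairs[(f.dst, f.src)]["resp"] += f.nbytes     # server -> client response bytes
    return pairs


def find_amplification(flows, min_ratio=50):
    """Return (client, server, ratio) triples, largest ratio first, where reply/request >= min_ratio.

    'client' is the address being flooded (likely spoofed by the attacker);
    'server' is the memcached reflector whose UDP listener should be disabled.
    """
    hits = []
    for (client, server), counts in pair_udp_memcached(flows).items():
        if counts["req"] == 0:
            continue  # replies with no observed request: cannot compute a ratio
        ratio = counts["resp"] / counts["req"]
        if ratio >= min_ratio:
            hits.append((client, server, round(ratio)))
    return sorted(hits, key=lambda h: -h[2])


def reflectors(flows, min_ratio=50):
    """Distinct memcached servers seen acting as amplifiers; the list an operator needs to fix."""
    return sorted({server for _, server, _ in find_amplification(flows, min_ratio)})


if __name__ == "__main__":
    for client, server, ratio in find_amplification(SAMPLE_FLOWS):
        print(f"victim={client} reflector={server} amplification={ratio}x")
    print("reflectors to remediate:", reflectors(SAMPLE_FLOWS))
```

The servers this reports are the ones to remediate rather than the flooded address: memcached's `-U 0` option turns off its UDP listener, and an instance that is only reachable from trusted hosts cannot be used as a reflector at all.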

Strangely, Corero has not detailed the command, saying only that it had provided the details to national security agencies, but this being the internet, it didn’t take long for someone to work out what was involved.

A Memcached developer came up with the details, with Neowin reporting that as the vulnerable Memcached server IP is not spoofed, it is “pretty easy to disable them” by sending the command “shutdown\r\n” or running “flush_all\r\n” in a loop to prevent amplification.

Although the kill switch is welcome, the vulnerability may not be around that much longer, with the issue being assigned a formal Common Vulnerabilities and Exposures number (CVE-2018-1000115) identifying Memcached version 1.5.5 as having an “Insufficient control of Network Message Volume vulnerability in the UDP support of the Memcached server that can result in denial of service via network flood.”

A newly released version of Memcached, 1.5.6, patches the vulnerability, but as with all server-side issues, it requires network administrators to install the latest version to address it.
