UPDATED 21:18 EDT / MARCH 08 2018


Memcached vulnerability ‘kill switch’ may put an end to record attacks

A newly discovered “kill switch” may be able to address distributed denial-of-service attacks that use a vulnerability in the Memcached memory caching system to amplify data volume, the same vulnerability used in a number of record DDoS attacks over the last two weeks.

Corero Network Security Inc. made the claim Wednesday, saying it discovered an effective method that can address the Memcached vulnerability by sending a command back to an attacking server to suppress its DDoS exploitation. The kill switch sends a “flush all” command to the attacking server that suppresses the flood of traffic by invalidating a vulnerable Memcached server’s cache and “appears to be 100 percent effective” in testing.

The Memcached vulnerability involves attackers exploiting a setup issue with a protocol in some Memcached installations, causing services running it to respond with data packets thousands of times bigger than a usual request, up to 51,000 times bigger. In effect, the “kill switch” counters that vulnerability by telling the same Memcached server to stop the traffic by flushing its own cache.

Strangely, Corero has not detailed the command, saying only that it had provided the details to national security agencies, but this being the internet, it didn’t take long for someone to work out what was involved.

A Memcached developer came up with the details, with Neowin reporting that because the vulnerable Memcached server’s IP address is not spoofed, it is “pretty easy to disable them” by sending the command “shutdown\r\n” or by running “flush_all\r\n” in a loop to prevent amplification.

Although the kill switch is welcome, the vulnerability may not be around that much longer, with the issue being assigned a formal Common Vulnerabilities and Exposures number (CVE-2018-1000115) identifying Memcached version 1.5.5 as having an “Insufficient control of Network Message Volume vulnerability in the UDP support of the Memcached server that can result in denial of service via network flood.”

A newly released version of Memcached, 1.5.6, patches the vulnerability, but as with all server-side issues, it requires network administrators to install the latest version to address it.
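For administrators checking their own servers, the following Python audit is an added example, not code from the article or from the Memcached project. It assumes, beyond what the article states, that releases before 1.5.6 listen on UDP unless started with `-U 0`, that 1.5.6 and later leave UDP off unless a UDP port is given, and that `-l` sets the listen addresses; the sample command lines are constructed.

```python
import ipaddress
import shlex

FIXED = (1, 5, 6)  # release the article names as patching CVE-2018-1000115

def _options(cmdline):
    """Yield ('U' | 'l', value) for the UDP-port and listen options."""
    tokens = shlex.split(cmdline)
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in ("-U", "--udp-port"):
            yield "U", nxt
        elif tok in ("-l", "--listen"):
            yield "l", nxt
        elif tok.startswith(("--udp-port=", "--listen=")):
            yield ("U" if tok[2] == "u" else "l"), tok.split("=", 1)[1]
        elif tok[:2] in ("-U", "-l") and len(tok) > 2:  # attached form: -U0
            yield tok[1], tok[2:]

def _is_loopback(addr):
    host = addr.strip("[]")
    if host.count(":") == 1:  # IPv4 "addr:port" form
        host = host.split(":")[0]
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostname or odd syntax: assume it is reachable

def udp_exposure(version, cmdline):
    """Classify an instance as 'udp-off', 'udp-loopback' or 'udp-exposed'."""
    ver = tuple(int(p) for p in version.split(".")[:3])
    udp_on = ver < FIXED  # assumption: UDP is on by default before 1.5.6
    listen = []  # assumption: no -l means every interface
    for flag, value in _options(cmdline):
        if flag == "U":
            udp_on = value.strip() != "0"
        else:
            listen += [a for a in value.split(",") if a]
    if not udp_on:
        return "udp-off"
    if listen and all(_is_loopback(a) for a in listen):
        return "udp-loopback"
    return "udp-exposed"

if __name__ == "__main__":
    # Constructed sample inventory: (version, start-up command line)
    for ver, cmd in [("1.5.5", "memcached -m 64 -p 11211 -u memcache"),
                     ("1.5.6", "memcached -m 64 -p 11211 -u memcache")]:
        print(ver, "|", cmd, "->", udp_exposure(ver, cmd))
```

Anything reported as `udp-exposed` is a candidate for upgrading to 1.5.6, disabling UDP, or filtering at the network edge.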
