UDP Amplification Attacks, result of Memcached UDP port 11211 #348

Closed
swiftnode-linden opened this Issue Feb 27, 2018 · 11 comments

6 participants
@swiftnode-linden

swiftnode-linden commented Feb 27, 2018

2439472

The above commit has resulted in the ability to spoof a victim address to public memcache servers around the world, resulting in a massive amount of data being returned from the memcache service (to the victim).

Simple example:
https://blog.cloudflare.com/content/images/2018/02/spoofing.png

These attacks appear to be ranging anywhere from 25Gbps to over 250Gbps.

This has been confirmed on the backlines by many providers, as well as publicly by Cloudflare, and Rapid7.

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211
https://blog.rapid7.com/2018/02/27/the-flip-side-of-memcrashed/

@dormando

Member

dormando commented Feb 28, 2018

@Viper007Bond


Viper007Bond commented Mar 2, 2018

For those interested, the commit to disable UDP by default was dbb7a8a.

@XuYuanzhen


XuYuanzhen commented Mar 2, 2018

```c
printf("-p, --port=<num>          TCP port to listen on (default: 11211)\n"
       "-U, --udp-port=<num>      UDP port to listen on (default: 11211, 0 is off)\n"
```

The help text is still not fixed in memcached.c in the latest version of memcached, 1.5.6.

@dormando

Member

dormando commented Mar 2, 2018

@XuYuanzhen Thanks! Fixed in the 'next' tree for the next release.

@kurtseifried


kurtseifried commented Mar 3, 2018

This is CVE-2018-1000115 which should be in the CVE database hopefully by Monday.

CVEProject/cvelist#338

@santiandres33


santiandres33 commented Mar 11, 2018

@XuYuanzhen Sorry if I understood wrongly, but by disabling UDP on the victim's webserver, will it not be vulnerable to the attacks???

@swiftnode-linden

Author

swiftnode-linden commented Mar 11, 2018

@XuYuanzhen Disabling UDP for memcache (or firewalling the port 11211) will mean that your server is not used as a "zombie" in an attack.

This is a reflection attack, see the diagram I posted in the thread opener.

If you're being attacked by a bunch of public memcache servers, the only solution you have is getting your provider to mitigate the attack.

@santiandres33


santiandres33 commented Mar 11, 2018

@swiftnode-linden, thanks for clarifying it. I might be attacked; I have a close relationship with my ISP, any advice for me to tell him?

@swiftnode-linden

Author

swiftnode-linden commented Mar 11, 2018

@santiandres33 If the attacks you're receiving are small (e.g. <10Gbps), mitigating the attack may be possible by your ISP if they have a way to drop all traffic originating from UDP source port 11211 prior to it reaching your servers/computer.

But if we're talking about a residential ISP, your chances of mitigating an attack like this are pretty slim. Their best bet is likely just to nullroute your IP and move on.

The attacks we saw were over 200Gbps, we had to leverage an upstream provider to help mitigate. Even most large providers can't deal with an attack of this size. And the ones that do have the capacity generally aren't going to just eat a large attack unless you have some serious cash.

You have a few "external" options, you can pipe in mitigation from a provider like Voxility or Prolexic, both definitely have the capacity and the ability to filter attacks of that size. (Think GRE/IPIP Tunnels)

@XuYuanzhen


XuYuanzhen commented Mar 12, 2018

@santiandres33 Because the DDoS reflection amplification attack uses the UDP protocol. UDP is unreliable; consequently the attacker can spoof the source IP. And the old versions of memcached open UDP 11211 by default; memcached could increase the received UDP packets almost twenty to fifty thousand times. You can disable UDP 11211 with -U 0, and you can even use uRPF (Unicast Reverse Path Forwarding) to forbid source IP spoofing.
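As an added example (not memcached project code, and not any commenter's), the two mitigations raised in this thread, disabling the UDP listener with -U 0 and dropping or flagging traffic sourced from UDP port 11211, turned into checks a defender can run; the flow records and the per-build default UDP port are constructed assumptions.

```python
"""Added example: audit a memcached command line for UDP exposure and spot
memcached reflection traffic in flow records. Sample data is constructed."""
from collections import defaultdict

MEMCACHED_PORT = 11211


def udp_listen_port(argv, default):
    """UDP port this memcached command line will listen on; 0 means UDP is off.
    `default` is what the binary assumes when -U is absent (assumption used
    here: 11211 for builds before UDP was disabled by default, 0 afterwards)."""
    port, args = default, iter(argv[1:])
    for a in args:
        if a in ("-U", "--udp-port"):              # separate-argument form
            port = int(next(args))
        elif a.startswith("--udp-port="):          # long form with '='
            port = int(a.split("=", 1)[1])
        elif a.startswith("-U") and len(a) > 2:    # getopt-style attached "-U0"
            port = int(a[2:])
    return port


# Constructed flow records (proto,src,sport,dst,dport,packets,bytes) as an ISP
# or victim might export them, using RFC 5737 documentation addresses.
SAMPLE_FLOWS = """\
udp,198.51.100.10,11211,203.0.113.5,53422,40,56000
udp,198.51.100.11,11211,203.0.113.5,53422,35,49000
udp,198.51.100.12,11211,203.0.113.5,53422,50,70000
tcp,192.0.2.7,44321,203.0.113.5,443,12,3000
udp,198.51.100.10,11211,203.0.113.9,40000,1,100"""


def find_reflection(lines, min_reflectors=3, min_avg_pkt=1000):
    """Group UDP flows sourced from port 11211 by destination and flag hosts
    receiving replies from several memcached servers or with large average
    packets: the signature of reflected, amplified traffic hitting a victim."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for line in lines:
        proto, src, sport, dst, _dport, pkts, nbytes = line.strip().split(",")
        if proto != "udp" or int(sport) != MEMCACHED_PORT:
            continue
        v = per_victim[dst]
        v["reflectors"].add(src)
        v["packets"] += int(pkts)
        v["bytes"] += int(nbytes)
    flagged = {}
    for dst, v in per_victim.items():
        avg = v["bytes"] / v["packets"]
        if len(v["reflectors"]) >= min_reflectors or avg >= min_avg_pkt:
            flagged[dst] = {"reflectors": len(v["reflectors"]),
                            "bytes": v["bytes"], "avg_packet_bytes": avg}
    return flagged
```

Flagged victims are the addresses for which an upstream filter on UDP source port 11211 would be the first mitigation step, as described above.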

@dormando

Member

dormando commented May 9, 2018

Closing this out. I think it's been talked about widely enough.

@dormando dormando closed this May 9, 2018

@memcached memcached locked as resolved and limited conversation to collaborators May 9, 2018
