Two Memcached DDoS attacks PoC released

Two Memcached DDoS attacks PoC released

Memcached DDoS attack-a few days after the world's largest DDoS attack reaches 1.7Tbps, two PoC codes for Memcached amplification attacks were published.

The vulnerability behind Memcached DDoS attacks is one of the hottest topics.

The world's largest DDoS attack record lasted for only a few days. Earlier this month, an American service provider suffered a 1.7 Tbps memcached DDoS attack.

Now someone has released two PoC codes. both ends of the code can use Memcached for DDoS amplification attacks, and anyone can use them to launch memcached DDoS attacks.

One PoC code vulnerability is written in the Python script language. The Shodan search engine API is used to obtain the list of vulnerable Memcached servers and then conduct memcached DDoS attacks.

The second vulnerability exploitation code is programmed in C and uses the list of vulnerable Memcached servers. The author also published a memecache-amp-03-05-2018-rd.list file, which is a list of vulnerable memcached servers as.

Dangerous amplification attacks

The first memcached DDoS attack was detected in, when the Code hosting website GitHub was hit by the largest DDoS attack ever, reaching the peak of tbps.

Memcached is a free and open-source high-performance distributed memory cache system designed to accelerate the running of Dynamic Web applications by reducing the database load.

The client communicates with the memcached server through TCP or UDP on port 11211.

To abuse the memcached server, attackers can send requests to the target server through port 11211, disguised as the victim's IP address. In the memcached DDoS attack, requests sent to the server are only several bytes, and the response may be tens of thousands of times larger, resulting in amplification attacks.

Cloudflare experts called the attack Memcrashed, and researchers said the amplification technology may allow attackers to gain a factor of 51.2 thousand.

Cloudflare recommends disabling UDP support and disconnecting the memcached server from the internet unless necessary.

"Developers should stop using UDP. No. Do not enable it by default. If you do not know what the amplification attack is, do not enter 'sock _ dgram' in the editor '. "

This new type of attack is undoubtedly good news for hackers. Someone has begun to use amplification attacks to extort money from the company.

* Reference Source: SecurityAffairs

This article permanently updates link: https://www.bkjia.com/Linux/2018-03/151285.htm