Memcached DDoS Exploit Code and List of Vulnerable Servers Published Online

Two separate proof-of-concept (PoC) exploits for the Memcached amplification attack have been released online, which could allow even script kiddies to easily launch massive DDoS attacks using UDP reflection.

The first DDoS tool is written in the C programming language and works with a pre-compiled list of vulnerable Memcached servers.

Bonus: its description already includes a list of nearly 17,000 potentially vulnerable Memcached servers left exposed on the Internet.

The second Memcached DDoS attack tool is written in Python and uses the Shodan search engine API to obtain a fresh list of vulnerable Memcached servers, then sends UDP packets with a spoofed source address to each server.

Last week we saw two record-breaking DDoS attacks, a 1.35 Tbps attack that hit GitHub and a 1.7 Tbps attack against an unnamed US-based company, both carried out using a technique called an amplification/reflection attack.

For those unaware, a Memcached-based amplification/reflection attack amplifies the bandwidth of a DDoS attack by a factor of 51,000 by exploiting thousands of misconfigured Memcached servers left exposed on the Internet.

Memcached is a popular open-source distributed memory caching system. It came into the news earlier last week when researchers detailed how hackers could abuse it to launch an amplification/reflection DDoS attack by sending a forged request to the targeted Memcached server on port 11211, using a spoofed source IP address that matches the victim’s IP.

A request of a few bytes sent to the vulnerable Memcached server can trigger a response tens of thousands of times larger, directed at the targeted IP address, resulting in a powerful DDoS attack.

For a detailed explanation of how the Memcached amplification attack works, you can head on to our previous article.

Since Memcached was revealed last week as a new amplification/reflection attack vector, some hacking groups have started exploiting unsecured Memcached servers.

But now the situation will get worse with the release of PoC exploit code, allowing anyone to launch massive DDoS attacks, and will not come under control until the last vulnerable Memcached server is patched, or firewalled on port 11211, or completely taken offline.

Moreover, cybercriminal groups have already started weaponizing this new DDoS technique to threaten big websites and extort money.

Third Proof-of-Concept (PoC) Exploit Released

At the time of writing this article, we were made aware of a third PoC exploit, small enough to fit in a tweet.

Following last week’s DDoS attack on GitHub, Akamai reported its customers received extortion messages delivered alongside the typically “junk-filled” attack payloads, asking them for 50 XMR (Monero coins), valued at over $15,000.

To mitigate the attack and prevent Memcached servers from being abused as reflectors, the best option is to bind Memcached to a local interface only or entirely disable UDP support if not in use.
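A configuration check for the two mitigations above, as an added example that is not part of the original article. It assumes a Debian-style `memcached.conf` holding one command-line option per line; the function names and sample configs are constructed for illustration, while `-l` (listen address) and `-U` (UDP port, `0` disables it) are memcached's own options.

```python
import ipaddress
import shlex

def parse_options(conf_text):
    """Collect the -l (listen address) and -U (UDP port) values from the file."""
    tokens = []
    for raw in conf_text.splitlines():
        tokens += shlex.split(raw.split("#", 1)[0])  # drop comments
    opts = {}
    it = iter(tokens)
    for tok in it:
        if tok[:2] in ("-l", "-U"):
            opts[tok[:2]] = tok[2:] or next(it, "")  # accepts "-U0" and "-U 0"
    return opts

def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostname we cannot classify: treat as exposed

def audit(conf_text):
    """Return findings that leave the server usable as a UDP reflector."""
    opts = parse_options(conf_text)
    findings = []
    if "-l" not in opts:
        findings.append("no -l: listening on all interfaces")
    else:
        for addr in opts["-l"].split(","):
            if not is_loopback(addr.strip()):
                findings.append(f"-l {addr.strip()}: not a loopback address")
    if "-U" not in opts:
        findings.append("no -U: UDP depends on the version default, set -U 0")
    elif opts["-U"] != "0":
        findings.append(f"-U {opts['-U']}: UDP listener enabled")
    return findings

# Constructed sample configs, not taken from any real host.
EXPOSED = "# memcached.conf\n-m 64\n-p 11211\n-l 0.0.0.0\n"
HARDENED = "-m 64\n-p 11211\n-l 127.0.0.1  # local only\n-U 0  # UDP off\n"

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(conf) or "ok")
```

An empty result means the file both binds to loopback and explicitly disables UDP; it says nothing about firewall rules or options passed outside the file.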

Credit: Thehackernews

Jai Prajapati

Jai Prajapati is a security analyst and author for Securityleaks, where he is passionate about covering the latest happenings in the cybersecurity world, such as malware, breaches, vulnerabilities, exploits, white papers, hacking newsbytes, the Dark Web, hacking tutorials and a few more.
