Security researchers have discovered a “kill switch” that could help companies protect their websites under massive DDoS attacks launched using vulnerable Memcached servers.
Massive Memcached reflection DDoS attacks with an unprecedented amplification factor of 50,000 recently resulted in some of the largest DDoS attacks in history.
To make matters even worse, someone released proof-of-concept (PoC) exploit code for the Memcached amplification attack yesterday, making it easier for even script kiddies to launch massive cyber attacks.
Despite multiple warnings, more than 12,000 vulnerable Memcached servers with UDP support enabled are still accessible on the Internet, which could fuel more cyber attacks soon.
However, the good news is that researchers from Corero Network Security found a technique by which DDoS victims can send back a simple command, i.e., “shutdown\r\n” or “flush_all\r\n”, in a loop to the attacking Memcached servers in order to prevent amplification.
The flush_all command simply flushes the content (all keys and their values) stored in the cache, without restarting the Memcached server.
The company said its kill switch has been efficiently tested on live attacking Memcached servers and found to be 100% effective, and has already been disclosed to national security agencies.
Stealing Sensitive Data From Memcached Servers
What’s more, Corero researchers also claimed that the Memcached vulnerability (CVE-2018-1000115) is more extensive than initially reported, and can be exploited beyond leveraging it for a DDoS attack.
Without revealing any technical detail, the company said the Memcached vulnerability could also be exploited by remote attackers to steal or modify data from the vulnerable Memcached servers by issuing a simple debug command.
Dynamic database-driven websites use a Memcached application to improve their performance by caching data and objects in RAM.
Since Memcached has been designed to be used without logins or passwords, attackers can remotely steal sensitive user data it has cached from its local network or host without requiring any authentication.
The data may include confidential database records, emails, website customer information, API data, Hadoop information and more.
“By using a simple debug command, hackers can reveal the ‘keys’ to your data and retrieve the owner’s data from the other side of the earth,” the company said. “Additionally, it is also possible to maliciously modify the data and re-insert it into the cache without the knowledge of the Memcached owner.”
Server administrators are strongly advised to install the latest Memcached version 1.5.6, which disables the UDP protocol by default to prevent amplification/reflection DDoS attacks.
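The following is an added example, not code from the article or from the Memcached project: a small audit of a server's own startup options that flags the two exposures described above, an enabled UDP listener and an unauthenticated listener reachable off-host. It assumes a one-option-per-line file (as in a Debian-style memcached.conf) using memcached's `-U` (UDP port) and `-l` (listen address, without a port suffix) options; the finding names and sample inputs are constructed for illustration.

```python
# Added example: audit memcached startup options for the exposures described above.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
UDP_OFF_BY_DEFAULT = (1, 5, 6)  # per the article: 1.5.6 disables UDP by default

def parse_options(conf_text):
    """Parse one-option-per-line text ('-U 0', '-l 127.0.0.1'); '#' starts a comment."""
    opts = {}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens and tokens[0].startswith("-"):
            opts[tokens[0]] = tokens[1] if len(tokens) > 1 else ""
    return opts

def audit(conf_text, version):
    """Return a sorted list of finding codes (hypothetical names) for one server."""
    opts = parse_options(conf_text)
    ver = tuple(int(p) for p in version.split("."))
    if "-U" in opts:
        udp_on = opts["-U"] != "0"          # -U 0 turns the UDP listener off
    else:
        udp_on = ver < UDP_OFF_BY_DEFAULT   # older builds listen on UDP unless told not to
    addrs = {a for a in opts.get("-l", "").split(",") if a}
    public = not addrs or not addrs <= LOOPBACK   # no -l means all interfaces
    findings = set()
    if udp_on:
        findings.add("udp-enabled")
    if public:
        findings.add("non-loopback-listener")     # unauthenticated cache reachable off-host
    if udp_on and public:
        findings.add("amplification-reflector-risk")
    if ver < UDP_OFF_BY_DEFAULT:
        findings.add("upgrade-to-1.5.6")
    return sorted(findings)

# Constructed sample inputs (not taken from any real host).
OLD_DEFAULTS = "-m 64\n-p 11211\n-u memcache\n"
HARDENED = "# cache for local app only\n-m 64\n-p 11211\n-l 127.0.0.1\n-U 0\n"

if __name__ == "__main__":
    print(audit(OLD_DEFAULTS, "1.5.5"))
    print(audit(HARDENED, "1.5.6"))
```

An empty result means the options show neither exposure; it says nothing about firewall rules in front of the host, which need their own check.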