Dale Drew

Memcached: Thinking beyond the kill switch, and inside the net

Just as the shock of two record-setting DDoS attacks landing within a single week was sinking in, a new idea started to gain traction: there’s a kill switch for Memcached-based DDoS attacks.

For those who only skimmed the headlines last week: Memcached-based DDoS attacks abuse memcached servers that have been left reachable from the internet, typically with their unauthenticated UDP listener open on port 11211. Memcached is the in-memory caching system that some of the largest social media platforms and other global businesses use to keep their web applications responsive and dynamic.

Of the two attack types that most concern the security industry, amplification attacks and peer-to-peer botnets, Memcached amplification is taking center stage: the record-breaking attacks it produced, 1.3 Tbps and then 1.7 Tbps, were of a size that until quite recently seemed unfathomable.

Here’s how they work: a bad actor sends a small request to an application on the internet, with the packet’s source address forged to be the victim’s, crafted so that it triggers a much larger response. The application answers the address it was given, so all of the response traffic lands on the victim. This tactic lets bad actors run very large DDoS attacks without owning much network infrastructure, because they relay the attack through other people’s machines on the internet, in this case memcached servers owned by content providers all over the globe.
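The mechanism in code, as an added example that is not from the original article or from CenturyLink: it parses the 8-byte memcached UDP frame header, builds the small request an attacker sends and the multi-datagram reply memcached returns, and measures the ratio between them. The key name, the 100 KB staged value and the request ID are constructed for the example; the 1400-byte datagram size and the frame layout are memcached’s own.

```python
"""Memcached UDP amplification, illustrated.

Added example (not code from the original article or from CenturyLink).
The key, the 100 KB value and the request ID below are constructed for
the example, not captured traffic.
"""
import struct

# memcached UDP frame header (protocol.txt): request ID, sequence number,
# total datagrams in this message, reserved (must be 0); big-endian uint16 each
UDP_FRAME = struct.Struct("!HHHH")
UDP_PAYLOAD_MAX = 1400   # memcached's per-datagram UDP payload size
THRESHOLD = 10.0         # reply/request byte ratio above which we call it amplification


def parse_frame(datagram: bytes) -> dict:
    """Split one memcached UDP datagram into its frame header fields and payload."""
    if len(datagram) < UDP_FRAME.size:
        raise ValueError("too short for a memcached UDP frame")
    req_id, seq, total, reserved = UDP_FRAME.unpack_from(datagram)
    if reserved != 0:
        raise ValueError("reserved field must be zero")
    return {"req_id": req_id, "seq": seq, "total": total,
            "payload": datagram[UDP_FRAME.size:]}


def build_request(req_id: int, command: bytes) -> bytes:
    """One-datagram ASCII request. In an attack, its IP source is spoofed to the victim."""
    return UDP_FRAME.pack(req_id, 0, 1, 0) + command


def build_response(req_id: int, key: bytes, value: bytes) -> list[bytes]:
    """Fragment a 'VALUE ... END' reply into 1400-byte UDP datagrams, as memcached does."""
    body = b"VALUE %s 0 %d\r\n%s\r\nEND\r\n" % (key, len(value), value)
    chunks = [body[i:i + UDP_PAYLOAD_MAX] for i in range(0, len(body), UDP_PAYLOAD_MAX)]
    return [UDP_FRAME.pack(req_id, seq, len(chunks), 0) + chunk
            for seq, chunk in enumerate(chunks)]


def reassemble(datagrams: list[bytes]) -> bytes:
    """Reorder datagrams by sequence number and join their payloads (what the victim receives)."""
    frames = [parse_frame(d) for d in datagrams]
    total = frames[0]["total"]
    if len(frames) != total or {f["seq"] for f in frames} != set(range(total)):
        raise ValueError("incomplete message")
    return b"".join(f["payload"] for f in sorted(frames, key=lambda f: f["seq"]))


def amplification(request: bytes, responses: list[bytes]) -> float:
    """Bytes reflected toward the spoofed source per byte the attacker sent."""
    return sum(len(r) for r in responses) / len(request)


def looks_like_amplification(request: bytes, responses: list[bytes]) -> bool:
    return amplification(request, responses) > THRESHOLD


def demo() -> float:
    """Stage a 100 KB value, then fetch it with a 15-byte 'get', as an attacker does."""
    key = b"k"
    staged = b"A" * 100_000        # attacker first sends: set k 0 0 100000\r\n<data>\r\n
    request = build_request(0x1234, b"get %s\r\n" % key)
    responses = build_response(0x1234, key, staged)
    assert reassemble(responses).startswith(b"VALUE k 0 100000\r\n")
    return amplification(request, responses)


if __name__ == "__main__":
    print(f"amplification factor: {demo():.0f}x")
```

A single 15-byte `get` pulls back about 100 KB, roughly 6,700 bytes returned per byte sent, and the attacker can list the same key several times in one `get` to multiply that further. Since the request is UDP with no handshake, nothing stops the forged source address from being the victim’s.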

Making matters worse, source code for a Memcached attack tool was released into the wild, giving even the most amateur hackers the means to launch similar large-scale attacks.

The bad news

When the idea of a kill switch for Memcached was raised, the news spread like wildfire. After all, it was a kill switch that stopped WannaCry, last year’s notorious ransomware that crippled health systems in the U.K., dead in its tracks. For WannaCry, the kill switch was the registration of a particular domain name that the malware checked before spreading. For Memcached, the kill switch means sending a command back to each abused server, over the same exposed port the attackers use, that flushes its cache (discarding the large payload the attacker staged there) or shuts the daemon down.

The problem is that, in the U.S. anyway, using this kill switch is illegal. Memcached servers belong to legitimate users on the internet. To trigger the kill switch you must send a command that clears the cache, or stops the service, on servers you do not own. In doing so you would be accessing someone else’s computer and disrupting the operation of the server and its data without the owner’s knowledge or permission.

The good news

When Memcached-based attacks first appeared, DDoS mitigation providers like CenturyLink updated their scrubbing solutions to recognize and mitigate them. Still, the size and reach of the attacks kept growing, and few cloud-based DDoS providers have the capacity to scrub the volumes of traffic this attack type produces. With roughly 88,000 vulnerable servers on the internet and an amplification rate of 58x, it became apparent that traffic scrubbing alone would not be enough to thwart its explosive growth.

Thankfully, this is where the network itself has an inherent advantage. Because the attack traffic carries a recognizable signature (UDP responses sent from port 11211 of an exposed memcached server), CenturyLink and other network service providers can filter Memcached attack traffic out at the edge of the network rather than scrub it after the fact. What’s more, they can deploy traffic controls, as CenturyLink did, that keep attack traffic from traversing the network at all, and that keep the network from being used to launch an additional attack, by blocking the small trigger requests bound for port 11211 as well as the large replies. That is a unique and significant advantage in stopping industry-wide DDoS attacks and impairments.

Eyes open

While we’ve seen an increase in the size and frequency of DDoS attacks because of Memcached, we are working with the security research community to continue to track and abate them to the benefit of us all. Tomorrow, we’ll face a new challenge, which is why we must continue to collaborate: it takes a village to protect the internet and each of us must do our part.