Two separate proof-of-concept (PoC) exploit codes for the Memcached amplification attack have been released online that could allow even script-kiddies to launch massive DDoS attacks using UDP reflection easily.
The first DDoS tool is written in the C programming language and works with a pre-compiled list of vulnerable Memcached servers.
Bonus: its description already includes a list of nearly 17,000 potentially vulnerable Memcached servers left exposed on the Internet.
The second Memcached DDoS attack tool, by contrast, is written in Python and uses the Shodan search engine API to obtain a fresh list of vulnerable Memcached servers, then sends spoofed-source UDP packets to each server.
Last week we saw two record-breaking DDoS attacks (1.35 Tbps hitting GitHub and a 1.7 Tbps attack against an unnamed US-based company), which were carried out using a technique called an amplification/reflection attack.
For those unaware, a Memcached-based amplification/reflection attack amplifies the bandwidth of DDoS attacks by a factor of 51,000 by exploiting thousands of misconfigured Memcached servers left exposed on the Internet.
Memcached is a popular open source distributed memory caching system, which came into the news earlier last week when researchers detailed how hackers could abuse it to launch an amplification/reflection DDoS attack by sending a forged request to the targeted Memcached server on port 11211 using a spoofed IP address that matches the victim's IP.
A few bytes of the request sent to the vulnerable Memcached server can trigger a response tens of thousands of times bigger against the targeted IP address, resulting in a powerful DDoS attack.
For a detailed explanation of how the Memcached amplification attack works, you can head on to our previous article.
Since last week, when Memcached was revealed as a new amplification/reflection attack vector, some hacking groups have started exploiting unsecured Memcached servers.
But now the situation will get worse with the release of PoC exploit code, allowing anyone to launch massive DDoS attacks, and will not come under control until the last vulnerable Memcached server is patched, or firewalled on port 11211, or completely taken offline.
Moreover, cybercriminal groups have already started weaponizing this new DDoS technique to threaten large websites for extorting money.
Following last week's DDoS attack on GitHub, Akamai reported its customers received extortion messages delivered alongside the typically "junk-filled" attack payloads, asking them for 50 XMR (Monero coins), valued at over $15,000.
Reflection/amplification attacks are not new. Attackers have previously used this DDoS attack technique to exploit flaws in DNS, NTP, SNMP, SSDP, Chargen and other protocols in order to maximize the scale of their cyber attacks.
To mitigate the attack and prevent Memcached servers from being abused as reflectors, the best option is to bind Memcached to a local interface only or entirely disable UDP support if not in use.
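A way to check your own servers against that advice, as an added example that is not part of the original article: the script audits a Debian-style `memcached.conf` (one command-line option per line) for the two settings named above, the listen address (`-l`) and the UDP port (`-U`, where `0` disables UDP). The sample configs are constructed, and the `udp_on_by_default` parameter is an assumption you set to match your build's default.

```python
import ipaddress
import shlex

# Constructed sample configs (Debian-style: one memcached option per line).
WEAK = "-m 64\n-p 11211\n-u memcache\n-l 0.0.0.0\n"
HARDENED = "-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1\n-U 0  # UDP off\n"

def is_loopback(addr):
    """True only for addresses that never leave the host."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostname or unparsable value: treat as exposed

def audit(conf_text, udp_on_by_default=True):
    """Report whether this config leaves memcached usable as a UDP reflector."""
    listen, udp_port, tcp_port = [], None, 11211
    for raw in conf_text.splitlines():
        tokens = shlex.split(raw, comments=True)  # drops '#' comments
        if len(tokens) < 2:
            continue
        flag, value = tokens[0], tokens[1]
        if flag == "-l":
            listen += [a.strip() for a in value.split(",") if a.strip()]
        elif flag == "-U":
            udp_port = int(value)
        elif flag == "-p":
            tcp_port = int(value)
    if udp_port is None:
        # No -U given: on builds with UDP on by default it follows the TCP port.
        udp_port = tcp_port if udp_on_by_default else 0
    udp_enabled = udp_port != 0
    # No -l at all means memcached listens on every interface.
    non_loopback = not listen or any(not is_loopback(a) for a in listen)
    return {
        "udp_port": udp_port,
        "udp_enabled": udp_enabled,
        "non_loopback": non_loopback,
        "reflector_risk": udp_enabled and non_loopback,
    }

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf))
```

A `non_loopback` result with UDP disabled still means the TCP port is reachable from other hosts, which is where the firewall rule on port 11211 mentioned above applies.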