{"id":11649,"date":"2018-03-03T09:00:05","date_gmt":"2018-03-03T17:00:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/03\/03\/news-5420\/"},"modified":"2018-03-03T09:00:05","modified_gmt":"2018-03-03T17:00:05","slug":"news-5420","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/03\/03\/news-5420\/","title":{"rendered":"Our Exposed World \u2013 Old exposures, new attacks"},"content":{"rendered":"<p><strong>Credit to Author: Natasha Hellberg (Senior Threat Researcher) | Date: Sat, 03 Mar 2018 16:28:01 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"181\" src=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/ransomware-response-study-showcase_image-4-w-1151-300x181.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/ransomware-response-study-showcase_image-4-w-1151-300x181.jpg 300w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/ransomware-response-study-showcase_image-4-w-1151-768x464.jpg 768w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/ransomware-response-study-showcase_image-4-w-1151-640x387.jpg 640w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/ransomware-response-study-showcase_image-4-w-1151-440x266.jpg 440w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/ransomware-response-study-showcase_image-4-w-1151-380x230.jpg 380w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/ransomware-response-study-showcase_image-4-w-1151.jpg 860w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>Natasha Hellberg, Senior Threat Researcher FTR<\/p>\n<p><strong><em>With assistance from William Gamazo Sanchez, DSLabs<\/em><\/strong><\/p>\n<p>Within the last few days, a new player has been introduced into the distributed denial of service (DDoS) amplification attack world 
and it brings with it the potential for much larger DDoS attacks than what we have seen in the past. While most of us think DNS, UPnP\/SSDP and NTP when we think of protocols that are used in DDoS, <strong>memcache<\/strong> has emerged as just as potent a protocol for committing these kinds of attacks. <a href=\"https:\/\/github.com\/memcached\/memcached\/blob\/master\/doc\/protocol.txt\">Memcache<\/a> is a protocol meant to allow for the quick storage and retrieval of data from a server, without all the messy overhead of a database on the back end. Unfortunately, it has also recently been discovered to be a great source of amplification and reflection for DDoS.<\/p>\n<p>Within the last few days, <a href=\"https:\/\/blog.cloudflare.com\/memcrashed-major-amplification-attacks-from-port-11211\/\">Cloudflare<\/a> and <a href=\"https:\/\/githubengineering.com\/ddos-incident-report\/\">GitHub<\/a> have become the first victims of this new DDoS amplification method. In the case of GitHub, their network telemetry from <a href=\"https:\/\/blogs.akamai.com\/2018\/03\/memcached-fueled-13-tbps-attacks.html\">Akamai<\/a> indicates that at least one wave of the attack hit over 1.35 Tbps inbound at their servers:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-540771\" src=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog-1024x389.jpg\" alt=\"\" width=\"1024\" height=\"389\" srcset=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog-1024x389.jpg 1024w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog-300x114.jpg 300w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog-768x291.jpg 768w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog-640x243.jpg 640w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog-900x342.jpg 900w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog-440x167.jpg 440w, 
https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog-380x144.jpg 380w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog.jpg 1357w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p style=\"text-align: center\"><em>Figure 1: From https:\/\/githubengineering.com\/DDoS-incident-report\/<\/em><\/p>\n<p>Now, keep in mind that some of this traffic isn\u2019t attack traffic per se but additional networking overhead (handshaking attempts, etc.); in the end it still packs a significant punch. Just to put this in perspective, according to the Akamai SIRT, this attack was twice the size of what was seen for the <a href=\"https:\/\/blog.trendmicro.com\/dyn-servers-attacked-hackers-means-iot\/\">Mirai<\/a> attacks in Sept 2016.<\/p>\n<p>Using memcached is actually pretty easy. You send it a key and it sends you back the data associated with that key. An added benefit is being able to put as many queries into a single request as you\u2019d like.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-540772\" src=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog1-1024x687.jpg\" alt=\"\" width=\"1024\" height=\"687\" srcset=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog1-1024x687.jpg 1024w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog1-300x201.jpg 300w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog1-768x515.jpg 768w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog1-125x85.jpg 125w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog1-640x429.jpg 640w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog1-900x604.jpg 900w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog1-440x295.jpg 440w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog1-380x255.jpg 380w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog1.jpg 
1600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p style=\"text-align: center\"><em>Figure 2: Creating a memcache attack<\/em><\/p>\n<p>In the current attacks, the attackers are making GETS requests against the memcache service to grab whatever data they can on existing keys (steps 3 &amp; 4 in Figure 2); however, in many cases the memcache servers are not secured and also allow SET commands (i.e., putting data INTO the memcache server). The bad actors can use this to set a key to the maximum data blob allowed, and then make their GETS query to that specific key (steps 1-4 in Figure 2) to maximize the size of their reflection attack against the victim.<\/p>\n<p>While memcache can be served over both TCP (natively) and UDP, these attacks will primarily be found on UDP port 11211, as the UDP protocol allows for much easier spoofing of the source address, making it more attractive for reflection-type DDoS attacks.<\/p>\n<p>Of the 120,458 (at the time of writing) memcache servers globally, there are just under 10k servers running memcache on UDP according to Shodan. It is more interesting to note that <u>almost one third of these are being seen in active attacks already<\/u>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-540773 size-full\" src=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog2.jpg\" alt=\"\" width=\"475\" height=\"414\" srcset=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog2.jpg 475w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog2-300x261.jpg 300w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog2-440x383.jpg 440w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/03\/blog2-380x331.jpg 380w\" sizes=\"auto, (max-width: 475px) 100vw, 475px\" \/><\/p>\n<p>Now, a key factor in the amplification value of memcache has to do with the data blob returned. 
Generally speaking, the maximum byte size for these is relatively small, but some hosting providers run memcache configurations that allow for much larger data blobs (in some cases over 100G), thus increasing their value in a DDoS amplification attack.<\/p>\n<p>This being said, there are a number of caveats and limitations to the size these attacks might grow to. First and foremost, they are inhibited by the links attached to the memcached server being used to reflect the attack. A 1 Gbps link is only ever going to send 1 Gbps, no matter how big a data blob is created by the attack. Ditto for the network card. And finally, the <a href=\"https:\/\/en.wikipedia.org\/wiki\/User_Datagram_Protocol\">protocol only allows for a network sequence number of two eight-bit bytes<\/a> (the data blob has to be broken into pieces to be sent across the internet \u2013 the sequence numbering allows the other end to know how to put it all back together again, like Humpty Dumpty!). But with only two bytes, the maximum number of packets the protocol can return is 65,536, and even I can do the math to say the max size of a single packet is <a href=\"https:\/\/www.arbornetworks.com\/blog\/asert\/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations\/\">1428<\/a>, so that the total volume can only ever be 93.58 megabytes, transmitted across the link speed of the server being reflected off of. Or in other words, as a much wiser colleague pointed out \u2013 the request \/ GETS part can be super large, but it then becomes capped because of the limitations of the packet sequencing. This also raises the question of how memcached handles data blobs that require sequencing higher than its standard allows for, since handling of these packets does not appear to be specified in the protocol. It\u2019s these questions that I would love more information on.<\/p>\n<p>So, in the end, is the sky falling? Will the internet bottom out? 
No. While we are still in the early days of understanding the technical potential of this new attack vector, even with NTP, SSDP, and DNS amplification attacks we did not see a constant barrage of large-scale DDoS attacks, and that is unlikely to be the case with memcached either. However, will we see a growth in the size of DDoS attacks when they happen? In all likelihood, yes. As such, just like with other denial of service attacks, here\u2019s what you should do:<\/p>\n<ul>\n<li>Read up on memcache attacks (both <a href=\"https:\/\/www.arbornetworks.com\/blog\/asert\/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations\/\">Arbor<\/a> and <a href=\"http:\/\/blog.netlab.360.com\/memcache-ddos-a-little-bit-more-en\/\">360 Netlab<\/a> have excellent analyses of these attacks)<\/li>\n<li>Ensure your networks have good traffic monitoring (both inbound and outbound!) using Trend <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/network.html\">network intrusion tools<\/a> (like DDI and TippingPoint)<\/li>\n<li>Ensure you have more than one upstream provider so you can fail over to other links should the primary become flooded<\/li>\n<li>Ensure your network providers have implemented anti-spoofing (such as BCP38 &amp; BCP84) so that spoofed packets such as those used in DDoS reflection attacks do not make it to your network in the first place!<\/li>\n<\/ul>\n<div class=\"lightTable\">\n<p><em>As part of looking into this attack vector, several members of the security community assisted. 
I would like to say thanks to these folks, and specifically to both <strong>Damien Menscher<\/strong> of <strong>Google<\/strong> for his assistance in understanding the protocol and its interaction as attack traffic, and <strong>John Matherly<\/strong> of <strong>Shodan<\/strong> for assistance with assessing the global impact.<\/em><\/p>\n<\/div>\n<p><a href=\"https:\/\/blog.trendmicro.com\/exposed-world-old-exposures-new-attacks\/\" target=\"bwo\" >http:\/\/feeds.trendmicro.com\/TrendMicroSimplySecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Natasha Hellberg (Senior Threat Researcher) | Date: Sat, 03 Mar 2018 16:28:01 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"181\" src=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/ransomware-response-study-showcase_image-4-w-1151-300x181.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/ransomware-response-study-showcase_image-4-w-1151-300x181.jpg 300w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/ransomware-response-study-showcase_image-4-w-1151-768x464.jpg 768w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/ransomware-response-study-showcase_image-4-w-1151-640x387.jpg 640w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/ransomware-response-study-showcase_image-4-w-1151-440x266.jpg 440w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/ransomware-response-study-showcase_image-4-w-1151-380x230.jpg 380w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/ransomware-response-study-showcase_image-4-w-1151.jpg 860w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>Natasha Hellberg, Senior Threat Researcher FTR With assistance from William Gamazo Sanchez, DSLabs Within the last few days, a new player has been introduced into 
the distributed denial of service (DDoS) amplification attack world and it brings with it the potential for much larger DDoS attacks than what we have seen in the past. While most&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10413],"tags":[714],"class_list":["post-11649","post","type-post","status-publish","format-standard","hentry","category-security","category-trendmicro","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11649","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11649"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11649\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11649"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11649"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11649"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}