Reacting to an announcement from Corero that they discovered a Memcached DDoS attack kill switch, Mounir Hahad, head of threat research at Juniper Networks, commented below.
Mounir Hahad, Head of Threat Research at Juniper Networks:
“This kill switch is unfortunately just a band-aid. It will take an attacker only a few minutes to overcome by replanting the large file in the memcached servers again. It becomes a game of whack-a-mole: the attacker replants the file repeatedly and the good guys try to flush it out again and again. Try doing this on about 100,000 servers at the same time and you’ll realize it’s a cat and mouse chase.
I’ve given this advice over and over, but it bears repeating: There should be no business for these memchached servers to accept connections from the internet. People should be using firewall or routing rules to drop traffic from the internet to these servers, period.
It is very easy to mitigate this kind of amplification: just rate limit the particular port used by this service, 11211, which can be done by any decent firewall. Better yet, reconfigure your network to have memcached only allow connections from the desired servers.”
Ashley Stephenson, CEO at Corero:
“Looking at shodan.io indicates there are many more than just 17,000 Memcached servers that can be used for DDoS attacks. If the vulnerable servers on the list are utilized for attacks they can be neutralized with the kill switch by sending just 17,000 packets, one to each attacking server, neutralizing their DDoS potential until they are reloaded by the attacker which take 10,000 times longer. Corero has announced today that the “flush-all” command can be used as a benign active defense “kill switch” by those being attacked to suppress attacks from the compromised Memcached server.”
