Over 1400 Memcached server in Vietnam are at risk of becoming botnets

According to statistics from CyStack Security, more than 1400 Memcached servers in Vietnam have dangerous vulnerable with the risk of becoming botnets for large-scale DDoS attacks.

Recently, a large number of DDoS attacks on the Internet have been detected by big network companies for more than 1.7Tbs (a terrible figure for a DDoS attack). To do this, hackers use IP Spoofing in combination with UDP-Based Amplification Attacks by exploiting a problem in Memcached (an open source application, commonly used for caching data for web applications).

As a result of the analysis, there are two major issues that hackers can exploit to perform a DDoS attack (CVE-2018-1000115):

  1. Memcached open an outdated service port – port 11211: By default, when installed, this port will be restricted from external access. But on some Distro Linux or due to an administrative’s misconfiguration, many of these servers open port 11211 and allow external connections without authentication.
  2. Memcached has the ability to amplify packets and spoof IP addresses: Many tests show that a 15 bytes request sent to Memcached’s port 11211 can respond a data up to 750kB (it means that the packet is amplified more than 51,000 times) and hackers can fake source addresses to redirect the entire response to the target victim.

On the other hand, port 11211 is a UDP port, so there is no control mechanism of the number of connections as well as limitation of response data, these weaknesses have been used by hackers thoroughly.

Attack Scenario by exploiting problems in Memcached

Hacker exploit problems in Memcached to perform DDoS attack
Hacker exploit problems in Memcache to perform DDoS attack
  1. Hackers will scan the Internet (E.g. by Shodan.io) to find servers that open port 11211 and run the Memcached service.
  2. The hacker sends the spoofed requests to port 11211 of the Memcached servers list.
  3. These Memcached servers will send the response to the target address, thus creating a very large DDoS attack.

Can my server be compromised by this type of attack?

DDoS attacks can happen with any website / server and you are in no exception. In case you have a server that installed Memcached, you might be part of the botnet that hackers are exploiting. To protect yourself and others, you need to check that whether your server is exploited or not. You can check by one of the following ways:

Option 1: Scan your services from outside

Using nmap, run command nmap TARGET_IP -p 11211 -sU -sS --script memcached-info with TARGET_IP is your IP server.

Unexpected results are as follows:

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-08 18:52 SE Asia Standard Time
Nmap scan report for TARGET_IP
Host is up (0.0019s latency).
 
PORT STATE SERVICE
11211/tcp open memcache
| memcached-info:
| Process ID 32706
| Uptime 26597424 seconds
...

Option 2: Test your port 11211

Administrators can use netcat with the command: echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u TARGET_IP 11211

The servers getting the problem will send the results as follows:

STAT pid 1977
STAT uptime 3527
STAT time 1520510728
...

Statistics in Vietnam

At the time CyStack released this article (March 08, 2018), we have a small statistics on servers located in Vietnam using the Memcached service which can become bots in DDoS attack campaigns. The results show that:

  • There are 2529 servers that use memcached and open port 11211 public.
  • There are 1482 of them (58%) are at risk of being bot in botnet of hackers.

How to protect myself

  • Currently, Memcached has released new version 1.5.6 to fix this problem, which deactivates the default port 11211.
  • In case of not updating Memcached by reason of affecting the service, you can use the firewall to close port 11211 or deactivate this port.
  • Using CyStack Scanning app to detect vulnerability on your server.