Cavalry riding to the rescue of DDoS-deluged memcached users

Attacks tapering, as experts argue over 'kill switch'

17 Reg comments Got Tips?

DDoS attacks taking advantage of ill-advised use of memcached have begun to decline, either because sysadmins are securing the process, or because people are using a potentially-troublesome “kill switch”.

Memcached is a handy caching tool that can improve database performance but has no security controls because it was never intended to be used on internet-exposed systems. In late February attackers started to take advantage of the fact that memcached is a very effective amplifier of UDP messages, since a 15-byte query returns answers that could be hundreds of kilobytes. Attacks on the cache briefly gave GitHub the honour of the biggest ever DDoS attack at 1.3 Tbps, but within days a US service provider took an even bigger hosing.

Last Wednesday, the risks posed by internet-facing memcached processes took on a new colour, when security vendor Corero explained that a debug command could let a remote attacker retrieve, modify, or insert data into a system.

Corero said that there is a kill-switch it is deploying for clients. The flush_all command does exactly what it says: the process drops all the objects in memory, and the attack ends.

Cloudflare and Arbor Networks, warned eWeek they're worried about the ethics and legality of someone firing flush_all at someone else's machine, because changing the contents of a computer you don't own is illegal in many or most jurisdictions.

The attack volumes kept increasing for most of last week. Qihoo 360 last Wednesday said it had logged 10,000 attack events in the previous week, and identified 7,131 victim IP addresses.

Those included Qihoo, Google, and Amazon, various smut sites, games, security vendors, various National Rifle Association sites, and Brian Krebs' page.

It seems the slow business of getting memcached hidden behind firewalls is happening at last, however, with no new attacks reported over the weekend. ®

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Keep Reading

MariaDB inhales $25m. 'People tried to get away with simpler' but now there's a 'relational renaissance,' says open-source biz chief

Oracle nemesis will be focusing on SkySQL cloud product

Google forges Open Usage Commons to manage open-source project trademarks, lobs hot-potato Istio at it

Marks for Angular and Gerrit also handled by org designed to provide 'guidance' to industry

UK's Ministry of Justice puts out feelers for SaaS ERP with up to £100m on the table

Can't go worse than that time it bought 2.3 million Oracle licences. Right?

Dell spins up a supported distro of Microsoft’s SONiC open-source switch software

If you want a flat fabric, Dell wants in and is eyeing off NSX integrations too

Roses are red, IBM is Big Blue. It's out of RSA Conference after coronavirus review: IBMers will not attend infosec event over 'health concerns'

Updated Who will join the IT giant in staying away from San Francisco?

Ex-Cloud Foundry boss to pull strings at Puppet as CTO, says open-source software 'evolves faster, is more mature'

Abby Kearns says she will continue to foster OSS culture in new role

Nine in ten biz applications harbor out-of-date, unsupported, insecure open-source code, study shows

Free-as-in-speech software is wildly popular – keeping libraries, components up to date is not

Watch your MANRS: Akamai, Amazon, Netflix, Microsoft, Google, and pals join internet routing security effort

Filtering, anti-spoofing, coordination, validation to prevent crooks, spies hijacking victims' connections

Biting the hand that feeds IT © 1998–2020