DDoS attacks taking advantage of ill-advised use of memcached have begun to decline, either because sysadmins are securing the process, or because people are using a potentially-troublesome “kill switch”.
Memcached is a handy caching tool that takes load off a database, but it ships with no authentication enabled and, until version 1.5.6, listened on UDP by default, because it was never meant to sit on internet-exposed systems. In late February attackers started to take advantage of the fact that memcached is a very effective amplifier of UDP messages: a 15-byte query can return a reply of hundreds of kilobytes, and because UDP has no handshake the query's source address can be forged so that the reply lands on the victim instead of the sender. Attacks bounced off exposed caches briefly gave GitHub the honour of the biggest ever DDoS attack at 1.3 Tbps, but within days a US service provider took an even bigger hosing.
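To make the amplification concrete, here is an added example (not code from the article, Corero, or the memcached project) that builds the 15-byte UDP "stats" probe described above, reassembles the multi-datagram reply memcached sends back, works out the amplification factor, and audits a memcached command line for the two settings that stop it being a reflector. The UDP frame layout (an 8-byte header of request id, sequence number, datagram count and a reserved field, all big-endian 16-bit values) is taken from memcached's protocol.txt; the sample reply is constructed here, not captured. The `probe_udp` function does talk to the network and is meant for checking a host you own; everything else runs offline.

```python
import shlex
import socket
import struct

# Memcached UDP frame header (protocol.txt): request id, sequence number,
# total datagrams in this message, reserved. All big-endian 16-bit fields.
HEADER = struct.Struct(">HHHH")


def build_udp_request(command: bytes, request_id: int = 1) -> bytes:
    """Wrap an ASCII memcached command in a single-datagram UDP frame.

    b"stats" yields the 15-byte query (8-byte header + b"stats\\r\\n") that
    the reflection attacks rely on.
    """
    return HEADER.pack(request_id, 0, 1, 0) + command + b"\r\n"


def parse_udp_response(datagrams):
    """Reassemble a multi-datagram UDP reply into (request_id, payload).

    Datagrams may arrive out of order; each carries its own sequence number
    and the total count, so we index on the sequence number and refuse
    incomplete or mixed replies rather than returning partial data.
    """
    frames, request_id, total = {}, None, None
    for dgram in datagrams:
        if len(dgram) < HEADER.size:
            raise ValueError("datagram shorter than 8-byte header")
        rid, seq, count, _reserved = HEADER.unpack_from(dgram)
        if request_id is None:
            request_id, total = rid, count
        elif rid != request_id or count != total:
            raise ValueError("frames from different replies mixed together")
        frames[seq] = dgram[HEADER.size:]
    if total is None or set(frames) != set(range(total)):
        raise ValueError("incomplete reply")
    return request_id, b"".join(frames[i] for i in range(total))


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes sent back per byte the attacker had to send (and spoof)."""
    return len(response) / len(request)


def probe_udp(host, port=11211, timeout=2.0, request_id=0x1234):
    """Send one 'stats' query over UDP and collect the reply datagrams.

    Returns the reassembled payload, or None if nothing answered. Only run
    this against memcached instances you are responsible for.
    """
    req = build_udp_request(b"stats", request_id)
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            while True:
                data, _ = s.recvfrom(65535)
                received.append(data)
                _, _, count, _ = HEADER.unpack_from(data)
                if len(received) >= count:
                    break
        except socket.timeout:
            pass
    if not received:
        return None
    _, payload = parse_udp_response(received)
    return payload


def audit_cmdline(cmdline: str):
    """Flag a memcached command line that leaves UDP on or binds everywhere.

    Handles the short options -U (UDP port), -l (listen address list) and
    -p (TCP port), both spaced ("-U 0") and glued ("-U0"); long-option
    spellings are not parsed here.
    """
    argv = shlex.split(cmdline)
    opts, i = {}, 0
    while i < len(argv):
        a = argv[i]
        if a in ("-U", "-l", "-p") and i + 1 < len(argv):
            opts[a] = argv[i + 1]
            i += 2
            continue
        if len(a) > 2 and a[:2] in ("-U", "-l", "-p"):
            opts[a[:2]] = a[2:]
        i += 1
    findings = []
    udp = opts.get("-U")
    if udp is None:
        findings.append("no -U given: UDP is on (port 11211) on releases before 1.5.6")
    elif udp != "0":
        findings.append("UDP listener enabled on port %s; start with -U 0" % udp)
    listen = opts.get("-l")
    if listen is None or any(a.strip() in ("0.0.0.0", "::") for a in listen.split(",")):
        findings.append("bound to all interfaces; use -l 127.0.0.1 or a private address")
    return findings


def constructed_reply(request_id=1):
    """A two-datagram 'stats' reply, returned out of order (constructed sample)."""
    body = [b"STAT pid 1\r\nSTAT uptime 3\r\n", b"END\r\n"]
    frames = [HEADER.pack(request_id, seq, len(body), 0) + chunk
              for seq, chunk in enumerate(body)]
    return frames[::-1]


if __name__ == "__main__":
    req = build_udp_request(b"stats")
    rid, payload = parse_udp_response(constructed_reply())
    print(len(req), "byte query;", len(payload), "byte reply; factor",
          amplification_factor(req, payload))
    print(audit_cmdline("memcached -m 64 -p 11211 -u memcache -l 0.0.0.0"))
    print(audit_cmdline("memcached -m 64 -U 0 -l 127.0.0.1 -u memcache"))
```

Against a real exposed instance the reply to `stats` alone runs to a few kilobytes; the hundreds-of-kilobytes figures come from attackers first storing large values and then requesting them, which is why the audit checks for `-U 0` and a loopback or private `-l` address rather than trying to measure the cache contents.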
Last Wednesday, the risks posed by internet-facing memcached processes took on a new colour, when security vendor Corero explained that a debug command could let a remote attacker retrieve, modify or insert data in the cache itself.
Corero said there is a kill-switch it is deploying for clients: the flush_all command does exactly what it says, the process invalidates every object it holds, the attacker's stored payloads vanish, and the attack ends. The caveat is that flush_all closes nothing; as long as the UDP port stays reachable, an attacker can simply re-seed the cache and start again.
Cloudflare and Arbor Networks warned eWeek that they're worried about the ethics and legality of firing flush_all at someone else's machine, because changing the contents of a computer you don't own is illegal in many or most jurisdictions.
The attack volumes kept increasing for most of last week. Qihoo 360 last Wednesday said it had logged 10,000 attack events in the previous week, and identified 7,131 victim IP addresses.
Those included Qihoo, Google, and Amazon, various smut sites, games, security vendors, various National Rifle Association sites, and Brian Krebs' page.
It seems the slow business of getting memcached hidden behind firewalls, or simply restarted with its UDP listener off, is happening at last, however, with no new attacks reported over the weekend. ®