Memcached Memcrashed - Major amplification attacks from UDP port 11211

pamamolf · Feb 28, 2018

Over last couple of days we've seen a big increase in an obscure amplification attack vector - using the memcached protocol, coming from UDP port 11211.

In the past, we have talked a lot about amplification attacks happening on the internet. Our most recent two blog posts on this subject were:

SSDP amplifications crossing 100Gbps. Funnily enough, since then we were a target of an 196Gbps SSDP attack.

General statistics about various amplification attacks we see.

The general idea behind all amplification attacks is the same. An IP-spoofing capable attacker sends forged requests to a vulnerable UDP server. The UDP server, not knowing the request is forged, politely prepares the response. The problem happens when thousands of responses are delivered to an unsuspecting target host, overwhelming its resources - most typically the network itself.

Amplification attacks are effective, because often the response packets are much larger than the request packets. A carefully prepared technique allows an attacker with limited IP spoofing capacity (such as 1Gbps) to launch very large attacks (reaching 100s Gbps) "amplifying" the attacker's bandwidth.

Memcrashed
Obscure amplification attacks happen all the time. We often see "chargen" or "call of duty" packets hitting our servers.

A discovery of a new amplification vector though, allowing very great amplification, happens rarely. This new memcached UDP DDoS is definitely in this category.

The DDosMon from Qihoo 360 monitors amplification attack vectors and this chart shows recent memcached/11211 attacks:

More info here:

Memcrashed - Major amplification attacks from UDP port 11211

pamamolf · Feb 28, 2018

New version is out that fixes that issue:

Memcached 1.5.6 Release Notes:

Overview
This is a bugfix release, but it primarily disables the UDP protocol by default.

In the last few days reports of UDP amplification attacks utilizing inesure memcached instances have surfaced. Attackers are able to set large values into memcached, then send requests via spoofed UDP packets. Memcached will then send a very large number of very large UDP packets back in response.

12 years ago, the UDP version of the protocol had more widespread use: TCP overhead could be very high. In the last few years, I've not heard of anyone using UDP anymore. Proxies and special clients allow connection reuse, which lowers the overhead. Also, RAM values are so large that TCP buffers just don't add up as much as they used to.

That said, I don't have any way of knowing how many UDP installations there are. Everyone who uses UDP and upgrades past this version, will find the UDP protocol disabled unless they explicitly enable it via -U 11211. Hopefully this one-time pain is acceptable.

Thanks for everyone who reached out in the last couple days to help understand the problem and coordinate patches sent to linux and BSD distro's.

Fixes:

disable UDP port by default

systemd instancing support & rpm build improvements

fix gcc warnings in beta GCC

fix build with clang

fix for dtrace compilation on freebsd

eva2000 · Feb 28, 2018

Thanks for heads up. FYI, by default Centmin Mod 123.09beta01's CSF Firewall blocks port 11211 out of the box unless you whitelist it yourself. Also Memcached is set to listent to localhost/127.0.0.1 so won't response to public requests anyway.

Centmin Mod users can update Memcached as per instructions at Memcached - Memcached Server 1.5.6 Update Available

buik · Feb 28, 2018

Wonder if Red hat is gonna patch Memcached EL6 and 7
upstream as both are vulnerable if you call it that way as the UDP protocol is enabled by default.

eva2000 · Feb 28, 2018

Yeah you'd hope so. I haven't used memcached provided by redhat/centos yum repos in years. I also build or compile my own memcached binaries

Revenge · Mar 1, 2018

Issue in Vpsdime Dallas location because of this:

Dallas network issues
Wednesday, 28 February 2018, 10:49 - We're investigating a Dallas connectivity issue. We'll update this announcement as we have more information. This is a network issue. We are experiencing high package loss. Our datacenter is working on the issue.

Wednesday, 28 February 2018, 11:41 - Root cause has been determined: outbound network attacks from insecure memcached installations. We're looking at how to adjust them now.

Wednesday, February 28, 2018
Click to expand...

eva2000 · Mar 1, 2018

Whoops.. this is going to bite alot of folks who don't actually use a firewall on their server ! Luckily, Centmin Mod out of box uses CSF Firewall

Revenge · Mar 1, 2018

eva2000 said: ↑

Whoops.. this is going to bite alot of folks who don't actually use a firewall on their server ! Luckily, Centmin Mod out of box uses CSF Firewall
Click to expand...

Yes, a firewall or a proper iptables configuration.

Meanwhile, Vpsdime updated their report and closed 11211 port for outbound connections.

[SOLVED] Dallas network issues
Wednesday, 28 February 2018, 10:49 - We're investigating a Dallas connectivity issue. We'll update this announcement as we have more information. This is a network issue. We are experiencing high package loss. Our datacenter is working on the issue.

Wednesday, 28 February 2018, 11:41 - Root cause has been determined: outbound network attacks from insecure memcached installations. More info here: Memcrashed - Major amplification attacks from UDP port 11211 We're looking at how to adjust them now.

Wednesday, 28 February 2018, 12:28 - This has been mitigated, root cause was a new memcached amplification attack. If you're still seeing connectivity issues, or truly need internet-accessible memcached access for some reason, please ticket in.

Wednesday, February 28, 2018
Click to expand...

Matt · Mar 2, 2018

I'm working on a server now, and has Memcached that was listening on 127.0.0.1 TCP and UDP, and when I nmap the server, it's showing OPEN/FILTERED, even though port 11211 is blocked by CSF.
Code:
nmap TARGET -p 11211 -sU -sS --script memcached-info

Starting Nmap 6.40 ( http://nmap.org ) at 2018-03-01 19:24 UTC
Nmap scan report for TARGET
Host is up (0.12s latency).
PORT      STATE         SERVICE
11211/tcp filtered      unknown
11211/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 2.74 seconds
When I try my own:
Code:
nmap TARGET -p 11211 -sU -sS --script memcached-info 

Starting Nmap 6.40 ( http://nmap.org ) at 2018-03-01 19:17 UTC
Nmap scan report for TARGET
Host is up (0.018s latency).
PORT      STATE  SERVICE
11211/tcp closed unknown
11211/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
Exactly same Memcached version and config. Only difference is mine are CentOS7, and the one showing open is CentOS6.9

Tried another CentOS6.9 server, and it's reporting OPEN/FILTERED again, even though it's blocked by CSF and only listening on 127.0.0.1

Matt · Mar 2, 2018

Just seen the updated to 1.5.6 as well (which these servers are all running)

# rpm -qa | grep memcached
memcached-1.5.6-1.el6.remi.x86_64

eva2000 · Mar 2, 2018

Yeah apparently Github was hit with this February 28th DDoS Incident Report 1.35Tbps attack !

The incident
Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack. The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second.
Click to expand...

eva2000 · Mar 2, 2018

Matt said: ↑

Tried another CentOS6.9 server, and it's reporting OPEN/FILTERED again, even though it's blocked by CSF and only listening on 127.0.0.1
Click to expand...

that's strange these are all fresh Centmin Mod installs ? you double checked /etc/csf/csf.conf doesn't open port 11211 ?

Matt · Mar 2, 2018

eva2000 said: ↑

that's strange these are all fresh Centmin Mod installs ? you double checked /etc/csf/csf.conf doesn't open port 11211 ?
Click to expand...

No, these aren't centmin. However, csf only has 3 udp ports open, and even with memcached updated to 1.5.6 and not even posting a listen down to udp 11211 they still report the same. Always CentOS6

eva2000 · Mar 2, 2018

Matt said: ↑

No, these aren't centmin. However, csf only has 3 udp ports open, and even with memcached updated to 1.5.6 and not even posting a listen down to udp 11211 they still report the same. Always CentOS6
Click to expand...

so to clarify nmap reports 11211 open even with memcached 1.5.6 updated and ports blocked from public on both centmin mod installs and non-centmin mod installs that use centos 6.x ? or just non-centmin mod installs with centos 6.x ?

Matt · Mar 2, 2018

I'm just updating a CentOS6.9 Centminmod install now with 1.5.6 and will report back shortly.

Matt · Mar 2, 2018

1.5.6 Remi install on 6.9

Code:

# netstat -nlp | grep 11211             
tcp        0      0 127.0.0.1:11211             0.0.0.0:*                   LISTEN      2531/memcached

Code:

PORT      STATE         SERVICE
11211/tcp filtered      unknown
11211/udp open|filtered unknown

1.5.6 on Centminmod 6.9

Code:

# netstat -nlp | grep 11211   
tcp        0      0 127.0.0.1:11211             0.0.0.0:*                   LISTEN      31241/memcached

Code:

Host is up (0.088s latency).
PORT      STATE    SERVICE
11211/tcp closed   unknown
11211/udp filtered unknown

1.5.3 remi on CentOS7

Code:

# netstat -nlp | grep 11211 
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      1102/memcached     
udp        0      0 127.0.0.1:11211         0.0.0.0:*                           1102/memcached

Code:

Host is up (0.018s latency).
PORT      STATE  SERVICE
11211/tcp closed unknown
11211/udp closed unknown

CSF on ALL the servers

Code:

# Allow incoming UDP ports
UDP_IN = "20,21,53"

eva2000 · Mar 2, 2018

I checked on my Centmin Mod CentOS 6.9 installs and even Memcache 1.5.2-1.5.4 are reported closed as open|filtered in nmap due to CSF Firewall.

edit: wait might have read that incorrectly - state = open|filtered versus closed

Port Scanning Basics | Nmap Network Scanning

The six port states recognized by Nmap

open
An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network.

closed
A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up. Administrators may want to consider blocking such ports with a firewall. Then they would appear in the filtered state, discussed next.

filtered
Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically.

unfiltered
The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.

open|filtered
Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.

closed|filtered
This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.
Click to expand...

Matt · Mar 2, 2018

I've ran a TCPDUMP on 11211 UDP when doing an nmap, and it's not getting to the packet capture, so it's being dropped / not responded to (as expected).

Code:

open|filtered

Nmap places ports in this state when it is unable to determine whether 
a port is open or filtered. This occurs for scan types in which open
ports give no response. The lack of response could also mean that a
packet filter dropped the probe or any response it elicited. So Nmap
does not know for sure whether the port is open or being filtered. The
UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.

eva2000 · Mar 2, 2018

came to same conclusion open|filtered for our purposes just means = filtered or closed = ok

Matt · Mar 2, 2018

Had 2 customers with HiVelocity receive the same mail from them today

Hello,

Please investigate the following ABUSE COMPLAINT shown below related to activity on your server IP ADDRESS and promptly take appropriate action. Abuse Cases can often lead to collateral damage to our network and/or null routing of servers so it is CRITICAL WE HEAR FROM YOU QUICKLY on this. We are here to help you so please let us know if you require assistance.

So we can most efficiently resolve this issue, document the corrective action and close this case, we require all correspondence on this issue be within the Abuse Case located at myVelocity. If you have questions or need our assistance please just let us know within this same ticket.

You can review our Acceptable Use Policy at SLA & Legal Documents - Hivelocity Hosting

###############################################

A public-facing device on your network, running on IP address IP ADDRESS appears to operate an unsecured memcached instance responding on port 11211 that participated in a large-scale attack, generating UDP responses to spoofed requests that claimed to be from the attack target.

Please consider reconfiguring this server in one or more of these ways:

Adding a firewall rule to block all access to this host's UDP port 11211 at your network edge.

Adding firewall rules to allow connections to this service (on UDP port 11211) from authorized endpoints but block connections from all other hosts.

Adjusting the memcached instance to only listen on the local interface (localhost). To do this, you may need to follow these directions:

On CentOS/RHEL,

a. Open /etc/sysconfig/memcached in your favorite text editor. b. Change the line currently reading OPTIONS="" to OPTIONS="-l 127.0.0.1" c. Save the file and exit the editor. d. Restart memcached with this command: /etc/init.d/memcached restart

On Ubuntu/Debian,

a. Open /etc/memcached.conf in your favorite text editor. b. Locate the line containing the -l parameter and adjust it to read “-l 127.0.0.1”. If there is no line with a -l parameter, add one at the end of the file. c. Save the file and exit the editor. d. Restart memcached. To do this, you may need to use command “service memcached restart” or “systemctl restart memcached” depending on your version of Ubuntu.

###############################################

Thank you,
Click to expand...

Both of these servers have CSF installed and active with only the 3 default ports allowed for UDP.

Log in / Register

Forums

Want more timely Centmin Mod News Updates?

Memcached Memcrashed - Major amplification attacks from UDP port 11211

pamamolf Premium Member Premium Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

Matt Well-Known Member

Matt Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

Matt Well-Known Member

Matt Well-Known Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

Matt Well-Known Member

.

Log in / Register

Useful Searches

Want more timely Centmin Mod News Updates?

Memcached Memcrashed - Major amplification attacks from UDP port 11211

pamamolf Premium Member Premium Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

Matt Well-Known Member

Matt Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

Matt Well-Known Member

Matt Well-Known Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

Matt Well-Known Member

.