Researchers at Cloudflare, Arbor Networks, and the Chinese firm Qihoo 360 report that hackers have in recent days been abusing Memcached to amplify large-scale DDoS attacks.
Memcached is a distributed caching system that stores objects in memory and is designed to work with a large number of open connections. The Memcached server runs on TCP or UDP port 11211. The system was designed primarily to reduce server load.
As Cloudflare points out, the attack apparently abuses unprotected Memcached servers that have UDP enabled to deliver DDoS attacks at 51,200 times their original strength, making it the most prominent amplification method used to date.
Like other amplification methods, in which hackers send a small request from a spoofed IP address to get a much larger response in return, the Memcrashed amplification attack works by sending a forged request to the targeted server (a vulnerable UDP server) on port 11211 using a spoofed IP address that matches the victim’s IP.
“15 bytes of request triggered 134KB of response. This is amplification factor of 10,000x! In practice we’ve seen a 15-byte request result in a 750kB response (that’s a 51,200x amplification),” Cloudflare says.
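The request/response asymmetry described above shows up in flow records from a network that hosts an exposed Memcached server, where the apparent "client" is in fact the spoofed victim address. The following is an added example, not code from the original article or from Cloudflare: it flags UDP exchanges on port 11211 whose replies dwarf the requests. The CSV layout, function name, thresholds and sample records are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed sample flow records (not real traffic); documentation address ranges.
SAMPLE_FLOWS = """\
proto,src_ip,src_port,dst_ip,dst_port,bytes
udp,203.0.113.7,40000,192.0.2.10,11211,15
udp,192.0.2.10,11211,203.0.113.7,40000,768000
tcp,198.51.100.5,51000,192.0.2.10,11211,120
tcp,192.0.2.10,11211,198.51.100.5,51000,900
udp,198.51.100.9,53000,192.0.2.10,11211,40
udp,192.0.2.10,11211,198.51.100.9,53000,60
"""


def find_reflection(flow_csv, min_factor=10.0, min_reply_bytes=10_000):
    """Return [(server, peer, request_bytes, reply_bytes, factor)] for UDP
    exchanges on port 11211 whose replies are far larger than the requests."""
    req = defaultdict(int)  # (server, peer) -> bytes sent to server:11211
    rep = defaultdict(int)  # (server, peer) -> bytes sent from server:11211
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "udp":
            continue  # the amplification described here relies on UDP
        size = int(row["bytes"])
        if int(row["dst_port"]) == MEMCACHED_PORT:
            req[(row["dst_ip"], row["src_ip"])] += size
        elif int(row["src_port"]) == MEMCACHED_PORT:
            rep[(row["src_ip"], row["dst_ip"])] += size
    findings = []
    for (server, peer), reply_bytes in rep.items():
        request_bytes = req.get((server, peer), 0)
        # A reply with no recorded request still counts; avoid dividing by zero.
        factor = reply_bytes / max(request_bytes, 1)
        if reply_bytes >= min_reply_bytes and factor >= min_factor:
            findings.append((server, peer, request_bytes, reply_bytes, factor))
    return sorted(findings, key=lambda f: f[4], reverse=True)


if __name__ == "__main__":
    for server, peer, rq, rp, factor in find_reflection(SAMPLE_FLOWS):
        print(f"{server} sent {rp} B to {peer} for {rq} B of requests ({factor:.0f}x)")
```

A server that appears in the output is answering Memcached requests over UDP from outside and should have that port filtered or UDP turned off.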
How can this problem be mitigated?
Limit traffic flow on the Memcached port (11211).
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.