Shulou (Shulou.com) 05/31 Report. Updated 2025-01-23.
This article presents CNCERT's analysis of reflective DDoS attacks that abuse memcached servers.
The number of incidents that use memcached servers to carry out reflection DDoS attacks has increased significantly. In response, CNCERT immediately began tracking and analysis. Monitoring found that memcached reflection attacks have been active in China since February 21, 2018; attack traffic on March 1 exceeded that of the traditional SSDP and NTP reflection attacks, and peak traffic reached 1.94Tbps at about 02:30 on March 1. As attackers come to understand and master memcached reflection attacks, more such attacks are expected in the near future. The relevant information is announced as follows:
1. Basic principles of memcached reflection attack
The memcached reflection attack takes advantage of the authentication and design defects of the large number of memcached servers (memcached is a distributed cache system) exposed on the Internet. The attacker sends UDP packets carrying specific instructions (stats, set/get) to the default port 11211 of a memcached server, with the source address falsified to the victim's IP address. The memcached server then reflects data many times larger than the original packet back to the victim's IP address (up to 50,000 times in theory; continuous tracking and observation put the average amplification of attack traffic at about 100 times), which constitutes the reflection attack.
2. Recent trend of memcached reflection attack traffic in China
The peak traffic of memcached reflection attacks reached 1.94Tbps at 02:30 in the morning on March 1, and the attack traffic at 2 to 3, 7, 9, 15:00, 20:00 and 23:00 exceeded 500Gbps.
3. Server distribution of open memcached services
CNCERT sampling monitoring found 72100 IP addresses of servers with open memcached services, including 53200 in China and 18900 abroad. The distribution of servers with open memcached services in China is shown in the following table:
Number of server IPs with open memcached service    Province
7109    Guangdong
6781    Zhejiang
4737    Henan
4417    Beijing
4335    Shandong
3130    Hunan
2473    Jiangsu
1986    Hebei
1821    Shanghai
1512    Sichuan
1410    Shaanxi
1346    Liaoning
1316    Inner Mongolia
116516Jilin
1012    Fujian
840     Heilongjiang
        Shanxi
768     Anhui
5139    other provinces
1. It is recommended that the competent authorities, security agencies and basic telecommunications enterprises promote the remediation of memcached servers in China, especially the memcached servers that have recently been used to launch DDoS attacks:
1) Configure a firewall policy on the memcached server or on the network devices it connects through, so that only authorized business IP addresses can access the memcached server and unauthorized access is blocked.
2) Change the listening port of the memcached service to a high-numbered port other than 11211 to avoid malicious exploitation of the default port.
3) Upgrade to the latest memcached software version and configure access control policies such as SASL authentication (add the --enable-sasl option when compiling and installing memcached, and add the -S parameter when starting the memcached service, to enable the SASL authentication mechanism and improve the security of memcached).
2. It is recommended that basic telecom enterprises, cloud service providers and IDC service providers limit and block UDP traffic whose source port or destination port is 11211 at the entrances and exits of backbone networks, metropolitan area networks and IDCs, and notify users whose IP addresses are used to launch memcached reflection attacks and have those hosts remediated.
3. It is suggested that the relevant units take stock of other server resources (such as NTP servers and SSDP hosts) that may be used to launch large-scale reflection attacks, so as to prevent and deal with such reflection attacks.
CNCERT will closely monitor and follow the development and evolution of memcached reflection attacks and will publish updates.
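Detection logic for the traffic pattern described in section 1 and in recommendation 2 (UDP traffic with source or destination port 11211), added here as an example and not part of the CNCERT notice: it groups flow records by target address and reports the reflected bytes, the reflecting servers and the amplification factor. The flow tuple layout, the thresholds and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

MEMCACHED_PORT = 11211  # default memcached port named in the advisory

# Constructed flow records, not real traffic (documentation address ranges):
# (src_ip, src_port, dst_ip, dst_port, protocol, bytes)
SAMPLE_FLOWS = [
    # Requests whose source address is the victim's, sent to open memcached servers
    ("198.51.100.7", 40001, "203.0.113.10", 11211, "udp", 60),
    ("198.51.100.7", 40002, "203.0.113.11", 11211, "udp", 60),
    # Much larger responses reflected to that same address
    ("203.0.113.10", 11211, "198.51.100.7", 40001, "udp", 6200),
    ("203.0.113.11", 11211, "198.51.100.7", 40002, "udp", 5800),
    # Unrelated traffic that must not be flagged
    ("192.0.2.5", 53000, "203.0.113.10", 11211, "tcp", 300),
    ("192.0.2.9", 123, "198.51.100.7", 50000, "udp", 480),
]


def summarize_reflection(flows, min_bytes=1000, min_factor=10.0):
    """Flag addresses receiving amplified UDP traffic from source port 11211."""
    stats = defaultdict(lambda: {"req": 0, "resp": 0, "reflectors": set()})
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto.lower() != "udp":
            continue
        if sport == MEMCACHED_PORT:      # response leaving a memcached server
            stats[dst]["resp"] += nbytes
            stats[dst]["reflectors"].add(src)
        elif dport == MEMCACHED_PORT:    # request; src is the claimed sender
            stats[src]["req"] += nbytes
    report = {}
    for target, s in stats.items():
        if s["resp"] < min_bytes:
            continue
        # If the requests were not observed here, no factor can be computed.
        factor = s["resp"] / s["req"] if s["req"] else None
        if factor is None or factor >= min_factor:
            report[target] = {
                "request_bytes": s["req"],
                "response_bytes": s["resp"],
                "amplification": factor,
                "reflectors": sorted(s["reflectors"]),
            }
    return report


if __name__ == "__main__":
    for victim, info in summarize_reflection(SAMPLE_FLOWS).items():
        print(victim, info)
```

A target whose requests were not seen at the monitoring point is still reported, with the amplification left as None, because a network that only carries the reflected responses sees just the source-port-11211 side.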