2025-01-24 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report--
Today I will talk with you about how to analyze the trend of Memcached DRDoS attacks. Many people may not know much about this, so the editor has summarized the following for everyone; I hope you gain something from this article.
I. Overview
Reflection attacks based on the Memcached service, with their reported amplification ratio of up to 50,000 times, have become the "new favorite" of the DDoS community since they first appeared. On February 28, 2018, GitHub suffered a 1.35 Tbps Memcached DRDoS attack. Thanks to the efforts of security researchers and the relevant organizations, the number of usable reflection sources has gradually been reduced, and attackers in turn keep updating their methods to evade filtering. The following sections highlight Memcached DDoS attack trends and some new Memcached DRDoS techniques.
II. Attack trends
Memcached DRDoS attacks have been rising since February 25: they accounted for only 5% of all attacks in early March, exceeded 10% from mid-March, and have since fluctuated between 10% and 20%, reaching 30% in the most recent week.
III. The 50,000-fold amplification
In February, CF (Cloudflare) published an article reporting that it had observed a 15-byte request packet and a 750-kilobyte response. From this the reflection factor was calculated as 51,200 times.
The 50,000 figure from CF is calculated purely as the ratio of response data to request data. A DDoS attack, however, consumes network bandwidth, so the real amplification factor must take into account the length the packets actually occupy on the wire.
IEEE 802.3 (Note 1) specifies the Ethernet packet layout:
According to 802.3, a packet on the wire occupies between 84 and 1542 bytes. The 15-byte request above therefore actually occupies 84 bytes on the wire, and a 1400-byte response datagram occupies 1466 bytes, because a complete UDP packet carries the protocol headers with it: 14 (Ethernet header) + 20 (IP header) + 8 (UDP header) + 4 (FCS) + 20 (frame gap, i.e. preamble plus inter-frame gap) = 66 bytes.
Recalculating with CF's measured data:
The wire traffic generated by the 750 KB response is: 750*1024/1400*1466 = 804205.7 bytes
The actual reflection factor is: 804205/84 = 9573.9 times.
Clearly the calculation method matters: the amplification factor drops from 50,000 to under 10,000. Whatever the gap, it does not stop Memcached reflection from being the number one DRDoS vector.
Of course, even with the amplification calculated carefully, there are ways in which such attacks are amplified further.
Increasing the reflection factor
A Memcached value is limited to 1 MB by default. The reflection factor achievable from a single get request is therefore: 1024*1024/1400*1466/84 = 13071.5 times.
Although simply enlarging the VALUE yields an amplification factor below 20,000, certain techniques still push the reflection factor into the hundreds of thousands.
The attack we recently captured uses one such technique.
The attacker, as shown in the figure above, packs multiple queries into one request: by executing multiple get commands in a single UDP packet, the Memcached server returns a large number of data packets. Since each UDP packet carries 66 bytes of its own overhead, saving on the number of UDP packets sent achieves a larger amplification than sending one command at a time.
In the attack example above, the attacker assembled 70 Memcached GET commands into one UDP packet with a total length of 844 bytes (Wireshark does not count the frame gap and FCS, so 820 + 24 = 844).
The VALUE returned for this command is 304800 bytes long:
Reflection factor: 304800*70/1400*1466/844 = 26471.4 times.
In theory this is not the maximum.
As the number of GET commands grows the reflection factor grows with it, and with an optimized payload a reflection factor in the hundreds of thousands is reached:
1) Replace get VcoOw\r\n with get a\r\n and pack more commands into one UDP packet. With an MTU of 1500, a 20-byte IP header, an 8-byte UDP header and an 8-byte Memcache protocol header, the number of commands can reach (1500-20-8-8)/7 = 209.14; a conservative calculation uses 205 commands.
2) Transmitted packet length: 66+8+7*205 = 1509 bytes,
3) Each value is 1024*1024 bytes,
so the overall reflection factor is: 1024*1024*205/1400*1466/1509 = 149166.2 times!
In real environments the reflection ratio is much smaller. On one hand it is bounded by the performance of the Memcached server; on the other, UDP suffers a certain proportion of packet loss and even empty responses.
IV. Amplification that misfires
In the captured attack data, a certain proportion of the returned packets contain nothing but END.
This happens when the KEY requested by the GET command does not exist: an 820-byte request packet then produces 70 UDP packets of 60 bytes each.
Reflection factor: 84*70/844 = 6.97 times.
The reflection ratio is extremely low, but because routers and servers handle packets with limited performance, a large number of small packets still has a considerable impact on the network.
Statistics from a sample of the data give the following ratio of END packets to large packets:
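The wire-level arithmetic of sections III and IV, collected into one estimator so a defender can work out what an exposed Memcached server could emit per request; this is an added example, not code from the original article. It uses the article's framing model (66 bytes of overhead, 84-byte minimum frame, 1400-byte response datagrams) and reproduces the five factors the text works through, including the END-only case.

```python
# Added example (not part of the original article): estimate on-wire
# amplification with the IEEE 802.3 framing model the article applies.
FRAME_OVERHEAD = 14 + 20 + 8 + 4 + 20  # Ethernet + IP + UDP + FCS + preamble/IFG = 66
MIN_WIRE_FRAME = 84                    # smallest possible frame on the wire
MC_UDP_HEADER = 8                      # memcached UDP frame header
MC_UDP_CHUNK = 1400                    # UDP payload per memcached response datagram


def wire_bytes(udp_payload_len):
    """Bytes one datagram occupies on the wire, never less than 84."""
    return max(MIN_WIRE_FRAME, udp_payload_len + FRAME_OVERHEAD)


def value_wire_bytes(value_len, n_values=1, chunk=MC_UDP_CHUNK):
    """Wire bytes for n_values responses of value_len bytes each, using the
    article's continuous approximation: total / 1400 * 1466."""
    return value_len * n_values / chunk * (chunk + FRAME_OVERHEAD)


def amplification(request_udp_payload_len, response_wire):
    """Reflection factor = response bytes on the wire / request bytes on the wire."""
    return response_wire / wire_bytes(request_udp_payload_len)


def article_scenarios():
    """The five cases worked in the article, in one place (lengths in bytes)."""
    get_a = MC_UDP_HEADER + len(b"get a\r\n")   # 15-byte request -> 84 on the wire
    seventy_gets = 844 - FRAME_OVERHEAD          # the 844-byte frame on the wire
    gets_205 = MC_UDP_HEADER + 7 * 205           # 1509 bytes on the wire
    return {
        "cf_750kB": amplification(15, value_wire_bytes(750 * 1024)),
        "single_1MB_value": amplification(get_a, value_wire_bytes(1024 * 1024)),
        "70_gets_304800B": amplification(seventy_gets, value_wire_bytes(304800, 70)),
        "205_gets_1MB": amplification(gets_205, value_wire_bytes(1024 * 1024, 205)),
        # misses: 70 "END\r\n" datagrams, each padded to the 84-byte minimum frame
        "70_END_only": amplification(seventy_gets, 70 * wire_bytes(MC_UDP_HEADER + 5)),
    }


if __name__ == "__main__":
    for name, factor in article_scenarios().items():
        print(f"{name:18s} {factor:10.1f}x")
```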
V. Analysis of reflection sources
Clustering and summarizing the attack packets produced by the sampled reflection sources, China has the highest share, followed by the United States and Russia.
The reflection sources in Hangzhou produced the most attack packets. Curbing the abuse of reflection sources requires active handling by IDCs and cloud platforms.
Among the sampled reflection sources, Memcached version 1.4.15 is the most common:
Analyzing the targets of Memcached DRDoS attacks, Suqian suffered the most:
VI. Comparison of attack techniques
The earlier attack PoCs came in two flavours, a C version and a Python version. The C version mainly used the stats command of the Memcached service (10 to 20 times amplification); the Python version uses the set and get commands.
The variant we captured this time combines multiple commands into a single UDP packet.
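To pick this variant out of a capture, a parser for the memcached UDP framing that counts the commands in each datagram and labels the datagram with the groups tabulated in this section. This is an added example, not the article's or the Memcached project's code; the 8-byte UDP header layout (request id, sequence number, datagram count, reserved) is the documented memcached UDP format, and the sample datagrams are constructed here from the payload table.

```python
import struct

# Added example (not from the original article): parse memcached UDP request
# datagrams and label them with the command patterns this section tabulates,
# so the multi-get variant can be spotted in a packet capture.
MC_UDP_HDR = struct.Struct("!HHHH")  # request id, sequence, datagram count, reserved


def parse_request(datagram: bytes):
    """Return the header fields and a list of (command, args) pairs."""
    if len(datagram) < MC_UDP_HDR.size:
        raise ValueError("shorter than the memcached UDP header")
    req_id, seq, count, _ = MC_UDP_HDR.unpack_from(datagram)
    commands = []
    for line in datagram[MC_UDP_HDR.size:].split(b"\r\n"):
        parts = line.decode("ascii", "replace").split()
        if parts:
            commands.append((parts[0].lower(), parts[1:]))
    return (req_id, seq, count), commands


def classify(commands):
    """Map a command list onto the groups from the payload table."""
    names = [name for name, _ in commands]
    if not names:
        return "empty"
    if all(n == "stats" for n in names):
        return "stats"
    if all(n in ("get", "gets") for n in names):
        if len(names) > 1:
            return "multi-get"          # the captured variant: many gets per datagram
        return "multi-key-get" if len(commands[0][1]) > 1 else "single-get"
    return "other"


def is_end_only(response: bytes) -> bool:
    """True when a response datagram carries nothing but END (key missing)."""
    return response[MC_UDP_HDR.size:] == b"END\r\n"


def build(body: bytes, req_id=1) -> bytes:
    """Constructed sample datagram: one-fragment header followed by the body."""
    return MC_UDP_HDR.pack(req_id, 0, 1, 0) + body


SAMPLES = {  # constructed from the payload table; group 1 repeats get 70 times
    "g1": build(b"get Vco0W\r\n" * 70),
    "g5": build(b"gets a b c d e f\r\n"),
    "g6": build(b"stats items\r\n"),
    "g3": build(b"get foo\r\n"),
}


def classify_samples():
    return {k: classify(parse_request(v)[1]) for k, v in SAMPLES.items()}
```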
The payload is as follows:
Grouping the attackers' payloads by the similarity of the key and value parameters they SET on the reflection resources:
Attackers are more inclined to use get XXX style commands to obtain larger reflection factors.
Group   Payload                         Proportion
1       gets Vco0W                      6%
1       get Vco0W; get Vco0W; …         72%
2       get djt dht                     11%
3       get foo                         1%
4       get qtcfg                       1%
5       gets a b c d e f … z            1%
6       stats items                     3%
6       stats                           5%
VII. Defenses
1) Configure firewall policies on the Memcached servers, or on the network devices in front of them, so that only authorized business IP addresses can reach the Memcached service, and block all other access.
2) Change the Memcached listening port from the default 11211 to another high-numbered port, so the default port cannot be abused.
3) Do not enable the Memcached UDP service unless it is absolutely necessary. The latest Memcached versions do not enable UDP by default.
4) Upgrade to the latest Memcached release and configure access control, for example by enabling SASL authentication (pass the --enable-sasl option when compiling and installing Memcached, and start the Memcached service with the -S parameter to turn on the SASL authentication mechanism and improve Memcached's security).
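A small audit of a memcached command line against the four defenses above, as an added example rather than anything from the article or the Memcached project. It reads only the real short options -l (listen address), -U (UDP port, 0 disables), -p (TCP port) and -S (SASL); the sample command lines and the internal address are constructed, and the note about the pre-1.5.6 UDP default is the editor's own.

```python
import shlex

# Added example (not from the original article): audit a memcached command
# line against the four defenses listed above. Only -l, -U, -p and -S are
# parsed; other memcached flags are skipped. "-l addr:port" forms are not handled.
ALL_INTERFACES = {None, "0.0.0.0", "::", "*"}


def parse_options(cmdline: str) -> dict:
    """Pull listen address, UDP port, TCP port and SASL flag out of a memcached command line."""
    argv = shlex.split(cmdline)
    opts = {"listen": None, "udp_port": None, "tcp_port": 11211, "sasl": False}
    i = 1
    while i < len(argv):
        flag = argv[i]
        value = argv[i + 1] if i + 1 < len(argv) else None
        if flag == "-l":
            opts["listen"] = value
            i += 2
        elif flag == "-U":
            opts["udp_port"] = int(value)
            i += 2
        elif flag == "-p":
            opts["tcp_port"] = int(value)
            i += 2
        elif flag == "-S":
            opts["sasl"] = True
            i += 1
        else:
            i += 1                      # unrelated option, skip it
    return opts


def audit(cmdline: str) -> list:
    """Return findings; an empty list means all four defenses are in place."""
    o = parse_options(cmdline)
    findings = []
    if o["listen"] in ALL_INTERFACES:
        findings.append("binds all interfaces: use -l <internal address> plus a firewall allow-list")
    if o["udp_port"] is None:
        findings.append("UDP not pinned: releases before 1.5.6 listen on UDP 11211 by default, add -U 0")
    elif o["udp_port"] != 0:
        findings.append(f"UDP enabled on port {o['udp_port']}: add -U 0 unless UDP is required")
    if o["tcp_port"] == 11211:
        findings.append("default port 11211: move the service to a non-default high port")
    if not o["sasl"]:
        findings.append("SASL off: build with --enable-sasl and start with -S")
    return findings


WEAK = "memcached -m 64 -p 11211 -u memcache -l 0.0.0.0"              # constructed
HARDENED = "memcached -m 64 -p 11311 -u memcache -l 10.0.0.5 -U 0 -S"  # constructed
```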
VIII. Conclusion
Developers favor UDP because it is non-blocking, fast to send and receive, more flexible than TCP, and better suited to some real-time interactive scenarios; I believe more and more services will choose UDP. DRDoS attacks exploit precisely this loose, fast-response character of UDP, aiming again and again at an ever wider range of open services so that the target cannot defend itself.
Memcached reflection can reach amplification factors of up to 100,000 times, which not only does great damage to the target but also greatly increases the load on the reflection sources and disrupts their own services. Attackers are everywhere and defense still needs to be professional; prevention depends above all on service providers, IDCs and cloud platforms strengthening their security awareness.
After reading the above, do you have a better understanding of how to analyze Memcached DRDoS attack trends? If you want to learn more, please follow the industry information channel; thank you for your support.