Kill switch halts memcached DDoS attacks

Researchers have identified a technique that can halt a memcached amplification attack.

DDoS protection firm Corero reported victims could send a "flush_all" command back to the attacking servers to stop the 1Tbps+ DDoS attacks that have targeted the likes of GitHub and others in recent weeks.

This suppresses the flood of traffic by invalidating a vulnerable memcached server's cache, the firm said.

Memcached servers in their default configuration expose port 11211. Attackers are targeting such servers with UDP support enabled to spoof the 'get' request message with a victim's IP address and amplify DDoS attacks by up to 50,000 times.

Corero said its kill switch "appeared to be 100 percent effective" in testing on attacking servers.

"Ironically, the Memcached utility was intended to cache frequently-used web pages and data to boost legitimate performance. But this utility has now been weaponised to exploit its performance boosting potential for illegitimate purposes," Corero CEO Ashley Stephenson said.

Memcached developers released an update (version 1.5.6) in the wake of the high-profile attacks that disables the UDP protocol by default.

The tools used to launch the attacks were publicly posted to GitHub this week. The two proofs-of-concept come with a list of 17,000 vulnerable memcached servers.

However the high-profile nature of the GitHub and other attacks seem to be spurring memcached users into action; according to Rapid7 the number of memcached servers with port 11211 open dropped from 18,000 on March 1 to less than 12,000 on March 5.