
Corero Discloses ‘Kill Switch’ for Memcached DDoS Cyberattack

Corero Network Security, a provider of distributed denial-of-service (DDoS) attack protection and mitigation services, has disclosed a "kill switch" countermeasure for the Memcached vulnerability to national security agencies.

In addition, hackers are using the Memcached vulnerability to steal and modify data, Corero said in a prepared statement.

How Does the 'Kill Switch' Work?

The Memcached vulnerability "kill switch" serves as a "flush_all" countermeasure, Corero stated. It sends a command back to an attacking server to suppress the current DDoS exploitation, Corero indicated, and invalidates a vulnerable server's cache.

Corero's countermeasure quench packet has been tested on live attacking servers and appears to be 100 percent effective, the company said. Also, the countermeasure has not been shown to cause any collateral damage.

A Closer Look at the Memcached Vulnerability

The Memcached vulnerability affects the Memcached open source memory caching system. It is responsible for some of the largest DDoS attacks ever recorded.

Initially, the Memcached protocol was designed to be used without logins or passwords. This means anything that is added to a vulnerable Memcached server can be stolen by anyone on the Internet – without a login, password or audit trail, Corero said.

The Memcached vulnerability now allows cyberattackers to generate spoofed requests and amplify DDoS attacks to create a flood of attack traffic, according to Corero. Alternatively, a Memcached server can be coaxed into divulging user data it has cached from its local network or host, including confidential database records, website customer information and emails.

Hackers also can use a simple debug command to reveal the "keys" to an end user's data and retrieve this information from any location, Corero noted. Furthermore, hackers can maliciously modify user data and reinsert it into a cache without the knowledge of a Memcached owner.

Nearly 100,000 Servers At Risk

Over the past week, hackers have used the Memcached vulnerability to target software development platform GitHub and many other globally recognized organizations. The Memcached exploit has also been used to amplify DDoS attacks by up to 50,000 times and to flood service providers, degrading service availability.

There are currently over 95,000 servers worldwide answering on TCP or UDP port 11211 from the Internet. These servers could potentially be used by attackers to launch Memcached DDoS attacks or expose customer data, Corero said.
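
For operators who want to know whether their own server is one of those answering on port 11211, the following Python function audits a memcached option string for that exposure. It is an added example, not code from Corero or the original article; it assumes the standard memcached options `-l` (listen address), `-p` (TCP port) and `-U` (UDP port, 0 is off), plain addresses in `-l`, and that UDP is off by default from release 1.5.6 onward. SASL (`-S`) is not considered, and the sample option strings are constructed.

```python
import ipaddress
import shlex

UDP_OFF_BY_DEFAULT = (1, 5, 6)  # first memcached release with UDP disabled by default


def is_loopback(addr: str) -> bool:
    """True only for addresses that keep the listener on the local host."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return False  # unknown hostname: treat as reachable


def audit_memcached(options: str, version: tuple) -> list:
    """Return exposure findings for an option string such as '-l 0.0.0.0 -p 11211'."""
    listen, tcp_port, udp_port = None, 11211, None
    args = shlex.split(options)
    for flag, value in zip(args, args[1:] + [""]):
        if flag == "-l":
            listen = value
        elif flag == "-p":
            tcp_port = int(value)
        elif flag == "-U":
            udp_port = int(value)
    if udp_port is None:
        # No -U given: releases before 1.5.6 open UDP on the TCP port number.
        udp_port = 0 if version >= UDP_OFF_BY_DEFAULT else tcp_port
    # No -l given: memcached binds every interface.
    addrs = listen.split(",") if listen else ["0.0.0.0"]
    exposed = [a for a in addrs if not is_loopback(a)]
    findings = []
    if exposed and udp_port:
        findings.append(f"udp/{udp_port} open on {','.join(exposed)}: amplification reflector")
    if exposed and tcp_port:
        findings.append(f"tcp/{tcp_port} open on {','.join(exposed)}: cache readable without login")
    return findings


# Constructed sample configurations, not taken from any real host.
SAMPLES = [
    ("-m 64 -p 11211 -u memcache", (1, 4, 25)),
    ("-m 64 -p 11211 -u memcache -l 127.0.0.1 -U 0", (1, 4, 25)),
    ("-l 10.0.0.5,127.0.0.1 -p 11211", (1, 5, 6)),
]

if __name__ == "__main__":
    for opts, ver in SAMPLES:
        print(opts, "->", audit_memcached(opts, ver) or "no exposure found")
```

A finding on a non-loopback address still needs to be checked against the host's firewall rules, since the audit only reads memcached's own options.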

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.