Could Your Organisation’s Servers Be A Botnet?


Most organisations are aware that they could be the target of a DDoS attack and have deployed protection to keep their public-facing services online in the face of such attacks. However, far fewer have thought about the potential for their servers to be harnessed for use in a botnet, the group of servers used to conduct such DDoS attacks. Up until a few months ago, attackers typically only used well-known infrastructure services, like DNS resolution servers, to launch and amplify DDoS attacks, but Memcached – a popular database caching system – changed that.

Malicious hackers have begun abusing Memcached to deliver attacks that are amplified to over 50,000 times their original size – one of the largest amplification methods ever detected. Any organisation running Memcached to speeds up their systems is a potential botnet recruit.

How Memcached and similar UDP based service attacks work

Earlier this year, researchers discovered that a flaw in the implementation of the User Datagram Protocol (UDP) for Memcached servers can allow hackers to deliver record-breaking attacks with little effort. Memcached is a distributed memory caching system, originally intended for use in speeding up networks and website applications by reducing database load. Memcached reduces latency and database load by storing data objects in memory, immediately returning them to the caller without requiring a database query.

Usually, Memcached systems are deployed within a trusted network where authentication may not be required. However, when exposed to the Internet, they become trivially exploitable if authentication isn’t turned on. Not only is the cached data accessible to attackers, it’s simple to use the Memcached server for a DDoS attack, if UDP access is enabled. Specifically, with UDP an attacker can “spoof” or fake the Internet Protocol address of the target machine, so that the Memcached servers all respond by sending large amounts of data to the spoofed address, thus triggering a DDoS attack. Most popular DDoS tactics that abuse UDP connections can amplify the attack traffic up to 20 times, but Memcached can take a small amount of attack traffic and amplify the size of the request thousands of times. Thus, a small number of open Memcached servers can be used to create very large DDoS attacks.

The implications to the organisation

If you’re running Memcached with UDP and without authentication, you’re now a likely target for inclusion in a botnet. Should you become part of a botnet, it’s possible that both your servers and your bandwidth will be overloaded, resulting in outages and increased network costs. Indeed, attackers have already demonstrated how badly servers with misconfigured Memcached can be abused and used to launch DDoS attacks with ease.

In addition, unprotected Memcached servers give attackers access to the user data that has been cached from its local network or host, potentially including email addresses, database records, personal information and more. Additionally, cybercriminals could potentially modify the data they access and reinsert it back into the cache without user’s knowledge, thus polluting production applications.

To avoid being assimilated into a Borg-ish botnet, organisations and internet service providers need to take a more proactive approach in identifying any vulnerable servers before damage is done.

What can be done to prevent the severs being recruited?

Despite multiple warnings about threat actors exploiting unprotected Memcached servers, ArsTechnica reported that searches show there are more than 88,000 vulnerable servers – a sign that attacks may get much bigger. Therefore, it’s crucial that organisations ensure they have the correct security measure in place, to avoid being part of this wave.

Attacks of those scale and size cannot be easily defended against by Internet Service Providers (ISPs), thus organisations need to take inventory of any Internet-facing servers and ensure that Memcached is not inadvertently exposed. For any internet-facing servers that require Memcached, they should consider using a Software-Defined Perimeter to ensure that only authorized users will be able to send UDP packets or establish TCP connection. This will prevent attackers from being able to harness servers in a DDoS attack and leverage them to amplify those attacks. In addition, companies need to look at internal servers that are running Memcached, because an internal distributed denial-of-service attack could also be launched from some locally-running malware.

Jason Garbis
Jason Garbis, Security Product Leader at Cyxtera

Jason Garbis Web Site