Stop sign

A mitigation mechanism is available for all victims who are under a DDoS attack carried out via Memcached servers.

This mitigation technique relies on the attacked victim sending a "flush_all" command back to the attacking servers. The measure was proposed last week by Dormando, one of the Memcached server developers.

Dormando's advice didn't receive the attention it deserved until today, after a Corero press release.

The company announced that it integrated this basic mitigation mechanism inside its DDoS mitigation solution and found it "to be 100% effective" during a live attack.

"It has not been observed to cause any collateral damage," Corero experts said about the "flush_all" technique.

Companies under DDoS attack from Memcached servers and who can't afford DDoS mitigation services, can, in theory, create scripts that implement the two "shutdown" and "flush_all" commands recommended by Dormando. These commands shut down attacking servers, or clear their cache of any malicious packets that cause the amplification effect of the DDoS attack.

Memcached v1.5.6 fixes DDoS attack vector

These DDoS attacks are happening because of Memcached servers left accessible online. In their default configuration, these servers expose port 11211, which attackers are using to reflect and amplify DDoS attacks.

The Memcached team has taken steps to address this configuration issue (CVE-2018-1000115). On February 27, they released Memcached v1.5.6 that disables the UDP protocol by default and requires users to explicitly enable UDP support when deploying Memcached servers.

But besides a new secure version of Memcached being rolled out, the huge media coverage has also driven many server owners to take action.

Number of vulnerable Memcached servers goes down

Rapid7 reported today that Memcached servers with port 11211 open on the Internet has dropped from 18,000 on March 1 to under 12,000 on March 5.

Security researcher Victor Gevers has reported seeing the same thing, albeit with different numbers.

The drop in numbers is also because cloud service providers have also taken steps to prevent their for-rent Memcached infrastructure from being abused in such attacks.

Another Memcached flaw?

But the Memcached DDoS issue isn't the only one that server owners will have to deal with this month. Corero also said today that the DDoS vulnerability "is more extensive than originally reported – and can also be used by attackers to steal or modify data from the vulnerable Memcached servers."

The company didn't provide any details, though, but said it reached out to national security agencies with the information it had so that agencies can prepare and send out the proper security alerts.

Related Articles:

Notorious "DerpTrolling" Pleads Guilty to DDoS Attacks on EA & Sony

Mirai Botnet Operator Ordered to Pay $8.6 Million

Bushido-Powered DDoS Service Whipped Up from Leaked Code

Port of Barcelona Suffers Cyberattack