As pointed out earlier (https://isc.sans.edu/forums/diary/Why+we+Dont+Deserve+the+Internet+Memcached+Reflected+DDoS+Attacks/23389/) this memcached reflected DDoS thing is pretty bad. How bad? Well, US-CERT updated its UDP-Based Amplification Attacks advisory (https://www.us-cert.gov/ncas/alerts/TA14-017A) to add Memcache to the list of potential attack vectors. The really telling bit is the chart that shows the Bandwidth Amplification Factor. Before memcache was added, the largest factor was 556.9 from NTP, where each byte sent in to a vulnerable server would return about 557 bytes in attack traffic. Memcache is listed as 10,000 to 51,000. That's remarkably large.
How common is an internet-facing memcache daemon? I did a little poking with Shodan (https://www.shodan.io/) and it had identified 100k or so systems. Mostly in cloud provider spaces as you would expect.
So how did this happen? I don't know much about memcache myself, so I think that makes me particularly qualified to take a stab at the answer. Since I don't know what it is, or how to install it, I turn to Google to help me out. Buried in the wiki for memcached (https://github.com/memcached/memcached/wiki/ConfiguringServer) under the networking section one might read:
But who has time for instructions, right? What's Google tell me to do? The top answer gives us:
Change the memcached configuration setting for CACHESIZE and -l :
Hey, that looks right. What about Digital Ocean's instructions (they have a lot of these open)? https://www.digitalocean.com/community/tutorials/how-to-install-and-use-memcache-on-ubuntu-14-04
It has this as how it's started:
/usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1
That looks fine too. So it's not a rash of bad instructions on the Internet.
Okay, how about stackoverflow/serverfault? In the top question about memcache (https://serverfault.com/questions/347621/memcache-basic-configuration) we find an illuminating answer:
I wonder how many web-admins thought they needed to open up access to all of their clients.
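A defensive check for the start lines compared above, added here as an example and not taken from the diary or from the memcached project: it parses a memcached command line and flags the case where the UDP listener is reachable from other hosts. The function names and the second and third sample lines are constructed; `-l` and `-U` are memcached's listen-address and UDP-port options, and an unknown daemon version is assumed, so UDP counts as on unless `-U 0` is present.

```python
import ipaddress
import shlex

def is_loopback(addr):
    """True when one -l value names only the local host."""
    host = addr.strip()
    if host == "localhost":
        return True
    # Try the value as given, then with a trailing :port removed.
    for candidate in (host, host.rsplit(":", 1)[0].strip("[]")):
        try:
            return ipaddress.ip_address(candidate).is_loopback
        except ValueError:
            continue
    return False  # any other hostname: assume reachable from outside

def option_values(args, short, long_prefix):
    """Collect values given as '-x v', '-xv' or '--name=v'."""
    values = []
    for i, arg in enumerate(args):
        if arg == short and i + 1 < len(args):
            values.append(args[i + 1])
        elif arg.startswith(long_prefix):
            values.append(arg[len(long_prefix):])
        elif arg.startswith(short) and len(arg) > 2:
            values.append(arg[2:])
    return values

def audit_memcached(cmdline):
    """Report whether a memcached start line leaves UDP reachable off-host."""
    args = shlex.split(cmdline)[1:]
    listen = [a for v in option_values(args, "-l", "--listen=") for a in v.split(",")]
    udp = option_values(args, "-U", "--udp-port=")
    # No -l means every interface. Assumption: the daemon version is unknown,
    # so UDP counts as enabled unless -U 0 is given explicitly.
    off_host = not listen or not all(is_loopback(a) for a in listen)
    udp_on = not udp or int(udp[-1]) != 0
    return {"listen": listen or ["<all interfaces>"],
            "off_host": off_host, "udp_on": udp_on,
            "reflector_risk": off_host and udp_on}

# Sample start lines: the first is the tutorial's, the others are constructed.
SAMPLES = [
    "/usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1",
    "/usr/bin/memcached -m 64 -p 11211 -u memcache",
    "/usr/bin/memcached -m 64 -l 0.0.0.0 -U 0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(audit_memcached(line)["reflector_risk"], line)
```

Feeding it the arguments of the running process (for example from `ps -o args= -C memcached`) checks what is actually in effect rather than what the config file says.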
Feb 28th 2018