The tools for launching the record-setting MemCached DDoS attacks of early March were made public shortly afterwards. Proof-of-concept code named “MemCached-DDoS-Exploit” was posted on GitHub, listed as a “DDoS attack tool for sending forged UDP packets to vulnerable Memcached servers obtained using Shodan API”.
Twitter user @037, who describes themselves as a “Computer Science and Engineering Major” based in San Francisco, is the author of the MemCrashed DDoS Exploit Tool. The code, combined with a list of 17,000 IP addresses of vulnerable memcached servers (obtainable from the Shodan.io search engine for Internet-connected devices), lets anyone send spoofed UDP packets to those servers. On GitHub, the only prerequisites listed as essential are Python 3.x along with the Scapy and Shodan modules. An upgraded Shodan API key is also needed, which @037 says is obtainable for free “if you sign up using a .edu email”. A DDoS attack can apparently be launched against a target within seconds of running the tool.
The code author said they were releasing it “to bring more attention to the flaw and force others into updating their devices.” BleepingComputer identified the author as “the infosec researcher behind the Spuz.me blog”.
The memcrashed DDoS attacks ushered in the era of terabit-scale DDoS attacks the industry had long expected, with the 1.35TB and 1.7TB attacks occurring in quick succession.
A second PoC tool was released shortly afterwards, according to BleepingComputer, but its author is unknown. This PoC is written in C, and it too comes with a list of over 17,000 IP addresses of vulnerable memcached servers. The C program launches DDoS attacks that use the servers on the list to reflect and amplify traffic towards the target.
Most industry experts expected the PoC code to be released, but its availability will make it significantly easier for low-skilled actors to launch attacks of this type.
“I bet the DDoS-as-a-Service industry has Memcached included in their offerings by next week,” said Daniel Smith, a security researcher for US cyber-security firm Radware.
The only way to create a long-term fix is for memcached server owners to apply an update that fixes the UDP protocol implementation, which would remove the amplification factor. However, security researchers are finding themselves fighting an uphill battle to get the owners of vulnerable servers to actually install the updates.
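In practice the fix the article refers to comes down to two memcached settings: whether the UDP listener is on at all (the `-U`/`--udp-port` option, which memcached 1.5.6 and later default to 0) and which interfaces the daemon binds to (`-l`/`--listen`; without it memcached listens on all interfaces). The following Python audit is an added illustration, not code from the article or from the memcached project: it reads a memcached command line or a Debian-style memcached.conf and reports whether the instance is reachable as a UDP reflector. The sample configurations at the bottom are constructed for the example.

```python
"""Audit a memcached startup configuration for UDP amplification exposure.

Added example, not part of the article or of memcached itself. It inspects
the two options the mitigation advice maps onto: the UDP port (-U or
--udp-port; 0 disables UDP) and the bind address (-l or --listen). Before
memcached 1.5.6, UDP on port 11211 was enabled unless -U 0 was given; from
1.5.6 on it is off unless explicitly enabled.
"""
import shlex
from dataclasses import dataclass, field
from typing import List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


@dataclass
class UdpExposure:
    udp_port: int
    listen_addrs: List[str]
    findings: List[str] = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        # Reflector risk exists only when UDP is on AND some bind address is non-loopback.
        return self.udp_port != 0 and any(_host(a) not in LOOPBACK for a in self.listen_addrs)


def _host(addr: str) -> str:
    """Strip an optional ':port' suffix from an IPv4 or hostname bind address."""
    if addr.count(":") == 1:
        return addr.split(":", 1)[0]
    return addr


def tokenize(config: str) -> List[str]:
    """Flatten a command line or a memcached.conf (one option per line,
    '#' comments) into a single list of option tokens."""
    tokens: List[str] = []
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tokens.extend(shlex.split(line))
    return tokens


def audit_memcached(config: str, legacy_udp_default: bool = True) -> UdpExposure:
    """Return the UDP exposure of a memcached instance described by its options.

    legacy_udp_default=True models memcached < 1.5.6 (UDP on unless -U 0).
    """
    udp_port = 11211 if legacy_udp_default else 0
    listen_addrs: List[str] = []
    tokens = tokenize(config)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in ("-U", "--udp-port") and nxt is not None:
            udp_port = int(nxt)
            i += 2
        elif tok.startswith("--udp-port="):
            udp_port = int(tok.split("=", 1)[1])
            i += 1
        elif tok in ("-l", "--listen") and nxt is not None:
            listen_addrs.extend(nxt.split(","))   # -l accepts a comma-separated list
            i += 2
        elif tok.startswith("--listen="):
            listen_addrs.extend(tok.split("=", 1)[1].split(","))
            i += 1
        else:
            i += 1
    if not listen_addrs:
        listen_addrs = ["0.0.0.0"]   # no -l means memcached binds every interface

    result = UdpExposure(udp_port, listen_addrs)
    if udp_port != 0:
        result.findings.append(f"UDP listener enabled on port {udp_port}; set -U 0 unless UDP is required")
    public = [a for a in listen_addrs if _host(a) not in LOOPBACK]
    if public:
        result.findings.append(f"bound to non-loopback address(es) {public}; restrict with -l or a firewall")
    if result.exposed:
        result.findings.append("EXPOSED: reachable as a UDP amplification reflector")
    return result


# Constructed sample configurations (Debian memcached.conf style), not real hosts.
VULNERABLE_CONF = """
# pre-1.5.6 defaults: UDP on, bound to all interfaces
-m 64
-p 11211
-u memcache
"""

HARDENED_CONF = """
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-U 0
"""

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        report = audit_memcached(conf)
        print(f"{name}: exposed={report.exposed}")
        for f in report.findings:
            print("  -", f)
```

The audit treats absence of `-l` as binding all interfaces and, for pre-1.5.6 builds, absence of `-U` as UDP enabled, so an instance running with package defaults is reported as exposed. Pass `legacy_udp_default=False` for memcached 1.5.6 or later, where only an explicit `-U`/`--udp-port` turns UDP on.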
Victor Gevers, Chairman of the GDI Foundation, a nonprofit organization whose mission is to “defend the free and open Internet by trying to make it safer”, has been contacting memcached server owners for nearly two years, advising them to secure their servers and place them behind a firewall.
“It’s sour to see [DDoS attacks] finally happen after more than two years of warnings. Sometimes you don’t want to be right,” Gevers told BleepingComputer.
“It’s so frustrating finding the owners, warning them of the risks, and getting them to act. Because there is no risk of a data breach, people are hardly or not responding at all to our emails,” Gevers says.
“And the threat of large volume DDoS attacks is not shrinking. Now with PoC tools and ready-to-go lists in public, we will see a significant increase of Memcached amplification attacks after the coming weekend, I guess.”