Principle of the memcached reflective denial-of-service attack

Posted by fierce at 2020-02-27

I. Background

1.1 Introduction to memcached

Memcached is an open-source, high-performance, distributed memory object caching system that can be used wherever caching is needed. Its main purpose is to speed up web applications by reducing the number of database accesses. It is a memory-based key-value store that holds the direct results of database calls, API calls or page rendering, such as strings and objects.

Many web applications save their data in an RDBMS (relational database management system); the application server reads the data from it and renders it in the browser. As the data volume and the number of visits grow, the load on the RDBMS increases, database responses slow down, and page display latency suffers noticeably. This is where memcached comes in. Memcached is a high-performance distributed memory cache server; its typical use is to cache database query results so that the number of database accesses drops and the speed and scalability of dynamic web applications improve.

1.2 Introduction to DRDoS

DRDoS (Distributed Reflection Denial of Service): distributed reflection denial-of-service attack.

"Distributed" and "denial of service" are well understood. "Reflection" means carrying out the attack through a third party's resources.

If a memcached host meets the conditions for being used this way, an attacker can make it attack other hosts on the attacker's behalf.

II. Introduction to principles

2.1 conditions for attack

1. A large number of memcached hosts exposed without authentication

2. The URPF mechanism is not deployed

Normally, after receiving a packet, a router takes the destination IP address from the packet, looks it up in its local forwarding table, and forwards the packet if a matching entry exists; otherwise it discards the packet. The router therefore pays no attention to the packet's source address when forwarding. This is what gives source-address spoofing attacks their opening.

In a source-address spoofing attack, the intruder constructs a series of packets with forged source addresses and sends them at a high rate to the device or host at the destination address; even though the responses never reach the attacker, they still do a certain amount of damage to the target.

The main purpose of URPF (unicast reverse path forwarding) is to prevent network attacks based on source-address spoofing. Once URPF is enabled on a router interface, every packet received on that interface first has its source address checked for legitimacy; only packets that pass this check proceed to the forwarding-table lookup for the destination address and enter the forwarding process, while all others are discarded.

2.2 attack principle

Because memcached supports both TCP and UDP, it matches the ideal conditions for a reflection DRDoS attack.

TCP and UDP differ in many ways; only the differences relevant to the attack are introduced here:

1. TCP guarantees delivery of the data, whereas UDP may lose packets.

2. UDP has no handshake, so an attacker can easily forge the source IP and send requests.

3. A TCP stream has no per-message size limit, whereas a single UDP datagram is at most 64 KB. Memcached can store values of up to 1 MB, so TCP is used to store the 1 MB value directly.

Based on these characteristics of the two protocols, the attacker sends packets to a large number of exposed memcached hosts as follows:

1. Use TCP to send the set command, because TCP is reliable, does not lose packets, and does not limit the message size; memcached can store up to 1 MB per key, so the 1 MB value is stored directly.

2. Use UDP with a forged source IP (the victim's IP) to send the get command.

With a forged source address, TCP-based communication cannot proceed, because of TCP's three-way handshake: when the server cannot complete the handshake with the client, the communication does not continue.

With UDP, the receiver still accepts the packet even if the source IP address is forged.

3. Memcached receives the forged request and sends a large amount of data in response to the host whose address was forged, the victim, causing a denial of service.
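From the defender's side, the reflected traffic has a simple signature: UDP flows whose source port is 11211 carry far more bytes towards one host than that host ever sent to port 11211. At the victim's own network edge no matching outbound request is seen at all, because the request was sent by the attacker with the victim's address. The following added example, which is not part of the original post, scores constructed flow-log lines against that pattern. The log format (timestamp, protocol, source IP/port, destination IP/port, bytes, packets), the sample addresses and the thresholds are assumptions chosen for the example.

```python
"""Detect memcached UDP reflection in flow records.

Added example for this post, not code from the original article.
The flow-log format below is a constructed, simplified one:
    ts proto src_ip src_port dst_ip dst_port bytes packets
"""
from collections import defaultdict
from math import inf

MEMCACHED_PORT = 11211
# Thresholds are assumptions for this example; tune them to the network.
MIN_RESPONSE_BYTES = 1_000_000   # UDP bytes from *:11211 towards one host
MIN_RATIO = 100.0                # response bytes / request bytes

# Constructed sample: two reflectors answering spoofed 20-byte gets with 1 MB,
# the attacker's TCP set (ignored), one legitimate small UDP exchange, and one
# host receiving memcached UDP data without ever having sent a request.
SAMPLE_FLOWS = """\
1582790400 udp 203.0.113.10 11211 198.51.100.7 40123 1048640 720
1582790400 udp 198.51.100.7 40123 203.0.113.10 11211 20 1
1582790401 udp 203.0.113.11 11211 198.51.100.7 40123 1048640 720
1582790401 udp 198.51.100.7 40123 203.0.113.11 11211 20 1
1582790402 tcp 192.0.2.5 54321 203.0.113.10 11211 1048700 700
1582790403 udp 203.0.113.12 11211 192.0.2.9 53000 300 1
1582790403 udp 192.0.2.9 53000 203.0.113.12 11211 40 1
1582790404 udp 203.0.113.13 11211 198.51.100.8 5000 2000000 1400
"""


def parse_flow(line):
    """Split one flow-log line into a dict with numeric fields converted."""
    ts, proto, src, sport, dst, dport, nbytes, pkts = line.split()
    return {"ts": int(ts), "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "bytes": int(nbytes),
            "packets": int(pkts)}


def detect_amplification(flow_text, min_bytes=MIN_RESPONSE_BYTES,
                         min_ratio=MIN_RATIO):
    """Return one alert per host receiving disproportionate memcached UDP data."""
    response_bytes = defaultdict(int)   # victim -> bytes received from *:11211/udp
    request_bytes = defaultdict(int)    # victim -> bytes it sent to *:11211/udp
    reflectors = defaultdict(set)       # victim -> memcached hosts answering it

    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["proto"] != "udp":      # the set over TCP is not the reflected path
            continue
        if flow["sport"] == MEMCACHED_PORT:
            response_bytes[flow["dst"]] += flow["bytes"]
            reflectors[flow["dst"]].add(flow["src"])
        elif flow["dport"] == MEMCACHED_PORT:
            request_bytes[flow["src"]] += flow["bytes"]

    alerts = []
    for victim, received in response_bytes.items():
        sent = request_bytes.get(victim, 0)
        # No outbound request at all means the traffic is unsolicited: treat the
        # amplification ratio as infinite rather than dividing by zero.
        ratio = received / sent if sent else inf
        if received >= min_bytes and ratio >= min_ratio:
            alerts.append({"victim": victim, "response_bytes": received,
                           "request_bytes": sent, "ratio": ratio,
                           "reflectors": len(reflectors[victim])})
    return sorted(alerts, key=lambda a: a["victim"])


if __name__ == "__main__":
    for alert in detect_amplification(SAMPLE_FLOWS):
        print(alert)
```

The legitimate exchange (40 bytes out, 300 bytes back) stays below both thresholds, while the two spoofed gets answered with 1 MB each give a ratio above 50,000, and the unsolicited stream is flagged even though no request was ever seen.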

2.3 command introduction

Using memcached as a reflection server requires a few memcached commands. The set command stores a value under a key; the get command retrieves the value stored under a key. Why is set needed? Because the attacker does not know which keys exist; after setting a key with a known name, the attacker retrieves its data with a get request.

The memcached set command stores a value under the specified key.

If the key already exists, set overwrites the data stored under it, that is, it acts as an update.

Key → ABC

Flags → 0

Exptime → 0 (expiry time in seconds; 0 means never expires)

Bytes → 10 (number of bytes of data to store)

Value → ABC (sent on the second line)

The get command retrieves the value stored under a key.

The delete command deletes a key.
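To make the command formats concrete, here is an added example (not from the original post or from memcached itself): a tiny in-memory emulator of memcached's text protocol for set, get and delete. It parses requests exactly as they travel on the wire, set key flags exptime bytes followed by the data block on the next line, and produces the wire responses, so the size difference between a get request and its VALUE response can be measured directly. The class name, the reflection_ratio helper and the handling of exptime (accepted but not enforced) are choices made for this example.

```python
"""Minimal emulator of the memcached text protocol (set / get / delete).

Added example, not code from the original post or from memcached itself.
It exists to show the exact request and response framing the post describes.
"""


class MemcachedTextStore:
    """In-memory key store speaking the memcached text protocol framing."""

    def __init__(self):
        self.data = {}   # key -> (flags, exptime, value bytes)

    def handle(self, request: bytes) -> bytes:
        """Process one request (command line plus optional data block) and
        return the bytes memcached would send back."""
        line, _, rest = request.partition(b"\r\n")
        parts = line.decode("ascii", "replace").split()
        if not parts:
            return b"ERROR\r\n"
        cmd, args = parts[0], parts[1:]

        if cmd == "set":
            # set <key> <flags> <exptime> <bytes>\r\n<data block>\r\n
            if len(args) != 4:
                return b"ERROR\r\n"
            key, flags, exptime, nbytes = args[0], int(args[1]), int(args[2]), int(args[3])
            data, sep, _ = rest.partition(b"\r\n")
            # The data block must be exactly <bytes> long and CRLF-terminated.
            if sep != b"\r\n" or len(data) != nbytes:
                return b"CLIENT_ERROR bad data chunk\r\n"
            # exptime is recorded but, in this toy, never enforced (0 = never expires).
            self.data[key] = (flags, exptime, data)
            return b"STORED\r\n"

        if cmd == "get":
            # get <key>*\r\n  ->  VALUE <key> <flags> <bytes>\r\n<data>\r\n ... END\r\n
            out = b""
            for key in args:
                if key in self.data:
                    flags, _, data = self.data[key]
                    out += b"VALUE %s %d %d\r\n%s\r\n" % (key.encode("ascii"), flags, len(data), data)
            return out + b"END\r\n"

        if cmd == "delete":
            # delete <key>\r\n  ->  DELETED\r\n or NOT_FOUND\r\n
            if len(args) != 1:
                return b"ERROR\r\n"
            return b"DELETED\r\n" if self.data.pop(args[0], None) is not None else b"NOT_FOUND\r\n"

        return b"ERROR\r\n"


def reflection_ratio(store, key: str) -> float:
    """Bytes returned per byte sent for a single get of `key`: the reason a
    large stored value matters to a defender."""
    request = b"get %s\r\n" % key.encode("ascii")
    response = store.handle(request)
    return len(response) / len(request)


if __name__ == "__main__":
    store = MemcachedTextStore()
    print(store.handle(b"set abc 0 0 3\r\nabc\r\n"))
    print(store.handle(b"get abc\r\n"))
    print(store.handle(b"delete abc\r\n"))
```

A get request is under ten bytes, while the response carries the whole stored value plus framing, which is why the size of values an anonymous client may store is the quantity to watch.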

2.4 attack methods

First, send the set command to store the key in advance, so that its name is known when the get command is used for reflection. The set command does not require a forged source IP, so it is better sent over TCP, which delivers the data reliably without packet loss.

When using the get command, the source IP must be forged to the address of the target, so those packets are sent over UDP.

Here a simple PoC for a single request is written; it can be extended to repeated requests by adding multiple threads.

First, a TCP test: send the set command to store the key, then send the get command to confirm the value can be read back.

Then the source IP is forged. Scapy is used here; src would normally be our own IP, but it is changed to the IP of the target. Because the packets are sent over UDP and no URPF mechanism is in place, memcached's responses are returned to the target, completing the attack.

2.5 attacks

First, the set command stores a key-value pair holding 1 MB of data over TCP; then UDP is used to send a get request. The get request is only 20 bytes, but the response is the full 1 MB of data.

Because the get command sent is tiny while the data returned is 50,000 times larger, once a large number of memcached hosts meeting these conditions are found on the network, a DRDoS attack can be carried out.

III. Defense strategies

1. Set access control rules. For example, in Linux run iptables -A INPUT -p tcp -s <allowed IP> --dport 11211 -j ACCEPT. Adding this rule to iptables allows only that IP to access port 11211.

2. Bind the listening IP. If memcached does not need to be reachable from the public network, specify the bind address with -l when starting memcached. For example, in Linux run: memcached -d -m 1024 -u memcached -l <bind IP> -p 11211 -c 1024 -P /tmp/

3. Run the memcached service under a least-privilege account: use an ordinary (non-root) user and specify it with -u. For example, in Linux run: memcached -d -m 1024 -u memcached -l <bind IP> -p 11211 -c 1024 -P /tmp/

4. Enable authentication

Memcached itself has no access-verification module. Since version 1.4.3, memcached supports SASL authentication (see the SASL configuration manual for the detailed setup).

5. Change the default port. Change the default listening port from 11211 to 11222. In Linux run: memcached -d -m 1024 -u memcached -l <bind IP> -p 11222 -c 1024 -P /tmp/
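The measures above can be checked mechanically against a memcached start-up command line. The following added example (not from the original post) audits one: it reports listening on all interfaces, UDP not explicitly disabled or left enabled, a missing or root user, SASL not enabled, and the default port. The option letters it inspects are memcached's real short options (-l bind address, -p TCP port, -U UDP port, -u user, -S SASL); the finding names, the two sample command lines, the 127.0.0.1 bind address and the /tmp/memcached.pid path are constructed for the example.

```python
"""Audit a memcached command line for the hardening points listed above.

Added example, not code from the original post. Only memcached's short
options are parsed; long options (--listen=...) are out of scope here.
"""
import shlex

# Short options that consume a value (subset of memcached's options).
OPTIONS_WITH_VALUE = {"-l", "-p", "-U", "-u", "-m", "-c", "-P", "-t"}
DEFAULT_PORT = 11211
ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_options(cmdline: str) -> dict:
    """Return {option: value}; value is None for flags such as -d or -S."""
    argv = shlex.split(cmdline)
    opts = {}
    i = 1                                   # argv[0] is the binary
    while i < len(argv):
        tok = argv[i]
        if tok in OPTIONS_WITH_VALUE and i + 1 < len(argv):
            opts[tok] = argv[i + 1]
            i += 2
        else:
            opts[tok] = None
            i += 1
    return opts


def audit_memcached_cmdline(cmdline: str) -> list:
    """Return a sorted list of finding codes for the given start-up command."""
    opts = parse_options(cmdline)
    findings = []

    # (2) bind address: a missing -l, or an all-interfaces address anywhere in
    # the comma-separated list, exposes the service on public interfaces too.
    listen = opts.get("-l")
    if listen is None or any(a.strip() in ALL_INTERFACES for a in listen.split(",")):
        findings.append("LISTENS_ON_ALL_INTERFACES")

    # UDP is the reflected path. Recent memcached releases leave UDP off unless
    # -U is given, older ones listened on UDP 11211 by default, so require an
    # explicit -U 0 rather than trusting the default of whatever version runs.
    udp = opts.get("-U")
    if udp is None:
        findings.append("UDP_NOT_EXPLICITLY_DISABLED")
    elif udp != "0":
        findings.append("UDP_ENABLED")

    # (3) least privilege: -u should name a dedicated unprivileged account.
    user = opts.get("-u")
    if user is None:
        findings.append("USER_NOT_SPECIFIED")
    elif user == "root":
        findings.append("RUNS_AS_ROOT")

    # (4) authentication
    if "-S" not in opts:
        findings.append("SASL_DISABLED")

    # (5) default port (-p defaults to 11211 when absent)
    if int(opts.get("-p") or DEFAULT_PORT) == DEFAULT_PORT:
        findings.append("DEFAULT_PORT")

    return sorted(findings)


# Constructed sample command lines; bind address and pid file are placeholders.
WEAK_CMDLINE = "memcached -d -m 64 -u root -U 11211"
HARDENED_CMDLINE = ("memcached -d -m 1024 -u memcached -l 127.0.0.1 -p 11222 "
                    "-c 1024 -P /tmp/memcached.pid -U 0 -S")

if __name__ == "__main__":
    for cmd in (WEAK_CMDLINE, HARDENED_CMDLINE):
        print(cmd, "->", audit_memcached_cmdline(cmd) or ["OK"])
```

The command lines from items 2, 3 and 5 above, with a bind address filled in, still produce SASL_DISABLED and UDP_NOT_EXPLICITLY_DISABLED: binding and the port change reduce exposure, but -U 0 is what removes the reflected UDP path regardless of the memcached version in use.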