Research on DRDoS Denial of Service Attack Technology Based on the Memcached Distributed System

Posted by deaguero at 2020-02-28

Basic concepts

Friendly reminder: the following is for technical research only. Anyone who uses it maliciously or for attacks bears the legal consequences.

This reflective denial of service attack technique relies on memcached servers distributed across the global Internet. Following it requires some background in security attack and defense, network protocols and Python programming. I recommend learning those basics before reading this article. There is a reference link at the end of the article.

About memcached system

Memcached is a free and open source, high-performance, distributed memory object caching system. It was developed by Brad Fitzpatrick of Danga Interactive, the company behind LiveJournal. It has become an important factor in improving the scalability of web applications in many services such as mixi, Hatena, Facebook, Vox and LiveJournal. Memcached is a memory-based key-value store used to hold small pieces of arbitrary data (strings, objects). This data can be the result of database calls, API calls, or page rendering. Memcached is simple and powerful. Its simple design makes rapid development easier and solves many problems of caching large amounts of data. Its API is available for most popular development languages. In essence, it is a simple key-value storage system. Its general purpose is to reduce the number of database accesses by caching database query results, which improves the speed and scalability of dynamic web applications.

On the principle of distributed DDoS

A DDoS (distributed denial of service) attack uses client/server technology to combine multiple computers into an attack platform that launches a denial of service attack on one or more targets, multiplying the power of the attack. Usually, an attacker uses a stolen account to install the DDoS master program on a computer. At a set time, the master program communicates with a large number of agents that have already been installed on many computers on the network. The agents attack when they receive instructions. With client/server technology, the master program can activate hundreds of agents in a few seconds.

On the principle of reflective DRDoS

DRDoS is the abbreviation of "distributed reflection denial of service". Unlike DoS and DDoS, this method relies on sending a large number of packets that carry the victim's IP address as their source to the attack hosts, which then send a large number of responses to that source address, forming a denial of service attack.

Attack process

DDoS attack process

At least three steps are required to complete the attack process.

1. The attacker must control a large number of compromised machines (bots) distributed across the Internet.

2. The attacker can send a large number of attack instructions to all of the bots at any time through agents or a control program.

3. After receiving the instructions, all of the bots attack the victim's network or host simultaneously.

DRDoS attack process

To complete a DRDoS reflection amplification attack:

1. The attacker must store the attack data on all of the online bots or reflection servers in advance.

2. The attacker must forge the source IP and send massive numbers of requests with the forged source. The forged address is, of course, the victim's IP address.

3. The reflection server must be able to reflect data and must run reliably. Ideally the request is small and the returned data is ten thousand times larger.

In this way, the target's network bandwidth can be attacked on a large scale, raising its utilisation and consuming the hardware resources of the target machine.

DRDoS reflection attack process implemented with memcached

Live hosts

First of all, we need to find a large number of reflection servers, using search engines to discover servers that are online around the world. Here I use ZoomEye for collection for now. You can also use other search engines, such as Shodan. The default open port number is 11211. Using ZoomEye, we found 538317 machines around the world with port 11211 open, running the memcached cache service. But there is a further condition for use: we need to filter further and confirm which machines allow login by default, so that they can be used by us. Some of them have security authentication set up, so they can't be used. (Results not published.)
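From the operator's side, the exposure conditions above (port 11211 reachable from anywhere, no authentication) and the UDP listener discussed in the next section are all visible in the server's start-up options. The following audit is an added example, not code from the original post. It assumes a Debian-style memcached.conf with one short option per line, and the finding names and sample configurations are made up for illustration.

```python
import ipaddress

def parse_options(conf_text):
    """Collect the listener-related short options from memcached.conf text."""
    opts = {}
    for line in conf_text.splitlines():
        tokens = line.split("#", 1)[0].split()   # drop comments
        for i, tok in enumerate(tokens):
            if tok in ("-l", "-U", "-p") and i + 1 < len(tokens):
                opts[tok] = tokens[i + 1]
            elif tok == "-S":                     # SASL authentication enabled
                opts[tok] = True
    return opts

def loopback_only(listen):
    """True only if every -l address is loopback; no -l means all interfaces."""
    if listen is None:
        return False
    for addr in listen.split(","):
        try:
            if not ipaddress.ip_address(addr.strip()).is_loopback:
                return False
        except ValueError:                        # hostname or host:port form
            if addr.strip() != "localhost":
                return False
    return True

def audit(conf_text):
    """Return a list of finding codes (names are illustrative, not memcached's)."""
    opts = parse_options(conf_text)
    findings = []
    udp = opts.get("-U")
    if udp is None:
        findings.append("udp-not-disabled")       # UDP was on by default before 1.5.6
    elif udp != "0":
        findings.append("udp-enabled")
    if not loopback_only(opts.get("-l")):
        findings.append("non-loopback-listener")
        if "-S" not in opts:
            findings.append("no-authentication")
    return findings

# Constructed sample configurations: a weak one and a corrected one.
WEAK = "-m 64\n-p 11211\n-u memcache\n-l 0.0.0.0   # listen everywhere\n"
HARDENED = "-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1\n-U 0\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf))
```

A listener that must stay reachable from other hosts still needs a firewall rule limiting port 11211 to the application servers; the audit only reports what the options themselves expose.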

Communication protocol

In terms of protocol, memcached listens on both TCP and UDP, so it supports interaction over either protocol. This is the key point, and it helps to look at the difference between TCP and UDP. Because TCP is a byte stream, there are no packet boundaries: regardless of size, how much data is received for one send depends on the implementation and on the size of your send and receive buffers.

There is no limit in TCP: there is no "packet length" field in the TCP header, and framing is left entirely to the IP layer.

UDP is different. It is connectionless and sends data directly to the target machine without establishing a connection.

Note that the length field takes only two bytes, so UDP has a limit on how much data can be sent at once. The maximum size is 2^16 - 1 = 65535 bytes, about 64 KB.

If you want to send more data, you can only use TCP or send it over UDP in several pieces. Here I have tested that both protocols can be used.


1. TCP is connection-oriented (like dialling to establish a connection before making a call); UDP is connectionless, that is, no connection needs to be established before sending data.

2. TCP provides reliable service: data transmitted over a TCP connection is error free, not lost, not duplicated, and arrives in order. UDP is best-effort delivery, that is, it does not guarantee reliable delivery.

3. TCP is byte-stream oriented; in fact, TCP treats data as an unstructured stream of bytes. UDP is message oriented. UDP has no congestion control, so network congestion does not reduce the sending rate of the source host (useful for real-time applications such as IP telephony and real-time video conferencing).

4. Each TCP connection can only be point-to-point; UDP supports one-to-one, one-to-many, many-to-one and many-to-many communication.

5. The TCP header overhead is 20 bytes; the UDP header overhead is small, only 8 bytes.

6. The logical communication channel of TCP is a full-duplex reliable channel, while that of UDP is an unreliable channel.

Now that we understand this, let's look at how the memcached caching system is used over TCP and UDP. Memcached limits a single stored value to 1 MB, so we can store at most 1 MB. Of course, you can use multiple fields, which increases the amplification as well. First, following the flow chart, we store the payload on the remote server in advance. Here is the data. With TCP, 1 MB can be sent at once, but with UDP it has to be sent in several pieces to complete the 1 MB transfer. Because UDP is unreliable, packet delivery is not guaranteed. Here I recommend using TCP for sending.

Data format


All of the following commands and operations are supported.

Memcached storage commands: set, add, replace, append, prepend, cas

Memcached lookup commands: get, gets, delete, incr / decr

Memcached statistics commands: stats, stats items, stats slabs, stats sizes, flush_all

Here we focus on three commands, because they are the ones involved in the attack process.

The first, used for the upload, is the memcached set command

The memcached set command is used to store the value in the specified key.

If the set key already exists, the command can update the original data corresponding to the key, that is, to implement the update function.

The basic syntax format of the set command is as follows:

The parameters are described as follows:

The second, used for the reflected payload, is the memcached get command

The memcached get command gets the value stored in the key. If the key does not exist, it returns null.

The basic syntax format of the get command is as follows:

Multiple keys are separated by spaces, as follows:

The parameters are described as follows:

The third is the command to disconnect from the remote server: quit\r\n. It takes no parameters. Note the carriage return and line feed.

Attack steps

Automatic upload payload

Here, we use this process to implement the DRDoS reflection denial of service attack.

The idea is as follows: first, we upload the specified data in batches to remote open memcached servers, and then we query those servers for the data stored in the previous step. (This step is critical: only the UDP protocol can be used for reflection, and the reason is explained below.) In this way, the data is reflected to the target victim machine by the memcached servers. A program can be written to upload payloads to remote servers in batches automatically. After uploading, the UDP reflection attack can be carried out.

Here I use a Python script to upload the payload data.

The code is not published, to prevent illegal use. Only the test output is shown.

Output result

Automatic reflection payload

Note that the automatic upload above uses TCP to send packets, while for reflection I must use UDP. UDP is connectionless, so data is sent directly to the target server without a three-way handshake. The receiving server also cannot verify the client's source IP, so UDP with a forged source address can be used to carry out the DRDoS attack process.

Developed with the socket and scapy libraries, using multi-threaded looped requests. (Note that when UDP is used, each command must be preceded by an 8-byte flag field in the packet structure, "\x00\x00\x00\x00\x00\x00\x01\x00\x00".)

Here we use a Python script to complete the reflection test.

The code is not published, to prevent illegal use. Only the test output is shown.

Output result: the reflection can be achieved


Wireshark capture of the test
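On the defending side, the 8-byte header mentioned earlier is what makes memcached UDP replies recognisable in a capture: in the memcached protocol it consists of four 16-bit fields (request ID, sequence number, total datagrams, reserved). The following detector is an added example, not code from the original post; the function names, the byte threshold and the sample capture are made up for illustration.

```python
import struct
from collections import defaultdict

MEMCACHED_PORT = 11211
FRAME = struct.Struct("!HHHH")  # request ID, sequence no., total datagrams, reserved

def parse_frame(payload):
    """Return ((request_id, seq, total), body) for a memcached UDP payload, else None."""
    if len(payload) < FRAME.size:
        return None
    request_id, seq, total, reserved = FRAME.unpack_from(payload)
    if reserved != 0 or total == 0 or seq >= total:
        return None                      # not a well-formed memcached frame
    return (request_id, seq, total), payload[FRAME.size:]

def find_reflectors(datagrams, min_bytes=1000):
    """Summarise inbound memcached replies per (source, destination) pair.
    datagrams: (src_ip, src_port, dst_ip, udp_payload) tuples captured at an edge where
    no host speaks memcached over UDP to the Internet (assumed), so replies are unsolicited."""
    stats = defaultdict(lambda: {"datagrams": 0, "bytes": 0, "announced": 0, "reply": None})
    for src_ip, src_port, dst_ip, payload in datagrams:
        parsed = parse_frame(payload) if src_port == MEMCACHED_PORT else None
        if parsed is None:
            continue
        (_, seq, total), body = parsed
        entry = stats[(src_ip, dst_ip)]
        entry["datagrams"] += 1
        entry["bytes"] += len(payload)
        entry["announced"] = max(entry["announced"], total)  # datagrams in full reply
        if seq == 0:                     # first datagram starts with the reply line
            entry["reply"] = body.split(b" ", 1)[0].decode("ascii", "replace")
    return {pair: e for pair, e in stats.items() if e["bytes"] >= min_bytes}

def make_frame(seq, total, body):
    return FRAME.pack(0, seq, total, 0) + body

# Constructed sample capture (documentation addresses, made-up payloads).
SAMPLE = [
    ("198.51.100.7", 11211, "203.0.113.10", make_frame(0, 750, b"VALUE k 0 1048000\r\n" + b"A" * 1380)),
    ("198.51.100.7", 11211, "203.0.113.10", make_frame(1, 750, b"A" * 1400)),
    ("198.51.100.7", 11211, "203.0.113.10", make_frame(2, 750, b"A" * 1400)),
    ("192.0.2.53", 53, "203.0.113.10", b"\x12\x34" + b"\x00" * 60),   # other UDP service
    ("198.51.100.9", 11211, "203.0.113.10", b"\x00\x01"),             # too short to be a frame
]

if __name__ == "__main__":
    for (src, dst), entry in find_reflectors(SAMPLE).items():
        print(f"{src} -> {dst}: {entry}")
```

The "announced" value comes from the total-datagrams field, so the size of the full reply is visible even when only part of it was captured.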


Here we can make a rough theoretical calculation

For example, with a single server we send only 20 bytes of test command data but get 1 MB of data back: 1 MB / 20 bytes = 50,000 (a 50,000-fold amplification), a case of a small force moving a great weight. Assuming that, under ideal conditions, we have 500,000 usable machines in hand, the theoretical DRDoS volume reaches about 500,000 * 1 MB = 500 GB. Think about how frightening that amount of bandwidth and data is. At present, few in China can withstand such a large DDoS attack even for a short time. For example, Alibaba Cloud was attacked for more than 14 hours last year, with peak traffic of 453.8G. DRDoS can reach up to 500G of traffic in just one minute, which is a terrible thing and a disaster. For protection, please refer to (security protection system of Yiyun website).

Summing up experience

After several days of research I understand the DRDoS technique, but testing showed that in some network environments routers correct the source address, which makes the reflection attack fail. The reason is the uRPF mechanism they add (unicast reverse path forwarding, a unicast reverse route lookup technique used to prevent network attacks based on source address spoofing), which in turn fixes UDP source address forgery. However, where an environment has no such mechanism, this method can be used to attack. I'm sharing this here in the hope that someone will continue with in-depth analysis and study, including the ideas and techniques involved in its use, for example using its free Internet storage resources to store your data in a distributed way as your distributed private cloud disk.

Friendly reminder: the above is for technical research only. Anyone who uses it maliciously or for attacks bears the legal consequences.

Reference learning