Computer Security: Memcrashed Exploit and Prevention
Added on 2023/04/07
Running head: COMPUTER SECURITY

Computer Security
Name of the Student
Name of the University
Author Note:
Table of Contents

Introduction
Discussion
    Key Principles of Key-Value Databases
    Description of the Memcrashed Exploit
    Solutions to the Memcrashed Exploit
    Future Importance and Effectiveness of Memcrashed
Conclusion
References
Introduction

Memcrashed is a well-known Memcached DDoS exploit written entirely in Python. It lets its user send forged UDP packets to a list of Memcached servers (O'Hare 2018). Memcached is an in-memory key-value store that caches small chunks of arbitrary data (strings and objects), typically the results of database calls, API calls and page rendering. The attack is carried out by forging packets over the User Datagram Protocol (UDP): an attacker can easily leverage the denial-of-service weakness in Memcached's UDP handling to launch record-breaking DDoS attacks (Ghiëtte and Doerr 2018), and publicly available proof-of-concept code can be adapted for this purpose. Memcrashed.py is a Python script that integrates with the Shodan search engine to find vulnerable servers; those servers are the points from which the attack is then reflected. The following pages explain how a single system can be used for mass Memcached exploitation, that is, launching attacks through servers obtained via the Shodan API. The next section of the report deals with how such attacks can be prevented.

Discussion

Key Principles of Key-Value Databases

Compared with a traditional RDBMS, key-value databases are considered more productive and efficient because of their design principle (Xu and Liu 2016). Key-value databases store schema-less data in associative arrays. The entries of an associative array are sometimes known as a map table; map tables are also known as dictionaries or hash tables (Tapsell, Akram and Markantonakis 2018). The
associative arrays are collections of key and value pairs and can store data of any type, whether a primitive or an object (Dong et al. 2016). The associative array binds each key to its value.

Botnets can be defined as a collection of interconnected programs that cooperate to perform a specific task. Illegal botnets are built from malware that infects systems, and most of the infected computers are controlled through a command-and-control system. A virus is a binary that can attach itself to another binary file. A boot-sector virus replaces the code in the boot sector, while a macro virus infects documents such as Word, Excel and PowerPoint files.

Fig 1: Memcrashed Attack (Source: Bawany, Shamsi and Salah 2017)

Key-value databases are intentionally designed so that they store data in the form of documents (Wang et al. 2015), and they use encoding schemes such as XML, YAML and JSON for better data handling.
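As an added worked example (not code from the original report or from the Memcrashed tool), the following Python models the key-value operations this section describes, Get, Set and Delete, across a small cluster of Memcached-style nodes, and goes beyond this section by using the consistent hashing that the Memcached discussion later on the page relies on to decide which node holds each key. The node names, sample keys and the use of MD5 for ring positions are assumptions; the command encoder emits the memcached ASCII protocol forms, and nothing here connects to a real server.

```python
"""Get/set/delete routed by consistent hashing over a small cluster of
memcached-style nodes. Added example: the node names and keys are made up
and each 'node' is a dict standing in for one Memcached process."""
import bisect
import hashlib


def _hash(s: str) -> int:
    # Position on a 32-bit ring. MD5 is used only for an even spread of
    # points, not for any security property.
    return int(hashlib.md5(s.encode()).hexdigest()[:8], 16)


class HashRing:
    """Consistent hash ring: each node owns `replicas` virtual points, so keys
    spread evenly and removing a node only moves the keys that node held."""

    def __init__(self, nodes, replicas=100):
        self.replicas = replicas
        self._ring = {}      # point -> node
        self._points = []    # sorted points
        for n in nodes:
            self.add(n)

    def add(self, node):
        for i in range(self.replicas):
            p = _hash(f"{node}#{i}")
            self._ring[p] = node
            bisect.insort(self._points, p)

    def remove(self, node):
        for i in range(self.replicas):
            p = _hash(f"{node}#{i}")
            del self._ring[p]
            self._points.remove(p)

    def node_for(self, key: str):
        """First point at or after the key's position, wrapping around."""
        if not self._points:
            raise LookupError("ring is empty")
        idx = bisect.bisect(self._points, _hash(key)) % len(self._points)
        return self._ring[self._points[idx]]


class Cluster:
    """Get/set/delete sent to whichever node the ring picks for the key."""

    def __init__(self, nodes):
        self.ring = HashRing(nodes)
        self.store = {n: {} for n in nodes}
        self.hits = self.misses = 0

    def set(self, key, value):
        self.store[self.ring.node_for(key)][key] = value

    def get(self, key):
        node = self.ring.node_for(key)
        if key in self.store[node]:
            self.hits += 1          # cache hit: no back-end database access
            return self.store[node][key]
        self.misses += 1            # cache miss: caller must go to the database
        return None

    def delete(self, key) -> bool:
        return self.store[self.ring.node_for(key)].pop(key, None) is not None


def encode_command(op, key, value=b"", flags=0, exptime=0) -> bytes:
    """Wire form of the three basic memcached ASCII protocol commands."""
    if op == "get":
        return f"get {key}\r\n".encode()
    if op == "delete":
        return f"delete {key}\r\n".encode()
    if op == "set":
        head = f"set {key} {flags} {exptime} {len(value)}\r\n".encode()
        return head + value + b"\r\n"
    raise ValueError(op)


def keys_moved_by_removal(keys, nodes, removed):
    """How many keys change owner when `removed` leaves the ring, next to how
    many lived on it. With consistent hashing the two numbers are equal."""
    before = HashRing(nodes)
    after = HashRing([n for n in nodes if n != removed])
    moved = sum(1 for k in keys if before.node_for(k) != after.node_for(k))
    lived_on_removed = sum(1 for k in keys if before.node_for(k) == removed)
    return moved, lived_on_removed
```

With a plain `hash(key) % len(nodes)` scheme, dropping one of three nodes would remap roughly two thirds of all keys and turn most lookups into cache misses; `keys_moved_by_removal` shows that on the ring only the departed node's share moves.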
Memcached is one of the best distributed in-memory cache systems for reducing latency in data access compared with other key-value stores (Bhuyan, Bhattacharyya and Kalita 2015). It is widely used to support cloud services and web-based services. In a key-value store each object consists of a key part and a value part, and the typical operations on the store are Get, Set and Delete; with Get, for example, a user submits a key and receives the stored value (Bawany, Shamsi and Salah 2017). The major performance factors of a key-value store are (i) response time, that is the latency of data access, and (ii) throughput, the number of requests that can be satisfied in a given period. Memcached is used in web service systems that serve a high number of user requests in real time (Ghiëtte and Doerr 2018). After receiving a user request carrying a key, the web service tries to obtain the object from the nearest cluster (Kolias et al. 2017). If the requested object is found on one of the Memcached nodes, this is a cache hit (Bawany, Shamsi and Salah 2017); access to the real back-end database is not required, so expensive disk I/O operations are avoided. If the requested object is not found in the cluster (a cache miss), the web service must retrieve it from the back-end database and store it in one of the Memcached nodes (Tapsell, Akram and Markantonakis 2018). In order to distribute the data consistently across the Memcached nodes, it
uses a consistent hash function over the key to determine which node in the Memcached cluster will hold the retrieved object.

Fig 2: Overview of Memcrashed Attack (Source: Bawany, Shamsi and Salah 2017)

In this attack the attackers use an amplification technique that yields responses up to 51,200 times larger than the request (Bhuyan, Bhattacharyya and Kalita 2015). Because the Memcached protocol is designed to be used without logins or passwords, attackers can also retrieve sensitive cached user data from a remote location without passing any authentication mechanism.

Description of the Memcrashed Exploit

Researchers at several security firms have reported that three parties are involved in a Memcached attack: the attacker, the exposed Memcached servers used as reflectors, and the victim whose address is spoofed. The whole scheme lends power to a distributed denial-of-service attack, which is why it is known as a Memcached attack. Memcached is an open-source, high-performance, distributed memory caching system (Tapsell, Akram and Markantonakis 2018), mainly designed to speed up dynamic web-based applications. Clients communicate with the server over TCP or UDP on port 11211. At present a large number of attackers are abusing Memcached for DDoS attacks. The Memcrashed amplification technique gives attackers an amplification factor of up to 51,200 (Hoque, Bhattacharyya and Kalita 2016). The way a Memcached server is drawn into a DDoS attack is simple and effective: the attacker sends a request to the server on port 11211 with the source IP address spoofed to that of the victim. The request comprises only a few bytes of data, while the response is thousands of times larger; the resulting amplification is around 51,200 times the size of the initial request (Wang et al. 2015). There has been an increase in large-scale UDP reflection and amplification attacks on the internet. In this attack the attacker sends packets chosen to elicit large responses from Memcached (Behal and Kumar 2017), quickly congesting the victim and resulting in a denial-of-service attack.
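The reflection pattern described above can be recognised in flow data without ever touching an exposed server. The following Python is an added example, not part of the original report or of any exploit tool: it parses the 8-byte header that memcached places in front of every UDP datagram (request id, sequence number, total datagrams, reserved), shows that a UDP stats request is exactly the 15 bytes the page later cites, computes the amplification factor, and runs a simple detector over constructed NetFlow-style records to pick out a destination that is receiving large UDP datagrams from several memcached servers at once. The IP addresses, flow records and alert thresholds are constructed for the illustration.

```python
"""Recognising Memcached reflection/amplification traffic from flow records.
Added example: the flow records, addresses and thresholds are constructed.
The 8-byte frame header is the layout memcached uses for UDP on port 11211."""
import struct
from collections import defaultdict

MEMCACHED_PORT = 11211
# request id, sequence number, total datagrams in this message, reserved (0)
UDP_FRAME_HEADER = struct.Struct("!HHHH")


def parse_udp_frame(datagram: bytes) -> dict:
    """Split one memcached UDP datagram into its header fields and payload."""
    if len(datagram) < UDP_FRAME_HEADER.size:
        raise ValueError("datagram shorter than the memcached UDP header")
    req_id, seq, total, reserved = UDP_FRAME_HEADER.unpack_from(datagram)
    return {"request_id": req_id, "seq": seq, "total": total,
            "reserved": reserved, "payload": datagram[UDP_FRAME_HEADER.size:]}


# Constructed: the 15-byte 'stats' request the attack reflects (8-byte frame
# header plus the 7-byte ASCII command). It is built only to measure it;
# nothing here sends it anywhere.
STATS_REQUEST = UDP_FRAME_HEADER.pack(0, 0, 1, 0) + b"stats\r\n"


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes the victim receives per byte the attacker had to send."""
    return response_bytes / request_bytes


# Constructed NetFlow-style records:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    # stats responses from three exposed caches to one spoofed victim
    ("203.0.113.10", 11211, "198.51.100.7", 40000, "udp", 700, 980_000),
    ("203.0.113.11", 11211, "198.51.100.7", 40000, "udp", 650, 910_000),
    ("192.0.2.5", 11211, "198.51.100.7", 40000, "udp", 720, 1_008_000),
    # the spoofed 15-byte requests, as the cache's own network would see them
    ("198.51.100.7", 40000, "192.0.2.5", 11211, "udp", 720, 10_800),
    # unrelated web traffic and a legitimate application client over TCP
    ("198.51.100.7", 443, "203.0.113.99", 51000, "tcp", 40, 52_000),
    ("10.0.0.8", 52100, "10.0.0.9", 11211, "tcp", 200, 24_000),
]


def find_reflection_victims(flows, min_reflectors=3, min_bytes_per_packet=1000):
    """Group UDP traffic sourced from port 11211 by destination. A host that
    receives large datagrams from several distinct memcached servers is the
    spoofed victim of a reflection attack, not a real client."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for src, sport, dst, _dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport != MEMCACHED_PORT:
            continue
        rec = per_dst[dst]
        rec["reflectors"].add(src)
        rec["packets"] += pkts
        rec["bytes"] += nbytes
    alerts = {}
    for dst, rec in per_dst.items():
        bpp = rec["bytes"] / rec["packets"]
        if len(rec["reflectors"]) >= min_reflectors and bpp >= min_bytes_per_packet:
            alerts[dst] = {"reflectors": len(rec["reflectors"]),
                           "bytes_per_packet": round(bpp)}
    return alerts


def exposed_reflectors(flows):
    """Servers that answered over UDP from port 11211 at all: each one is a
    memcached instance reachable from the internet with UDP still enabled."""
    return sorted({src for src, sport, _d, _dp, proto, _p, _b in flows
                   if proto == "udp" and sport == MEMCACHED_PORT})


if __name__ == "__main__":
    print(len(STATS_REQUEST), "bytes:", parse_udp_frame(STATS_REQUEST))
    print("amplification of a 1 MB reply:", round(amplification_factor(15, 1_000_000)))
    print("victims:", find_reflection_victims(FLOWS))
    print("reflectors:", exposed_reflectors(FLOWS))
```

The same grouping, run over the exporter that sees a cache's own outbound traffic, tells the operator of that cache that it is being used as a reflector: the 15-byte inbound "requests" from the victim's address are the tell-tale counterpart of the large outbound replies.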
Fig 3: Memcrashed Attack (Source: Bhuyan, Bhattacharyya and Kalita 2015)

Daemons are background processes that provide system functionality. They can interact with the rest of the system in the normal way or through a socket, which may be a TCP, UDP or local socket. A large number of daemons are network-related and provide a range of services. Daemons are often installed and enabled by default, even when the system's owner has no need for the service they provide. They may listen on a wide range of interfaces, such as Ethernet, wireless and local ones; not every daemon listens on a port, as some only perform background work. Around 95,000 Memcached servers answer on TCP or UDP port 11211 and can be used by attackers to launch DDoS attacks (Bhuyan, Bhattacharyya and Kalita 2015). The same exposure also leaks the data held in the cache. The Memcached server abused in this DDoS attack is one meant to hold cached user data for local servers only. The Memcached protocol is designed in such a way that it does not require any authentication. Consequently, the data a user places in a vulnerable Memcached server can be stolen by anyone on the internet without leaving a trail (Kolias et al. 2017). The Memcached developer community has issued a large number of warnings about this security risk. Nevertheless, users leave the default configuration in place on both operating systems and cloud-based services (InfoSec Resources 2019), which ultimately allows anyone to reach the Memcached service.

Solutions to the Memcrashed Exploit

In the Memcrashed attack the attacker simply forges request packets to Memcached servers, which by default respond on UDP port 11211 (Tapsell, Akram and Markantonakis 2018). The protocol permits hosts to send a stats command to obtain the current traffic statistics. A stats request takes only 15 bytes, whereas the response with the statistics returned by a Memcached server can be more than 1 MB in size. In this attack the attackers spoof the IP address of the targeted system and send stats queries to many Memcached servers (Bhuyan, Bhattacharyya and Kalita 2015). The responses can be up to 50,000 times larger than the queries sent to the server, and all this malicious traffic comes back to the victim's site (SearchSecurity 2019). The technique is therefore a form of reflection attack. A denial-of-service (DoS) attack is an attempt to make a service unavailable to its users; a distributed denial-of-service (DDoS) attack uses a large number of machines to carry out the DoS. DoS techniques also include resource exhaustion, such as maxing out the processor, and triggering errors in microcode or in a particular sequence of instructions.
Fig 4: Prevention of Memcached Server (Source: Xu and Liu 2016)

Therefore, in order to mitigate these consequences the following methodologies can be used:
- Forged requests can be avoided by binding Memcached to specific IP addresses and ports, and by disabling UDP where it is not needed (Bawany, Shamsi and Salah 2017).
- Verify whether the servers really need to be externally accessible, so that the number of publicly reachable servers is kept to a minimum (The Cloudflare Blog 2019).
- Ensure that there is more than one upstream provider, so that other links remain available if the primary one is flooded (Kolias et al. 2017).
- Implement anti-spoofing techniques such as BCP 38 and BCP 84, so that spoofed packets, such as those used in DDoS attacks, do not enter the network.
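As an added example (not from the original report), the Python below checks the first two items in that list against a memcached configuration: it parses the -l/-U/-p options from a Debian-style /etc/memcached.conf or from a memcached command line and reports when the daemon would answer on every interface or still has UDP enabled. A weak configuration and its hardened counterpart are included as constructed samples. The option letters are memcached's own (-l listen address, -U UDP port, where -U 0 disables UDP, -p TCP port); the file contents and the wording of the findings are assumptions for the illustration.

```python
"""Audit memcached start-up options for the two settings behind Memcrashed:
listening on every interface and answering over UDP. Added example; the
sample configuration files are constructed."""
import ipaddress
import shlex

TAKES_VALUE = {"-l", "--listen", "-U", "--udp-port", "-p", "--port"}
ANY_ADDRESS = {"0.0.0.0", "::", "*"}


def parse_memcached_options(text: str) -> dict:
    """Collect listen address, UDP port and TCP port from a memcached command
    line or a Debian-style config file (one option per line, '#' comments).
    A later occurrence overrides an earlier one, as memcached itself does."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tokens.extend(shlex.split(line))
    opts = {"listen": None, "udp_port": None, "tcp_port": None}
    i = 0
    while i < len(tokens):
        tok, val = tokens[i], None
        if tok.startswith("--") and "=" in tok:                 # --udp-port=0
            tok, val = tok.split("=", 1)
        elif tok in TAKES_VALUE and i + 1 < len(tokens):        # -U 0
            i += 1
            val = tokens[i]
        elif len(tok) > 2 and tok[:2] in ("-l", "-U", "-p"):    # -U0
            tok, val = tok[:2], tok[2:]
        if val is not None:
            if tok in ("-l", "--listen"):
                opts["listen"] = val
            elif tok in ("-U", "--udp-port"):
                opts["udp_port"] = int(val)
            elif tok in ("-p", "--port"):
                opts["tcp_port"] = int(val)
        i += 1
    return opts


def listens_beyond_loopback(listen) -> bool:
    """True if memcached would accept connections from other hosts. With no
    -l at all memcached binds every interface, so None counts as exposed."""
    if listen is None:
        return True
    for addr in listen.split(","):
        addr = addr.strip()
        if addr in ANY_ADDRESS:
            return True
        if addr.count(":") == 1:            # IPv4 host:port form
            addr = addr.split(":")[0]
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                return True
        except ValueError:                  # a hostname: assume it is reachable
            return True
    return False


def audit(text: str) -> list:
    """Findings for one configuration; an empty list means the settings that
    Memcrashed relied on are closed."""
    opts = parse_memcached_options(text)
    findings = []
    if opts["udp_port"] is None:
        findings.append("UDP port not set explicitly; memcached releases before "
                        "1.5.6 enable UDP 11211 by default. Add -U 0.")
    elif opts["udp_port"] != 0:
        findings.append(f"UDP enabled on port {opts['udp_port']}; spoofed stats "
                        "requests will be answered. Set -U 0.")
    if listens_beyond_loopback(opts["listen"]):
        findings.append(f"listen address {opts['listen'] or '(all interfaces)'} is "
                        "reachable from other hosts; bind to 127.0.0.1 or firewall "
                        f"TCP/UDP {opts['tcp_port'] or 11211} to the application servers.")
    return findings


# Constructed: a Debian-style /etc/memcached.conf before and after hardening.
WEAK_CONF = """
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

HARDENED_CONF = """
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-U 0
-u memcache
-l 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

Binding to 127.0.0.1 is the right answer only when the application runs on the same host; a cache shared by several web servers should listen on a private address and sit behind a firewall rule that admits port 11211 from those servers alone, which the audit reports as a finding to confirm rather than as a pass.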
Future Importance and Effectiveness of Memcrashed

DDoS attacks abuse Memcached servers mainly because the organisations operating them fail to implement some important security practices. Threat actors will keep abusing misconfigured Memcached servers in future attacks (Bawany, Shamsi and Salah 2017), since many of them remain exposed to the internet. Security organisations advise disabling UDP support unless it is required, and isolating Memcached servers from the internet. It is also the responsibility of internet service providers to fix vulnerable protocols and prevent IP spoofing (Vaughan-Nichols 2019); this kind of attack remains possible on the internet as long as IP spoofing is possible. At present there are two distinct proofs of concept for the Memcached amplification technique (Xu and Liu 2016), which is dangerous because either of them can be used to launch a Memcached DDoS attack. One proof-of-concept exploit is written entirely in Python and depends on the Shodan search engine API to obtain an updated list of vulnerable Memcached servers for the DDoS attack (Black 2019). The second exploit is written in C and likewise abuses vulnerable Memcached servers.
Fig 5: Graph of growth of Memcrashed Attack (Source: Wang et al. 2015)

The involvement of a Memcached server in a DDoS attack is very simple and effective: the attacker sends a request to the target server on port 11211 while spoofing the victim's IP address (Conrey 2019). To counter the overall effectiveness of the Memcached DDoS attack tools released online, security experts have come up with a mechanism named the kill switch (Fouladi, Kayatas and Anarim 2016). Security experts currently count more than 95,000 servers worldwide that accept connections on the TCP port from the internet. The Memcached protocol is designed so that it can be used without logins or passwords (Darknet 2019), so an attacker can trigger the vulnerability, modify the data and reinsert it into the cache. The kill switch sends a command back to the attacking server so that it halts the DDoS attack: it issues the protocol's flush_all command, which invalidates every entry in the abused server's cache, including any payload the attacker loaded into it. No harmful side effect of this mechanism has been reported so far, although flush_all does empty the whole cache of a server that belongs to someone else.

Conclusion

From the above pages it can be noted that this report is all about the Memcrashed exploit. The key principles of key-value databases have been discussed in brief, followed by a description of the Memcrashed exploit. A range of solutions has been provided to prevent Memcrashed exploitation, and the last section deals with the future importance and overall effectiveness of Memcrashed. Shodan is a powerful tool for mass exploitation: it is designed to provide the required targets without mass scanning of IP addresses, and to use it for saving results and for mass exploitation the user needs a premium account with an API key. An attacker can easily write arbitrary data into a Memcached server and make use of that data later on. This technique can be used for two-stage attacks, that is, setting and getting values in the Memcached server and then delivering them to a particular target.
References

Bawany, N.Z., Shamsi, J.A. and Salah, K., 2017. DDoS attack detection and mitigation using SDN: methods, practices, and solutions. Arabian Journal for Science and Engineering, 42(2), pp.425-441.

Behal, S. and Kumar, K., 2017. Characterization and comparison of DDoS attack tools and traffic generators: a review. IJ Network Security, 19(3), pp.383-393.

Bhuyan, M.H., Bhattacharyya, D.K. and Kalita, J.K., 2015. An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection. Pattern Recognition Letters, 51, pp.1-7.

Black, L., 2019. Memcrashed-DDoS-Exploit - DDoS attack tool for sending forged UDP packets to vulnerable Memcached servers obtained using Shodan API. [online] KitPloit - PenTest & Hacking Tools for your CyberSecurity Kit. Available at: https://www.kitploit.com/2018/03/memcrashed-ddos-exploit-ddos-attack.html [Accessed 16 Mar. 2019].

Conrey, A., 2019. Memcached 1.5.5 - 'Memcrashed' Insufficient Control Network Message Volume Denial of Service (2). [online] Exploit Database. Available at: https://www.exploit-db.com/exploits/44254 [Accessed 16 Mar. 2019].

Darknet, 2019. Memcrashed - Memcached DDoS exploit tool. [online] Available at: https://www.darknet.org.uk/2018/03/memcrashed-memcached-ddos-exploit-tool/ [Accessed 16 Mar. 2019].

Dong, P., Du, X., Zhang, H. and Xu, T., 2016. A detection method for a novel DDoS attack against SDN controllers by vast new low-traffic flows. In: 2016 IEEE International Conference on Communications (ICC), pp.1-6. IEEE.

Fouladi, R.F., Kayatas, C.E. and Anarim, E., 2016. Frequency based DDoS attack detection approach using naive Bayes classification. In: 2016 39th International Conference on Telecommunications and Signal Processing (TSP), pp.104-107. IEEE.

Ghiëtte, V. and Doerr, C., 2018. How media reports trigger copycats: an analysis of the brewing of the largest packet storm to date. In: Proceedings of the 2018 Workshop on Traffic Measurements for Cybersecurity, pp.8-13. ACM.

GitHub, 2019. 649/Memcrashed-DDoS-Exploit. [online] Available at: https://github.com/649/Memcrashed-DDoS-Exploit [Accessed 16 Mar. 2019].

Hoque, N., Bhattacharyya, D.K. and Kalita, J.K., 2016. A novel measure for low-rate and high-rate DDoS attack detection using multivariate data analysis. In: 2016 8th International Conference on Communication Systems and Networks (COMSNETS), pp.1-2. IEEE.

InfoSec Resources, 2019. Memcrashed: the dangerous trend behind the biggest DDoS attack ever. [online] Available at: https://resources.infosecinstitute.com/memcrashed-dangerous-trend-behind-biggest-ever-ddos-attack/#gref [Accessed 16 Mar. 2019].

Kolias, C., Kambourakis, G., Stavrou, A. and Voas, J., 2017. DDoS in the IoT: Mirai and other botnets. Computer, 50(7), pp.80-84.

O'Hare, J., 2018. Scout: a contactless 'active' reconnaissance known vulnerability assessment tool.

SearchSecurity, 2019. Memcrashed DDoS amplification exploits memcached UDP port. [online] Available at: https://searchsecurity.techtarget.com/news/252436051/Memcrashed-DDoS-amplification-exploits-memcached-UDP-port [Accessed 16 Mar. 2019].

Tapsell, J., Akram, R.N. and Markantonakis, K., 2018. An evaluation of the security of the Bitcoin peer-to-peer network. arXiv preprint arXiv:1805.10259.

The Cloudflare Blog, 2019. Memcrashed - major amplification attacks from UDP port 11211. [online] Available at: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ [Accessed 16 Mar. 2019].

Vaughan-Nichols, S., 2019. Memcached DDoS: the biggest, baddest denial of service attacker yet. [online] ZDNet. Available at: https://www.zdnet.com/article/memcached-ddos-the-biggest-baddest-denial-of-service-attacker-yet/ [Accessed 16 Mar. 2019].

Wang, B., Zheng, Y., Lou, W. and Hou, Y.T., 2015. DDoS attack protection in the era of cloud computing and software-defined networking. Computer Networks, 81, pp.308-319.

Xu, Y. and Liu, Y., 2016. DDoS attack detection under SDN context. In: IEEE INFOCOM 2016 - The 35th Annual IEEE International Conference on Computer Communications, pp.1-9. IEEE.