Computer Security: Memcrashed Exploit, Key/Value Databases, Solutions

Added on  2023/04/12

AI Summary
This report provides a comprehensive analysis of the Memcrashed exploit, focusing on the principles of key/value databases, the mechanics of the Memcrashed attack, and potential solutions to mitigate the vulnerability. It begins by explaining how key/value databases function, providing examples of their use in scenarios like stock tickers and IP forwarding tables. The report then details the Memcrashed exploit, a distributed denial-of-service (DDoS) attack leveraging the Memcached system, and outlines various preventative measures for Memcached users, system administrators, and developers. These solutions include disabling UDP support, implementing firewalls, and avoiding vulnerable coding practices. Finally, the report explores the future implications of Memcached vulnerabilities, emphasizing the importance of proper data filtering and safe data deserialization to prevent arbitrary code execution, and suggests best practices for caching data to improve application scalability and security. The document includes references to support its analysis and recommendations.
Running head: COMPUTER SECURITY
Computer Security
Name of Student-
Name of University-
Author’s Note-
Principles of Key/value databases
A key/value database is a data storage paradigm designed for storing, retrieving and
managing associative arrays. This data structure is commonly known as a data dictionary or
hash table (Da et al. 2017). A dictionary contains a collection of objects or records, each of
which may have various fields that hold data. Records are stored and retrieved using a key
that uniquely identifies each record and allows the data to be found quickly in the
database.
Key/value databases work very differently from relational databases. The key/value pair
is a concept established in programming languages. A key/value database is a type of NoSQL
database that uses the key/value method for storing data.
Example of key/value stores: the example below shows a stock ticker recording buy and
sell orders, the total number of shares, and the total price.
Key          Value
452135562    AVGO, sell, 425, 146.78
136547899    CERN, buy, 125, 145.54
785461235    APPL, sell, 524, 258.45
Another example of a key/value database is an IP forwarding table, shown below. The
table maps IP addresses to their corresponding MAC addresses on a physical computer.
Key             Value
421.78.54.32    01:45:32:0r:s2:44
247.32.77.56    06:t5:42:55:2k:75
The key in a key/value pair must be unique. The key is a unique identifier that allows the
user to access all the values associated with it. The key may contain any value, but what is
permitted depends on the DBMS. For example, the maximum size allowed in Redis is 512 MB,
so the user can use a binary sequence as a key (Gu et al. 2015). A key can be a short text
string, an image file, or even an empty string. The value in the pair can consist of
anything: text, numbers, code such as HTML or PHP, or image files.
The value can even be another key/value pair encapsulated within it. The Redis DBMS
allows values to be specified as binary-safe strings, collections of strings, collections of
string elements, hashes and bit arrays.
Description of memcrashed exploit
Memcached is a free, open-source, high-performance system designed to speed up dynamic
web applications. It is a distributed memory caching system that speeds up applications by
alleviating database load (Zhang, Zhang and Lee 2016). Clients communicate with memcached
servers over TCP and UDP on port 11211. Researchers from several security firms have
reported that threat actors have started abusing the memcached protocol to power DDoS
(Distributed Denial of Service) attacks, known as memcached DDoS attacks.
In a memcached attack, the attacker first sends a request to the targeted server on port
11211. The attacker involves the memcached server in the DDoS by spoofing the IP address of
the victim (Gupta and Sharma 2018). The request sent by the attacker is only a few bytes,
and the response can be ten times larger, which results in amplification of the attack.
An attacker who is capable of IP spoofing sends forged requests, carrying the victim's
address, to a vulnerable UDP server. Unaware that the request is forged, the UDP server
prepares to respond (Dietzel et al. 2018). The problem arises when thousands of requests
are sent and their responses are delivered to an unsuspecting target host. Amplification
attacks are very effective because the response packets are large compared to the request
packets. Obscure amplification attacks happen all the time.
Solution to memcrashed exploit
A number of measures can be taken to protect a network from memcached attacks. They are
listed below:
Memcached users: Users running memcached are advised to disable UDP support if they are
not using it (Slocombe 2018). When starting memcached, the user can specify
--listen 127.0.0.1 to listen only on localhost, and -U 0 to disable UDP. The user can test
whether the server is vulnerable by running the following code:
After running this code, if the user sees a non-empty response, the server is vulnerable.
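An offline audit of the two start-up settings named above (UDP port and listen address), as an added example that is not part of the original report. The function names and the sample configuration are constructed for illustration; the udp_on_by_default switch is an assumption the caller sets to model memcached releases before 1.5.6, where UDP was on unless -U 0 was given.

```python
import ipaddress
import shlex

# Option spellings for the three settings audited (the dict values are our own labels).
FLAGS = {"-p": "port", "--port": "port", "-U": "udp", "--udp-port": "udp",
         "-l": "listen", "--listen": "listen"}

def parse_options(conf_text):
    """Collect TCP port, UDP port and listen address from option text."""
    tokens = []
    for line in conf_text.splitlines():
        tokens += shlex.split(line, comments=True)   # drops '# ...' comments
    found, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            flag, _, value = tok.partition("=")       # --listen=127.0.0.1
        else:
            flag, value = tok[:2], tok[2:]            # -U0 or -U 0
        if flag in FLAGS:
            if not value and i + 1 < len(tokens):
                i += 1
                value = tokens[i]
            found[FLAGS[flag]] = value
        i += 1
    return found

def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False      # hostname or host:port form: treat as exposed

def audit(conf_text, udp_on_by_default=False):
    """Report whether these options leave a UDP listener reachable off-host."""
    o = parse_options(conf_text)
    tcp_port = int(o.get("port", 11211))
    udp_port = int(o.get("udp", tcp_port if udp_on_by_default else 0))
    listen = o.get("listen")                          # None: all interfaces
    local = listen is not None and all(is_loopback(a) for a in listen.split(","))
    return {"udp_port": udp_port, "loopback_only": local,
            "udp_reflector_risk": udp_port != 0 and not local}

# Constructed sample in the one-option-per-line memcached.conf style.
SAMPLE = "# web tier cache\n-m 64\n-p 11211\n-u memcache\n-l 0.0.0.0\n"
```

Calling audit(SAMPLE, udp_on_by_default=True) flags the sample as a reflector risk, while the same options with -U 0 and --listen 127.0.0.1 do not.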
System administrators: System administrators should ensure that memcached servers
connected to the internet are protected by a firewall (Singh and Singh 2018). To test
whether the servers can be reached over UDP, the following example is to be run, and to
verify that TCP is closed, the user needs to run nmap.
Developers: Developers are advised to stop using UDP. UDP must not be enabled by
default. A developer who does not know what an amplification attack is should not type
SOCK_DGRAM into their editor (Lukaseder et al. 2018). If UDP is used, the response must
always be a packet smaller than the request; otherwise, the protocol will be abused. A
firewall should be in place on the network to prevent this type of attack. Both inbound and
outbound UDP traffic on port 11211 should be blocked at the network edge.
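To see what an edge block on UDP 11211 would stop in each direction, the following added example (not part of the original report) labels flow records that cross the edge and counts how many remote servers are reflecting at each internal host. The record layout, function names and sample flows are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

MEMCACHED_PORT = 11211

def classify(flow, internal_net):
    """Label one flow record by direction across the network edge."""
    if flow["proto"] != "udp":
        return None
    net = ipaddress.ip_network(internal_net)
    src_in = ipaddress.ip_address(flow["src"]) in net
    dst_in = ipaddress.ip_address(flow["dst"]) in net
    if src_in == dst_in:
        return None                      # never crosses the edge
    direction = "outbound" if src_in else "inbound"
    if flow["sport"] == MEMCACHED_PORT:
        return direction + "-reply"      # inbound: reflected traffic at a victim
    if flow["dport"] == MEMCACHED_PORT:
        return direction + "-request"    # inbound: outsider reaching a server
    return None

def edge_report(flows, internal_net):
    """Total bytes per label, plus distinct remote sources per reflection target."""
    totals = defaultdict(int)
    reflectors = defaultdict(set)
    for f in flows:
        label = classify(f, internal_net)
        if label is None:
            continue
        totals[label] += f["bytes"]
        if label == "inbound-reply":
            reflectors[f["dst"]].add(f["src"])
    targets = {dst: len(srcs) for dst, srcs in reflectors.items()}
    return dict(totals), targets

# Constructed flow records; addresses are from private and documentation ranges.
FLOWS = [
    {"proto": "udp", "src": "198.51.100.7", "sport": 11211, "dst": "10.0.0.5", "dport": 40000, "bytes": 140000},
    {"proto": "udp", "src": "203.0.113.9", "sport": 11211, "dst": "10.0.0.5", "dport": 40000, "bytes": 90000},
    {"proto": "udp", "src": "203.0.113.20", "sport": 53000, "dst": "10.0.0.8", "dport": 11211, "bytes": 15},
    {"proto": "udp", "src": "10.0.0.8", "sport": 11211, "dst": "203.0.113.20", "dport": 53000, "bytes": 1400},
    {"proto": "tcp", "src": "10.0.0.3", "sport": 51000, "dst": "10.0.0.8", "dport": 11211, "bytes": 300},
    {"proto": "udp", "src": "10.0.0.3", "sport": 51000, "dst": "10.0.0.8", "dport": 11211, "bytes": 30},
]
```

An outbound-reply total above zero means an internal memcached server is answering outside hosts over UDP, which is the case the -U 0 setting and the outbound edge rule both close.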
Future importance and effectiveness of memcrashed exploit
Vulnerabilities in a computer network mainly come from incorrect filtering of input
parameters. Such flawed input handling not only allows commands to be injected into the
protocol between the client and the server, but also affects other driver functions,
including those that deserialize objects (Burke, Herbert and Mooi 2018). In many cases,
unsafe deserialization of data from the data store allows an attacker to execute arbitrary
code on the system. Proper filtering of the data, or use of the binary protocol, can be an
effective countermeasure against such attacks.
When an application is designed, time should be taken to decide which data sets are to be
cached for future use. These might include commonly viewed pages or frequently read data
store entities. There might also be some data in the application that is to be shared among
all instances of the application, but that does not have to persist forever. In those cases,
memcache should improve the scalability of the application by providing a fast, efficient,
distributed storage system for transferring the data. Adding memcache logic to the server
requires only a few extra lines of code.
The study of the drivers used with popular memcached data stores reveals vulnerabilities
in how data is handled. These vulnerabilities involve errors in filtering the characters of
input parameters (Hyder and Lung 2018). In practice, this allows commands to be implanted
in the protocol exchanged between the server and the client, executing operations available
within the protocol framework, and also affects other driver functions that perform
deserialization. It is safe to say that the possible attacks on memcached databases are
largely similar to SQL injection. Similar attacks seen in practice lead to different
results, ranging from authentication bypass to execution of the program's interpreter code.
References
Burke, I.D., Herbert, A. and Mooi, R., 2018, September. Using network flow data to analyse
distributed reflection denial of service (DRDoS) attacks, as observed on the South African
national research and education network (SANReN): a postmortem analysis of the memcached
attack on the SANReN. In Proceedings of the Annual Conference of the South African Institute
of Computer Scientists and Information Technologists (pp. 164-170). ACM.
Da, C., Xu, S., Ding, K., Meng, G., Xiang, S. and Pan, C., 2017. AMVH: Asymmetric multi-
valued hashing. In Proceedings of the IEEE Conference on Computer Vision and Pattern
Recognition (pp. 736-744).
Dietzel, C., Smaragdakis, G., Wichtlhuber, M. and Feldmann, A., 2018, December. Stellar:
network attack mitigation using advanced blackholing. In Proceedings of the 14th International
Conference on emerging Networking EXperiments and Technologies (pp. 152-164). ACM.
Gu, Y., Shen, S., Wang, J. and Kim, J.U., 2015, June. Application of nosql database mongodb.
In 2015 IEEE International Conference on Consumer Electronics-Taiwan (pp. 158-159). IEEE.
Gupta, V. and Sharma, E., 2018, September. Mitigating DNS Amplification Attacks Using a Set
of Geographically Distributed SDN Routers. In 2018 International Conference on Advances in
Computing, Communications and Informatics (ICACCI) (pp. 392-400). IEEE.
Hyder, H.K. and Lung, C.H., 2018, December. Closed-Loop DDoS Mitigation System in
Software Defined Networks. In 2018 IEEE Conference on Dependable and Secure Computing
(DSC) (pp. 1-6). IEEE.
Lukaseder, T., Stölzle, K., Kleber, S., Erb, B. and Kargl, F., 2018. An SDN-based Approach for
Defending against Reflective DDoS Attacks. arXiv preprint arXiv:1808.01177.
Singh, K. and Singh, A., 2018, October. Memcached DDoS Exploits: Operations,
Vulnerabilities, Preventions and Mitigations. In 2018 IEEE 3rd International Conference on
Computing, Communication and Security (ICCCS) (pp. 171-179). IEEE.
Slocombe, G., 2018. World's largest publicly revealed distributed denial of service attack. Asia-
Pacific Defence Reporter (2002), 44(3), p.30.
Zhang, T., Zhang, Y. and Lee, R.B., 2016. Memory DoS attacks in multi-tenant clouds: Severity
and mitigation. arXiv preprint arXiv:1603.03404.