Hello, welcome to the Wednesday, February 28th, 2018 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Lots of talk the last few days about massive denial of service attack that use the MAMCash server as a reflector.

Problem here is MAMCash is a very simple memory based as the name implies no SQL database.

So simple key value storage and well because it's simple there's really no access control plus it is accessible

via udp. Now udp based protocols are always somewhat susceptible to spoofing and that's exactly

what's happening here. An attacker is spoofing a victim's source IP address and then sending a stats, short for status command, to the Memcash server.

In response, you will get, well, a status report of the Memcash server, which is at least around a kilobyte in size, but maybe several hundred

kilobytes in size.

So there is a massive amplification factor here.

If you are at the bad end, at the receiving end of denial of service attack like this, you

should see a lot of inbound UDP packets coming

from port 11,211.

Now typically these denial of service attacks are large enough where a simple firewall filter

probably won't save the day.

Maybe you're lucky but you're probably better off

with going upstream to an anti-denial of service provider that will help you to filter this

traffic far away from your own network. On the other hand, the administrators who keep

Memcash exposed, really not much you can do to help them. It is actually, well, not hard,

but not that easy to expose Memcash like this. By default, it only listens on the loopback interface. And if you actually look

at the configuration file, it has a specific warning that, well, you should not expose it to the

internet. But we all know people like to put stuff like this in the cloud and then they need to

...