Cavalry riding to the rescue of DDoS-deluged memcached users

DDoS attacks taking advantage of ill-advised use of memcached have begun to decline, either because sysadmins are securing the process, or because people are using a potentially-troublesome “kill switch”. Memcached is a handy caching tool that can improve database performance but has no security controls because it was never …

  1. Anonymous Coward

    I suppose that the use of this flush_all command is a bit like going on to a neighbour's property to put out a fire started by an unattended BBQ that's grown big enough to be threatening one's own. That is, the neighbour almost certainly will be grateful.

    1. Voland's right hand Silver badge

      > That is, the neighbour almost certainly will be grateful.

      Not necessarily. ~10 years ago the kids next door successfully spilled petrol while siphoning it out of dad's Nissan to fill up their motorcycles. Then they somehow managed to set it on fire. I got there just in time with a fire extinguisher to put it out. A few more seconds and it would have made a very nice caboom - the lids on the car tank and the motorcycle tank were still off with fire burning nicely under the car. I put it out and left it at that. They gave me "the evil eye" for the next 5 years until the whole family moved out (by that time one of the kids had fledged and left).

      Coming back to memcached - if you have someone antisocial enough to leave it in this state after all the publicity you should not expect him to react sanely after you issue the equivalent of "drop database" on him.

    2. tip pc Silver badge

      What’s the difference

      What’s the difference between someone causing your machine to send some traffic to a remote target consuming some bandwidth that you don’t notice and someone sending commands to your machine intentionally causing it to dramatically slow down?

      You can guarantee all those that had no clue their machines were involved in DDoS would be hugely pissed to find their machines now under attack from do-gooders. You'll find out how grateful they are when you get a visit by the police, or if in the US and you're lucky, the FBI break down your door; otherwise the local police come in guns blazing, shooting first and asking questions later.

    3. Ilsa Loving

      Resp

      >I suppose that the use of this flush_all command is a bit like going on to a neighbour's property to put out a fire started by an unattended BBQ that's grown big enough to be threatening one's own. That is, the neighbour almost certainly will be grateful.

      I still remember when a long time ago a neighbour got his internet shut down because he had been infected with spamspewing malware. While I was troubleshooting exactly what was going on, he fumed about how none of this was his fault or his responsibility and his ISP should have protected him.

      I told him his only option was to reformat his hard drive and there was nothing else I could do. I sure as hell wasn't going to help him for free.

      So yeah, don't count on people stupid enough to set up an unsecured and unpatched memcached server to be thankful that their incompetence was called out.

      Simple rules for setting up a server on the internet:

      -Is it a backend server? Put it behind a firewall and set up network ACLs to restrict access to minimum required to function.

      -does it assist a front-end server? Put it behind a firewall and set up network ACLs to restrict access to minimum required to function.

      -Is it a front-end server? Put it behind a firewall, poke one hole, and set up network ACLs to restrict access to the minimum required to function. AND also restrict public URLs to only the ones the public should use if your server provides separate maintenance/admin URLs.

  2. TRT Silver badge

    "because changing the contents of a computer you don't own is illegal in many or most jurisdictions."

    Isn't that like every API, every server request, every web page?

  3. Anonymous Coward

    In the US that's a shootin' from the Feds

  4. sitta_europea Silver badge

    Use Tor.

    1. Speckled Jim

      Not in this circumstance.

  5. Anonymous Coward Silver badge

    Auto responders

    Set it up so that when you receive the flood from a DDoS, you reply back with this command. That way it can count as self-defence and you bypass all of these issues.

    1. John Sager

      Re: Auto responders

      Well, I wouldn't like to be the one to test this in court, especially if the dosser was in the US. Then we get into all the extradition shit that a few naughty boys here have had to endure.

    2. OldCrow

      Re: Auto responders

      Wasn't there a law for this in the U.S.?

      One that allows to "hack back" your hacker?

      Or is it still in the making?

      1. Claptrap314 Silver badge

        Re: Auto responders

        The first guy to propose that got a visit from the FBI that resulted in him rolling up what to that point had been his livelihood. According to him, the FBI's real concern (which they did not explicitly state) appeared to involve the fact that at the time (mid-to-late nineties) that the NSA & the Chinese were in a daily competition to see who could do more hacking.

        So, no. Computer hacking is on the list of rights exclusive to the State here in the US.

  6. Anonymous Coward

    killswitch

    Intruding on someone's computer never stopped anyone before... see Welchia/Nachi vs Blaster

  7. Brian Miller

    Slow?

    > It seems the slow business of getting memcached hidden behind firewalls...

    Slow? No, more like lethargic, or, given the circumstance, slothful.

    It doesn't take that long to write good iptables rules.
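An added example, not from the article or any of the commenters, of the kind of firewall rules the "put it behind a firewall and set up network ACLs" list and the "good iptables rules" remark above refer to: it prints iptables rules that restrict memcached's default port 11211 (TCP and UDP) to one trusted subnet, and checks `ss -lntu`-style listener lines for a memcached bound to a wildcard address. The trusted CIDR and the sample listener lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article or the commenters). Assumes iptables as
# the host firewall and memcached on its default port 11211.

# Print iptables commands that allow port 11211 only from $1 (a CIDR) and drop
# everything else on that port, for both TCP and UDP. Output only: nothing is
# applied unless an operator pipes the output into a root shell.
memcached_rules() {
    trusted="$1"
    for proto in tcp udp; do
        echo "iptables -A INPUT -p $proto --dport 11211 -s $trusted -j ACCEPT"
    done
    for proto in tcp udp; do
        echo "iptables -A INPUT -p $proto --dport 11211 -j DROP"
    done
}

# Return 0 if one `ss -lntu` line shows port 11211 bound to a wildcard address
# (0.0.0.0, * or [::]), i.e. reachable on every interface; 1 otherwise.
listener_exposed() {
    echo "$1" | grep -qE '(0\.0\.0\.0|\*|\[::\]):11211([[:space:]]|$)'
}

# Count exposed 11211 listeners in `ss -lntu` output read from stdin.
count_exposed() {
    n=0
    while IFS= read -r line; do
        listener_exposed "$line" && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample of `ss -lntu` output: a UDP listener on every interface
# (the amplification case) and a TCP listener on loopback only (fine).
SAMPLE_SS='udp   UNCONN 0 0      0.0.0.0:11211   0.0.0.0:*
tcp   LISTEN 0 1024   127.0.0.1:11211 0.0.0.0:*'

if [ "${1:-}" = "--demo" ]; then
    echo "exposed listeners: $(printf '%s\n' "$SAMPLE_SS" | count_exposed)"
    memcached_rules 10.0.0.0/8
fi
```

The firewall is the second line of defence; the first is memcached's own `-l 127.0.0.1` (listen on loopback) and `-U 0` (disable UDP), which remove the amplification vector regardless of the packet filter.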

    1. yoganmahew

      Re: Slow?

      @Brian

      "It doesn't take that long to write good iptables rules."

      You, my friend, have never worked for an enterprise! Useful work is measured in minutes of the day. Documentation, process, stories, agile-me-hole, fills the remainder of the week/month/quarter before you get through six sign-off milestones to production.

  8. TrumpSlurp the Troll

    Simples

    Spoof the source address on the flush_all command.

    After all somebody spoofed your address to launch the attack.

    Source for the goose is source for the gander.

    1. Adrian 4

      Re: Simples

      Upvoted for the pun.
