注册
登录
近日,国内外多家安全公司和机构接连发布了针对 Memcached 超级DRDoS(Distributed Reflection Denial of Service)攻击的预警,引发各方关注。雷锋网此前也曾就其对 GitHub 发起的攻击进行过报道,当时攻击的最大峰值流量达到了惊人的 1.35T。 要知道,在2月27号之前,Memcached的反射攻击事件流量范围不过几百兆到500G。只有短短几天,攻击峰值的历史纪录就迅速被翻倍刷新,并且攻击发生的频率从一天十几次到几百次,呈现爆发式增长。 目前,Memcached分布情况如何?黑客是如何发起攻击的?应该如何检查和预防? 1、事件回顾据监控数据显示,从本周一至周五(2月26日至3月2日 06:00)短短5天内,全球就发生了 79 起利用 Memcached 协议的反射放大攻击。日攻击总流量最高达到 419TBytes。  Memcached反射放大攻击日攻击次数  Memcached反射放大攻击日攻击总流量 其中,针对我国境内的 Memcached 反射放大攻击就有68次,江苏、浙江两省被攻击频繁。针对我国境内的攻击,单次攻击最高攻击峰值达 505Gbps。攻击持续时间最长的一次发生在3月1日,持续1.2小时,总攻击流量达103.8TBytes。  中国各省份地区Memcached反射放大攻击次数 从影响范围来看,所有互联网的业务都可能成为Memcached DRDoS的攻击对象。一方面带宽或业务遭受超大流量的攻击,导致出口带宽完全被占满,正常业务无法访问;另一方面企业内部的Memcached系统可能被不法分子利用成为攻击帮凶。 2、攻击分析2.1 什么是Memcached? Memcached是一个高性能的开源分布式内存对象缓存系统,主要用于提高Web应用的扩展性,能够有效解决大数据缓存的很多问题,在全球范围内都有广泛使用。Memcached基于内存的key-value存储小块数据,并使用该数据完成数据库调用、API调用或页面渲染等。攻击者正是利用 key-value 这项功能构造了大流量的Memcached反射攻击。 2.2 Memcached分布情况 最新统计显示,全球总共有3790个Memcached服务器被利用参与到这些Memcached反射放大攻击。这些被利用反射源遍布于全球96个国家或地区范围内。其中,美国就占了全球的1/4。  分布在中国地区的被利用的Memcached服务器位列第二位,占比12.7%。在中国各省份占比如下所示,广东、北京、浙江为TOP3。 据绿盟科技威胁情报中心(NSFOCUS Network Threat Intelligence,简称NTI)的统计结果显示,全球范围内存在被利用风险的Memcached服务器为104,506台。分布情况如下:  从地理分布来看,美国可被利用的Memcached服务器最多,其次是中国。  这些活跃的Memcached反射器为构造超级DRDoS攻击提供了有力的先决条件。如果不及时修复治理,预计基于Memcached反射攻击的攻击事件会继续增加,后果不敢想象。 2.3 Memcached如何形成DRDoS攻击? Memcached反射攻击的构造过程分为如下3步; 1. 收集反射器IP 通过NTI/Shodan等情报引擎找到开放的Memcached系统,获取系统IP; 2. 配置反射器 利用开放的Memcached系统作为反射器,并修改key-value配置实现较大的存储容量,为构造反射放大攻击进行准备; 3. 发起反射攻击 攻击者将自身IP伪造成攻击的目标地址,并向Memcached反射器发送请求读取Memcached在key-value中存储的信息。Memcached在收到请求后向伪造的虚假源IP进行回复,从而形成反射。  Memcached反射攻击示意图 当大量Memcached被同时利用,并用同一个伪造源IP进行回复,就轻而易举地形成了针对这个伪造源(受害者)的大流量DRDoS攻击。 2.4 Memcached的攻击特征 DRDoS(Distributed Reflective Denial-of-Service)是DDoS攻击分类中的一种。 此前各类安全厂商监测到的DRDoS攻击主要是SSDP反射、DNS反射、NTP反射等。下表(引自US-Cert)详细列举了各类反射攻击的放大倍数。  仅从放大倍数来看,Memcached反射攻击的危害程度远远高于其他反射攻击类型,US-Cert提供的数据显示它能够实现51,000倍的放大效果。 与其他反射攻击相比,Memcached如何实现这么多倍的放大效果呢?其中的重要原因就是Memcached的key-value功能。前文提到key-value的作用是决定存储容量的大小,正常情况下key-value的值通常不超过几千字节。当Memcached被攻击者利用作为反射器时,key-value的值经过修改可以达到100万字节以上。 攻击过程: 第一步,通过命令修改Memcached上的key-value参数,以提升放大倍数。 send = "set t 0 900 1048501" + "\r\n" + ‘a’ * 1048501 + "\r\n" socket.sendall(send) 经验证,key-value的最大值为1048501。 第二步通过get命令读取Memcached的存储信息,并反射到目标IP。 get="\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00get t\r\n" socket.sendto(get, (host, 11211)) 形成的攻击报文如下:  触发Memcached反射攻击的请求报文最小为15字节,包含为8字节(RFC规定字段)+3字节 (get)+1(空格)+最小为1字节(键的名称 )+2字节 (\r\n),而返回的请求数据达到105万字节,理论上可放大到接近7万倍。如此强悍的放大攻击,与其他各类DRDoS攻击形成断崖式的差距对比。 3、Memcached攻击防护加固建议3.1 Memcached系统自查建议 攻击的形成过程为我们提供了一个很好的预警思路,安全产品可针对Memcached的key-value配置进行检测,在Memcached系统被利用成为攻击源之前就进行拦截。检测流程如下:  (1)检测目的端口为11211的TCP或UDP报文(确保是Memcached服务器); (2)检测报文是否为set命令(set命令格式参见附录),如果是则执行(3),否则结束检测; (3)检测set命令后面的bytes字段值(如下图中标注的1048501),是否超过设定的阈值,如果是,则可以怀疑该报文存在异常;  (4)检测到该类异常控制报文后,可有如下两种处理方式: a.告警并监控。为了防止被误杀,建议同时监控该Memcached服务器后面的流量变化来进一步判断该服务器是否被用做了反射器。 b. 直接丢弃。如果有足够的证据表明该记录是恶意添加的,直接丢弃可以保证服务器不被当做反射器。 自查举例:假设下图是公网的一台Memcached服务器上获取的数据。 通常情况下,多数value的大小都在64K以内,而最后一条的达到了将近1M,与其他记录有很明显的差别,基本上可以判断该记录存在问题,该服务器可能已经被利用。 3.2 Memcached攻击流量清洗 面对如此大规模、大范围的DDoS攻击威胁,所有网络安全节点都应该加强防范,从攻击防护和外发清洗两方面入手,充分保障基础设施和业务流量的安全。针对此攻击,我们提供如下防护建议: ·运营商。 运营商及IDC处于网络上游,拥有强大的带宽资源,是攻击最直接的受害者,也是防护的第一道屏障。运营商能够灵活控制路由策略和防护策略进行快速过滤。 1)在边界配置UDP访问控制规则,将源端口为11211的报文进行阻断或限速; 2)在边界配置BGP FlowSpec策略,对源端口为11211的UDP流量进行阻断或限速; 3)利用DDoS防护设备将源端口为11211的UDP流量进行阻断或限速。 ·企业用户 企业用户通常贴近服务终端,熟悉掌握自身业务流量特点,策略配置更加明确,灵活性强。 1)大型企业客户可以采用和运营商相同的策略,在出口边界设备配置UDP访问控制规则或BGP FlowSpec策略对源端口为11211的UDP流量进行阻断或限速; 2)不具备出口路由配置权限的企业客户,可以在抗DDoS等设备上配置防护策略,对源端口为11211的UDP流量进行阻断或限速; 3)考虑企业出口带宽可能被打满的情况,企业客户可通过运营商或云清洗服务在上游执行清洗策略,策略内容同样是对源端口为11211的UDP流量进行阻断或限速。 3.3 Memcached系统防护加固 对于正在使用Memcached系统的用户,为了避免被攻击者利用,使Memcached成为攻击源,对外发起攻击流量,影响自身系统性能,我们提供如下几点建议。 1)在边界网络设备上配置URPF策略,过滤外发的虚假源IP报文; 2)在Memcached系统前进行深度检测,直接过滤报文特征中set key 0 900 64000的第三个字段过大的数据包,这样做可以在Memcached系统被修改利用成为攻击源前进行拦截; 3)对Memcached服务进行安全检查,查看Memcached服务是否监听UDP端口。查找Memcached进程,查看是否有-l参数,如果没有则默认为0.0.0.0。若Memcached服务不需要监听UDP,禁用UDP。详情参考Memcached官方文档: https://github.com/memcached/memcached/wiki/ConfiguringServer#udp 附录set 命令的基本语法格式如下: set key flags exptime bytes [noreply] value 参数说明如下: key:键值 key-value 结构中的 key,用于查找缓存值。 flags:包括键值对的整型参数,客户机使用它存储关于键值对的额外信息 。 exptime:在缓存中保存键值对的时间长度(以秒为单位,0 表示永远) bytes:在缓存中存储的字节数 noreply(可选): 该参数告知服务器不需要返回数据 value:存储的值(始终位于第二行)(可直接理解为key-value结构中的value) 相关文章:GitHub 遭遇有史以来最严重DDoS攻击,黑客想玩票大的? 此文为绿盟科技&电信云堤联合投稿,雷锋网编辑。 , groupId: 6529307640344871437, itemId: 6529307640344871437, type: 2, subInfo: { isOriginal: false, source: 雷锋网, time: 2018-03-05 12:08:03 }, tagInfo: { tags: [{"name":"Memcached"},{"name":"美国"},{"name":"DNS"},{"name":"黑客"},{"name":"绿盟科技"}], groupId: 6529307640344871437, itemId: 6529307640344871437, repin: 0, }, has_extern_link: 0 }, commentInfo: { groupId: 6529307640344871437, itemId: 6529307640344871437, comments_count: 5, ban_comment: 0 }, mediaInfo: { uid: 6101038992, name: 雷锋网, avatar: //p3.pstatp.com/large/2b7000b08216d5fe4e6, openUrl: /c/user/6101038992/, follow: false }, pgcInfo: {"media_info":{"open_url":"/c/user/6101038992/","avatar_url":"https://p3.pstatp.com/large/2b7000b08216d5fe4e6","media_id":6101038992,"name":"雷锋网","user_verified":false},"articles":[{"item_id":"6529432198213272078","url":"/item/6529432198213272078","title":"Uber创始人欲建区块链支付网络,赠予用户5000亿代币"},{"item_id":"6529400107383652867","url":"/item/6529400107383652867","title":"顾维维就任百度新兴业务及技术体系市场负责人 直接向张亚勤汇报"},{"item_id":"6529400101855560195","url":"/item/6529400101855560195","title":"因黑客盗走5亿美元代币,日本16家加密货币交易所成立自律组织"},{"item_id":"6529400102082052622","url":"/item/6529400102082052622","title":"PayPal欲推“快速虚拟货币交易系统”"}]}, feedInfo: { url: /api/pc/feed/, category: __all__, initList: [{"comments_count":0,"media_avatar_url":"//p10.pstatp.com/large/150d000df10abd500b0b","is_feed_ad":false,"is_diversion_page":false,"title":"“A closed book”不是“一本关上的书”","single_mode":true,"gallary_image_count":6,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6529150532852908552/","source":"柯林阅读","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p3.pstatp.com/list/190x124/65b7001db243345369c6","group_id":"6529150532852908552","is_related":true,"media_url":"/c/user/4766121872/"},{"comments_count":19,"media_avatar_url":"//p6.pstatp.com/large/5949000415c52dc52f9d","is_feed_ad":false,"is_diversion_page":false,"title":"Java程序员百度面试攻略,针针见血,助你成功拿到百度offer","single_mode":true,"gallary_image_count":5,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6503754658358493710/","source":"JAVA架构进阶技术","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p9.pstatp.com/list/190x124/50a700055dc366e5be04","group_id":"6503754658358493710","is_related":true,"media_url":"/c/user/5906569121/"},{"comments_count":39,"media_avatar_url":"//p1.pstatp.com/large/4b0100026274e1b075d9","is_feed_ad":false,"is_diversion_page":false,"title":"十分钟学会Redis,就这么简单","single_mode":true,"gallary_image_count":81,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6507370633981067780/","source":"我是一只燃烧的火鸟","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p3.pstatp.com/list/190x124/56780003fae790f8bd22","group_id":"6507370633981067780","is_related":true,"media_url":"/c/user/5544662271/"},{"comments_count":54,"media_avatar_url":"//p1.pstatp.com/large/567d000381ede03470dc","is_feed_ad":false,"is_diversion_page":false,"title":"[安全工具]SSH客户端神器MobaXterm,该抛弃putty、Xshell和CRT了","single_mode":true,"gallary_image_count":19,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6527143721975153166/","source":"虫虫安全","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p3.pstatp.com/list/190x124/66b7000300d4e8eea980","group_id":"6527143721975153166","is_related":true,"media_url":"/c/user/84552109427/"},{"comments_count":8,"media_avatar_url":"//p8.pstatp.com/large/4aed0001cf2e44842ded","is_feed_ad":false,"is_diversion_page":false,"title":"zookeeper设计原则和工作原理","single_mode":true,"gallary_image_count":7,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6500040588123963917/","source":"JAVA小生","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p3.pstatp.com/list/190x124/4e700003630fedf3117a","group_id":"6500040588123963917","is_related":true,"media_url":"/c/user/61576980894/"},{"comments_count":17,"media_avatar_url":"//p3.pstatp.com/large/56850000401dd6eec8c1","is_feed_ad":false,"is_diversion_page":false,"title":"IPFS——未来分布式永久有效的互联网HTTP","single_mode":true,"gallary_image_count":5,"middle_mode":true,"has_video":false,"video_duration_str":null,"source_url":"/group/6508631640166629896/","source":"BT学习交流","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p1.pstatp.com/list/190x124/56840003d0cb1a7e4711","group_id":"6508631640166629896","is_related":true,"media_url":"/c/user/1614525349/"},{"comments_count":20,"media_avatar_url":"//p3.pstatp.com/large/50a6000363d38548b9cb","is_feed_ad":false,"is_diversion_page":false,"title":"64位操作系统真的能支持16EB内存吗?","single_mode":true,"gallary_image_count":2,"middle_mode":true,"has_video":false,"video_duration_str":null,"source_url":"/group/6515637695350309384/","source":"歪脖人言","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p3.pstatp.com/list/190x124/5b5800021ed965c5d735","group_id":"6515637695350309384","is_related":true,"media_url":"/c/user/82547815825/"},{"comments_count":4,"media_avatar_url":"//p3.pstatp.com/large/5e830004fbb0386ea230","is_feed_ad":false,"is_diversion_page":false,"title":"我所了解的Restful","single_mode":true,"gallary_image_count":2,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6527498440060961293/","source":"我所知道的","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p9.pstatp.com/list/190x124/66b900053ed439d12757","group_id":"6527498440060961293","is_related":true,"media_url":"/c/user/91504389465/"},{"comments_count":18,"media_avatar_url":"//p1.pstatp.com/large/4b0100026274e1b075d9","is_feed_ad":false,"is_diversion_page":false,"title":"搞定mysql优化,十分钟就够了","single_mode":true,"gallary_image_count":42,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6510087097238422019/","source":"我是一只燃烧的火鸟","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":2,"image_url":"//p3.pstatp.com/list/190x124/56940003bbccd252a3f7","group_id":"6510087097238422019","is_related":true,"media_url":"/c/user/5544662271/"},{"comments_count":20,"media_avatar_url":"//p1.pstatp.com/large/4b0100026274e1b075d9","is_feed_ad":false,"is_diversion_page":false,"title":"身为程序员的你不得不看,史上最详细的SVN教程","single_mode":true,"gallary_image_count":74,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6508963146512728590/","source":"我是一只燃烧的火鸟","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":2,"image_url":"//p1.pstatp.com/list/190x124/568c000101a1c4f1dcfa","group_id":"6508963146512728590","is_related":true,"media_url":"/c/user/5544662271/"},{"media_avatar_url":"//p5a.pstatp.com/large/5acb000723cf60d046bb","is_feed_ad":false,"is_diversion_page":false,"title":"轻�0�5级微服务架构技能图谱之微服务基础","single_mode":false,"gallary_image_count":0,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6519382527365349895/","source":"程序员庞深","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"comments_count":2,"group_id":"6519382527365349895","is_related":true,"media_url":"/c/user/50999024546/"},{"comments_count":14,"media_avatar_url":"//p1.pstatp.com/large/289a0000aac89d3b80cb","is_feed_ad":false,"is_diversion_page":false,"title":"玩儿游戏还可以编程 你怕了吗 妈妈再也不用担心我的学习","single_mode":true,"gallary_image_count":10,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6515242315500487175/","source":"玩转树莓派","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":37,"image_url":"//p3.pstatp.com/list/190x124/5b51000513c6de123cd5","group_id":"6515242315500487175","is_related":true,"media_url":"/c/user/4587092865/"},{"comments_count":1,"media_avatar_url":"//p1.pstatp.com/large/53f0000406e585be9225","is_feed_ad":false,"is_diversion_page":false,"title":"Qt Creator软件在window下GUI应用,信号和信号槽的联系!","single_mode":true,"gallary_image_count":3,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6512395173714985476/","source":"小小梦想家张先生","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p3.pstatp.com/list/190x124/5946000116b0a9241d63","group_id":"6512395173714985476","is_related":true,"media_url":"/c/user/76094120606/"},{"comments_count":20,"media_avatar_url":"//p1.pstatp.com/large/4b0100026274e1b075d9","is_feed_ad":false,"is_diversion_page":false,"title":"十分钟让你学会LNMP架构负载均衡","single_mode":true,"gallary_image_count":44,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6504873140420608526/","source":"我是一只燃烧的火鸟","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p3.pstatp.com/list/190x124/53ea0004938545bcba99","group_id":"6504873140420608526","is_related":true,"media_url":"/c/user/5544662271/"},{"comments_count":36,"media_avatar_url":"//p3.pstatp.com/large/4700000194b6cd4efb36","is_feed_ad":false,"is_diversion_page":false,"title":"为什么很多公司不要从IT培训机构出来的程序员?想转行的人注意!","single_mode":true,"gallary_image_count":6,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6500550736013689357/","source":"嘟嘟黑科技","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":1,"image_url":"//p3.pstatp.com/list/190x124/4e760002b0a261801cd2","group_id":"6500550736013689357","is_related":true,"media_url":"/c/user/6965519406/"},{"comments_count":2,"media_avatar_url":"//p1.pstatp.com/large/50950003697c80b81fac","is_feed_ad":false,"is_diversion_page":false,"title":"常用linux命令","single_mode":true,"gallary_image_count":1,"middle_mode":true,"has_video":false,"video_duration_str":null,"source_url":"/group/6503796853908177422/","source":"东三环的coder","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p1.pstatp.com/list/190x124/50ac000057618cf202aa","group_id":"6503796853908177422","is_related":true,"media_url":"/c/user/72916831480/"},{"comments_count":0,"media_avatar_url":"//p3.pstatp.com/large/46f90002887660cfab9d","is_feed_ad":false,"is_diversion_page":false,"title":"做生物信息学分析碰壁?其实是你没有用对工具","single_mode":true,"gallary_image_count":5,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6527497067378508291/","source":"深圳南博屹生物科技","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p3.pstatp.com/list/190x124/66b70005c4ce9be839ed","group_id":"6527497067378508291","is_related":true,"media_url":"/c/user/76878498408/"},{"comments_count":26,"media_avatar_url":"//p1.pstatp.com/large/4b0100026274e1b075d9","is_feed_ad":false,"is_diversion_page":false,"title":"五分钟带你详解Nginx","single_mode":true,"gallary_image_count":4,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6510421437671539213/","source":"我是一只燃烧的火鸟","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p1.pstatp.com/list/190x124/5930000216a8f8b47654","group_id":"6510421437671539213","is_related":true,"media_url":"/c/user/5544662271/"},{"comments_count":4,"media_avatar_url":"//p3.pstatp.com/large/5937000103c8818800e4","is_feed_ad":false,"is_diversion_page":false,"title":"迁移之路——从Ubuntu到Fedora(1)","single_mode":true,"gallary_image_count":3,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6520063516299231758/","source":"魏智勇","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":1,"image_url":"//p3.pstatp.com/list/190x124/61610000b5d63521302b","group_id":"6520063516299231758","is_related":true,"media_url":"/c/user/83482462187/"},{"comments_count":25,"media_avatar_url":"//p1.pstatp.com/large/436c00024b87c9b7db43","is_feed_ad":false,"is_diversion_page":false,"title":"Python 竟然可以在论文显得神逼格!","single_mode":true,"gallary_image_count":19,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6520923392705561096/","source":"我的一点点看法","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":2,"image_url":"//p3.pstatp.com/list/190x124/5e7a00034289dd97a016","group_id":"6520923392705561096","is_related":true,"media_url":"/c/user/74735846681/"}] }, shareInfo: { shareUrl: https://m.toutiao.com/item/6529307640344871437/, abstract: 雷锋网此前也曾就其对GitHub发起的攻击进行过报道,当时攻击的最大峰值流量达到了惊人的1.35T。 |
|
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系
[邮箱地址] 删除
|
