On the 5th March 2018 the world's biggest DDoS attack was reported against a US-based service provider. The DDoS had a bandwidth of 1.7Tbps and was achieved using misconfigured Memcache servers. Memcached is a Linux daemon which caches data retrieved from databases and allows subsequent lookups to be served from the cache rather than the database. This is used to alleviate database load.

Older versions of these servers can be controlled by sending TCP or UDP packets with specified commands to port 11211. By default the Memcache daemon was bound to address 0.0.0.0 (all IPv4 adapters) and accepted both TCP and UDP data. This is where the problem arose: it meant the control interface for Memcached was publicly facing. The fact that it accepted UDP data also poses a problem. With TCP you have to perform the three-way SYN, SYN-ACK, ACK handshake to establish a connection. With UDP this isn't the case, which allows attackers to spoof the source IP address of a UDP packet so that the response is directed to the victim. If data was added to the cache and then requested using a UDP packet with a spoofed source address, a very small UDP request would reflect a much larger response to the victim. When multiplied over 1000s of vulnerable Memcache servers, this allows for a significant DDoS.

I decided to start up a server and try to interact with the scanners currently searching for vulnerable Memcache servers.

The first stage of the process is to simply listen on port 11211 to see how scanners are interacting with Memcache servers. I left tcpdump running for a couple of days and found four different interactions.
Stats Scanning
The first type of packet I received was stats scans: incoming UDP packets on port 11211 with the stats command in the payload. This causes the server to reply with general-purpose statistics and settings. The hex+ASCII dump can be found below:
0000 08 00 27 74 8e 80 08 00 27 d9 1b 7c 08 00 45 00 ..'t....'..|..E.
0010 00 2b ca 2b 40 00 40 11 ec 33 c0 a8 01 b6 c0 a8 .+.+@.@..3......
0020 01 5c 8d da 2b cb 00 17 84 8b 00 00 00 00 00 01 .\..+...........
0030 00 00 73 74 61 74 73 0d 0a ..stats..
Flushing
Another type of packet I received was the flush_all command. This simply invalidates all cached items. This command is being used as a method of stopping memcache servers from performing denial of service. You can find the hex+ASCII dump for this command below.
0000 08 00 27 74 8e 80 08 00 27 d9 1b 7c 08 00 45 00 ..'t....'..|..E.
0010 00 2f ca 25 40 00 40 11 ec 35 c0 a8 01 b6 c0 a8 ./.%@.@..5......
0020 01 5c eb 81 2b cb 00 1b 84 8f 00 00 00 00 00 01 .\..+...........
0030 00 00 66 6c 75 73 68 5f 61 6c 6c 0d 0a ..flush_all..
Clearing the cache will prevent the server from continuing to send data to the victim. The fact that I received a bunch of flush_all commands means that there are people trying to stop DDoS attacks by flushing all discovered Memcache servers.
Version Scanning
The third type of packet I received requested the version using the version command. This simply returned the current version number of the Memcache server being queried. The hex+ASCII dump can be found below:
0000 08 00 27 74 8e 80 08 00 27 d9 1b 7c 08 00 45 00 ..'t....'..|..E.
0010 00 2d c5 f5 40 00 40 11 f0 67 c0 a8 01 b6 c0 a8 .-..@.@..g......
0020 01 5c c0 d6 2b cb 00 19 84 8d 00 00 00 00 00 01 .\..+...........
0030 00 00 76 65 72 73 69 6f 6e 0d 0a ..version..
Unknown Scan
I’m not quite sure of the purpose of the final type of packet I received. The packet can be downloaded below for you to look at. If you know what it's for then please contact me using the links at the top of the page and let me know. The hex+ASCII dump can be found below:
0000 06 18 28 56 f0 64 06 df ca 54 fe 66 08 00 45 00 ..(V.d...T.f..E.
0010 00 5d 00 00 40 00 24 11 06 c3 7b f9 23 38 ac 1f .]..@.$...{.#8..
0020 04 7d 83 ea 2b cb 00 49 ec 53 00 01 00 00 00 01 .}..+..I.S......
0030 00 00 67 65 74 73 20 61 20 62 20 63 20 64 20 65 ..gets a b c d e
0040 20 66 20 67 20 68 20 6a 20 6b 20 6c 20 6d 20 6e f g h j k l m n
0050 20 6f 20 70 20 71 20 72 20 73 20 74 20 77 20 76 o p q r s t w v
0060 20 75 20 78 20 79 20 61 0d 0a 00 u x y a...
It looks to be trying to pull data from the cache, but using the alphabet as a key string.
It is evident that, with the exception of the final mystery packet, the captured packets are all intended purely to determine whether the server being scanned is vulnerable to the reflected DDoS. As I only had tcpdump running on port 11211, the scanners were not receiving the reply which would indicate that the server was vulnerable. Therefore no more interaction took place. My next step was to write a script to reply to these scans the same way a vulnerable memcache server would.
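As an added example (not part of the original post or the author's scripts), the following Python decodes the UDP payloads from the four dumps above and labels each probe. It assumes the 8-byte memcached UDP frame header (request ID, sequence number, total datagrams, reserved, each a 16-bit big-endian integer); the function names and category labels are made up for illustration.

```python
import struct

# UDP payloads taken from the four hex dumps above (bytes after the UDP header).
CAPTURED = {
    "stats": bytes.fromhex("0000000000010000") + b"stats\r\n",
    "flush_all": bytes.fromhex("0000000000010000") + b"flush_all\r\n",
    "version": bytes.fromhex("0000000000010000") + b"version\r\n",
    "unknown": bytes.fromhex("0001000000010000")
    + b"gets a b c d e f g h j k l m n o p q r s t w v u x y a\r\n\x00",
}

# Hypothetical category labels, chosen for this example only.
CATEGORIES = {
    "stats": "fingerprint",
    "version": "fingerprint",
    "flush_all": "flush",
    "get": "retrieval",
    "gets": "retrieval",
}


def parse_probe(payload):
    """Split a memcached UDP datagram into frame header and command line.

    Returns None when the datagram is too short or has no CRLF-terminated line.
    """
    if len(payload) < 8:
        return None
    request_id, sequence, total, reserved = struct.unpack("!HHHH", payload[:8])
    line, crlf, trailer = payload[8:].partition(b"\r\n")
    words = line.decode("ascii", "replace").split()
    if not crlf or not words:
        return None
    return {
        "request_id": request_id,
        "sequence": sequence,
        "total_datagrams": total,
        "reserved": reserved,
        "command": words[0],
        "args": words[1:],
        "trailing_bytes": len(trailer),
    }


def classify(payload):
    """Label a probe by what it asks the server to do."""
    probe = parse_probe(payload)
    # A single-datagram request has sequence 0, total 1 and a zero reserved field.
    header = None if probe is None else (
        probe["sequence"], probe["total_datagrams"], probe["reserved"])
    if header != (0, 1, 0):
        return "malformed"
    return CATEGORIES.get(probe["command"], "other")
```

Run over the captured payloads, the fourth packet stands apart from the other three: it is the only one with a non-zero request ID, it asks for 25 single-letter keys in one gets, and it carries one extra byte after the CRLF.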
Forging the replies
The easiest way to forge replies to these scans was to start my own memcache server in a virtual machine, send the flush_all, stats and version commands to it and see how it responded. Memcache version 1.4.25 disabled UDP connections by default. I'm assuming that the purpose of the version scans received was to determine if memcache was below this version and therefore more likely to be vulnerable. I installed version 1.4.24 for my testing. I piped echo through nc using the following three commands for the version scan, flush_all scan and stats scan respectively:
Version: echo -ne "\x00\x00\x00\x00\x00\x01\x00\x00\x76\x65\x72\x73\x69\x6f\x6e\x0d\x0a" | nc 192.168.1.92 -u 11211
Response HEX + ASCII:
0000 08 00 27 d9 1b 7c 08 00 27 74 8e 80 08 00 45 00 ..'..|..'t....E.
0010 00 34 39 33 40 00 40 11 7d 23 c0 a8 01 5c c0 a8 .493@.@.}#...\..
0020 01 b6 2b cb c0 d6 00 20 aa 05 00 00 00 00 00 01 ..+.... ........
0030 00 00 56 45 52 53 49 4f 4e 20 31 2e 34 2e 32 34 ..VERSION 1.4.24
0040 0d 0a ..
Flush_all: echo -ne "\x00\x00\x00\x00\x00\x01\x00\x00\x66\x6c\x75\x73\x68\x5f\x61\x6c\x6c\x0d\x0a" | nc 192.168.1.92 -u 11211
Response HEX + ASCII:
0000 08 00 27 d9 1b 7c 08 00 27 74 8e 80 08 00 45 00 ..'..|..'t....E.
0010 00 28 3b d7 40 00 40 11 7a 8b c0 a8 01 5c c0 a8 .(;.@.@.z....\..
0020 01 b6 2b cb eb 81 00 14 07 c0 00 00 00 00 00 01 ..+.............
0030 00 00 4f 4b 0d 0a 00 00 00 00 00 00 ..OK........
stats: echo -ne "\x00\x00\x00\x00\x00\x01\x00\x00\x73\x74\x61\x74\x73\x0d\x0a" | nc 192.168.1.92 -u 11211
Response HEX + ASCII:
0000 08 00 27 d9 1b 7c 08 00 27 74 8e 80 08 00 45 00 ..'..|..'t....E.
0010 04 8e 40 43 40 00 40 11 71 b9 c0 a8 01 5c c0 a8 ..@C@.@.q....\..
0020 01 b6 2b cb 8d da 04 7a c9 1a 00 00 00 00 00 01 ..+....z........
0030 00 00 53 54 41 54 20 70 69 64 20 32 37 38 30 0d ..STAT pid 2780.
0040 0a 53 54 41 54 20 75 70 74 69 6d 65 20 37 30 31 .STAT uptime 701
0050 0d 0a 53 54 41 54 20 74 69 6d 65 20 31 35 32 31 ..STAT time 1521
0060 33 38 32 38 30 30 0d 0a 53 54 41 54 20 76 65 72 382800..STAT ver
0070 73 69 6f 6e 20 31 2e 34 2e 32 34 0d 0a 53 54 41 sion 1.4.24..STA
0080 54 20 6c 69 62 65 76 65 6e 74 20 32 2e 31 2e 38 T libevent 2.1.8
0090 2d 73 74 61 62 6c 65 0d 0a 53 54 41 54 20 70 6f -stable..STAT po
00a0 69 6e 74 65 72 5f 73 69 7a 65 20 36 34 0d 0a 53 inter_size 64..S
00b0 54 41 54 20 72 75 73 61 67 65 5f 75 73 65 72 20 TAT rusage_user
00c0 30 2e 30 34 34 30 30 30 0d 0a 53 54 41 54 20 72 0.044000..STAT r
00d0 75 73 61 67 65 5f 73 79 73 74 65 6d 20 30 2e 30 usage_system 0.0
00e0 30 30 30 30 30 0d 0a 53 54 41 54 20 63 75 72 72 00000..STAT curr
00f0 5f 63 6f 6e 6e 65 63 74 69 6f 6e 73 20 39 0d 0a _connections 9..
0100 53 54 41 54 20 74 6f 74 61 6c 5f 63 6f 6e 6e 65 STAT total_conne
0110 63 74 69 6f 6e 73 20 31 30 0d 0a 53 54 41 54 20 ctions 10..STAT
0120 63 6f 6e 6e 65 63 74 69 6f 6e 5f 73 74 72 75 63 connection_struc
0130 74 75 72 65 73 20 31 30 0d 0a 53 54 41 54 20 72 tures 10..STAT r
0140 65 73 65 72 76 65 64 5f 66 64 73 20 32 30 0d 0a eserved_fds 20..
0150 53 54 41 54 20 63 6d 64 5f 67 65 74 20 30 0d 0a STAT cmd_get 0..
0160 53 54 41 54 20 63 6d 64 5f 73 65 74 20 30 0d 0a STAT cmd_set 0..
0170 53 54 41 54 20 63 6d 64 5f 66 6c 75 73 68 20 32 STAT cmd_flush 2
0180 0d 0a 53 54 41 54 20 63 6d 64 5f 74 6f 75 63 68 ..STAT cmd_touch
0190 20 30 0d 0a 53 54 41 54 20 67 65 74 5f 68 69 74 0..STAT get_hit
01a0 73 20 30 0d 0a 53 54 41 54 20 67 65 74 5f 6d 69 s 0..STAT get_mi
01b0 73 73 65 73 20 30 0d 0a 53 54 41 54 20 64 65 6c sses 0..STAT del
01c0 65 74 65 5f 6d 69 73 73 65 73 20 30 0d 0a 53 54 ete_misses 0..ST
01d0 41 54 20 64 65 6c 65 74 65 5f 68 69 74 73 20 30 AT delete_hits 0
01e0 0d 0a 53 54 41 54 20 69 6e 63 72 5f 6d 69 73 73 ..STAT incr_miss
01f0 65 73 20 30 0d 0a 53 54 41 54 20 69 6e 63 72 5f es 0..STAT incr_
0200 68 69 74 73 20 30 0d 0a 53 54 41 54 20 64 65 63 hits 0..STAT dec
0210 72 5f 6d 69 73 73 65 73 20 30 0d 0a 53 54 41 54 r_misses 0..STAT
0220 20 64 65 63 72 5f 68 69 74 73 20 30 0d 0a 53 54 decr_hits 0..ST
0230 41 54 20 63 61 73 5f 6d 69 73 73 65 73 20 30 0d AT cas_misses 0.
0240 0a 53 54 41 54 20 63 61 73 5f 68 69 74 73 20 30 .STAT cas_hits 0
0250 0d 0a 53 54 41 54 20 63 61 73 5f 62 61 64 76 61 ..STAT cas_badva
0260 6c 20 30 0d 0a 53 54 41 54 20 74 6f 75 63 68 5f l 0..STAT touch_
0270 68 69 74 73 20 30 0d 0a 53 54 41 54 20 74 6f 75 hits 0..STAT tou
0280 63 68 5f 6d 69 73 73 65 73 20 30 0d 0a 53 54 41 ch_misses 0..STA
0290 54 20 61 75 74 68 5f 63 6d 64 73 20 30 0d 0a 53 T auth_cmds 0..S
02a0 54 41 54 20 61 75 74 68 5f 65 72 72 6f 72 73 20 TAT auth_errors
02b0 30 0d 0a 53 54 41 54 20 62 79 74 65 73 5f 72 65 0..STAT bytes_re
02c0 61 64 20 32 33 34 0d 0a 53 54 41 54 20 62 79 74 ad 234..STAT byt
02d0 65 73 5f 77 72 69 74 74 65 6e 20 31 32 30 37 0d es_written 1207.
02e0 0a 53 54 41 54 20 6c 69 6d 69 74 5f 6d 61 78 62 .STAT limit_maxb
02f0 79 74 65 73 20 36 37 31 30 38 38 36 34 0d 0a 53 ytes 67108864..S
0300 54 41 54 20 61 63 63 65 70 74 69 6e 67 5f 63 6f TAT accepting_co
0310 6e 6e 73 20 31 0d 0a 53 54 41 54 20 6c 69 73 74 nns 1..STAT list
0320 65 6e 5f 64 69 73 61 62 6c 65 64 5f 6e 75 6d 20 en_disabled_num
0330 30 0d 0a 53 54 41 54 20 74 68 72 65 61 64 73 20 0..STAT threads
0340 34 0d 0a 53 54 41 54 20 63 6f 6e 6e 5f 79 69 65 4..STAT conn_yie
0350 6c 64 73 20 30 0d 0a 53 54 41 54 20 68 61 73 68 lds 0..STAT hash
0360 5f 70 6f 77 65 72 5f 6c 65 76 65 6c 20 31 36 0d _power_level 16.
0370 0a 53 54 41 54 20 68 61 73 68 5f 62 79 74 65 73 .STAT hash_bytes
0380 20 35 32 34 32 38 38 0d 0a 53 54 41 54 20 68 61 524288..STAT ha
0390 73 68 5f 69 73 5f 65 78 70 61 6e 64 69 6e 67 20 sh_is_expanding
03a0 30 0d 0a 53 54 41 54 20 6d 61 6c 6c 6f 63 5f 66 0..STAT malloc_f
03b0 61 69 6c 73 20 30 0d 0a 53 54 41 54 20 62 79 74 ails 0..STAT byt
03c0 65 73 20 30 0d 0a 53 54 41 54 20 63 75 72 72 5f es 0..STAT curr_
03d0 69 74 65 6d 73 20 30 0d 0a 53 54 41 54 20 74 6f items 0..STAT to
03e0 74 61 6c 5f 69 74 65 6d 73 20 30 0d 0a 53 54 41 tal_items 0..STA
03f0 54 20 65 78 70 69 72 65 64 5f 75 6e 66 65 74 63 T expired_unfetc
0400 68 65 64 20 30 0d 0a 53 54 41 54 20 65 76 69 63 hed 0..STAT evic
0410 74 65 64 5f 75 6e 66 65 74 63 68 65 64 20 30 0d ted_unfetched 0.
0420 0a 53 54 41 54 20 65 76 69 63 74 69 6f 6e 73 20 .STAT evictions
0430 30 0d 0a 53 54 41 54 20 72 65 63 6c 61 69 6d 65 0..STAT reclaime
0440 64 20 30 0d 0a 53 54 41 54 20 63 72 61 77 6c 65 d 0..STAT crawle
0450 72 5f 72 65 63 6c 61 69 6d 65 64 20 30 0d 0a 53 r_reclaimed 0..S
0460 54 41 54 20 63 72 61 77 6c 65 72 5f 69 74 65 6d TAT crawler_item
0470 73 5f 63 68 65 63 6b 65 64 20 30 0d 0a 53 54 41 s_checked 0..STA
0480 54 20 6c 72 75 74 61 69 6c 5f 72 65 66 6c 6f 63 T lrutail_refloc
0490 6b 65 64 20 30 0d 0a 45 4e 44 0d 0a ked 0..END..
The packet capture for the 3 message types can be downloaded below if you're interested. Next I wrote a small Python script to listen for any UDP packets incoming on port 11211. It identifies whether the packet is a version, flush_all or stats packet and responds appropriately, based on the same responses I received from the test memcache server I set up.
from scapy.all import IP, UDP, send, sniff


def replyFunction(packet):
    # Ignore anything that is not IPv4/UDP
    if IP not in packet or UDP not in packet:
        return
    # Match on the UDP payload only, not on the whole frame
    payload = bytes(packet[UDP].payload)
    # Reply from port 11211 to the scanner's source address and source port
    reply = IP(dst=packet[IP].src) / UDP(sport=11211, dport=packet[UDP].sport)
    if b'version' in payload:
        # 8-byte UDP frame header followed by "VERSION 1.4.24\r\n"
        send(reply / b'\x00\x00\x00\x00\x00\x01\x00\x00\x56\x45\x52\x53\x49\x4f\x4e\x20\x31\x2e\x34\x2e\x32\x34\x0d\x0a')
    if b'stats' in payload:
        send(reply / statsPayload)
    if b'flush' in payload:
        # 8-byte UDP frame header followed by "OK\r\n"
        send(reply / b'\x00\x00\x00\x00\x00\x01\x00\x00\x4f\x4b\x0d\x0a')


# stats response captured from the 1.4.24 test server. Adjacent bytes literals
# are concatenated, so no stray characters are added at the line breaks.
statsPayload = (
    b'\x00\x00\x00\x00\x00\x01\x00\x00\x53\x54\x41\x54\x20\x70\x69\x64\x20\x32\x37\x38\x30\x0d\x0a\x53\x54\x41\x54\x20'
    b'\x75\x70\x74\x69\x6d\x65\x20\x37\x30\x31\x0d\x0a\x53\x54\x41\x54\x20\x74\x69\x6d\x65\x20\x31\x35\x32\x31\x33\x38\x32'
    b'\x38\x30\x30\x0d\x0a\x53\x54\x41\x54\x20\x76\x65\x72\x73\x69\x6f\x6e\x20\x31\x2e\x34\x2e\x32\x34\x0d\x0a\x53\x54\x41'
    b'\x54\x20\x6c\x69\x62\x65\x76\x65\x6e\x74\x20\x32\x2e\x31\x2e\x38\x2d\x73\x74\x61\x62\x6c\x65\x0d\x0a\x53\x54\x41\x54'
    b'\x20\x70\x6f\x69\x6e\x74\x65\x72\x5f\x73\x69\x7a\x65\x20\x36\x34\x0d\x0a\x53\x54\x41\x54\x20\x72\x75\x73\x61\x67\x65'
    b'\x5f\x75\x73\x65\x72\x20\x30\x2e\x30\x34\x34\x30\x30\x30\x0d\x0a\x53\x54\x41\x54\x20\x72\x75\x73\x61\x67\x65\x5f\x73'
    b'\x79\x73\x74\x65\x6d\x20\x30\x2e\x30\x30\x30\x30\x30\x30\x0d\x0a\x53\x54\x41\x54\x20\x63\x75\x72\x72\x5f\x63\x6f\x6e'
    b'\x6e\x65\x63\x74\x69\x6f\x6e\x73\x20\x39\x0d\x0a\x53\x54\x41\x54\x20\x74\x6f\x74\x61\x6c\x5f\x63\x6f\x6e\x6e\x65\x63'
    b'\x74\x69\x6f\x6e\x73\x20\x31\x30\x0d\x0a\x53\x54\x41\x54\x20\x63\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x5f\x73\x74\x72'
    b'\x75\x63\x74\x75\x72\x65\x73\x20\x31\x30\x0d\x0a\x53\x54\x41\x54\x20\x72\x65\x73\x65\x72\x76\x65\x64\x5f\x66\x64\x73'
    b'\x20\x32\x30\x0d\x0a\x53\x54\x41\x54\x20\x63\x6d\x64\x5f\x67\x65\x74\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x63\x6d\x64'
    b'\x5f\x73\x65\x74\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x63\x6d\x64\x5f\x66\x6c\x75\x73\x68\x20\x32\x0d\x0a\x53\x54\x41'
    b'\x54\x20\x63\x6d\x64\x5f\x74\x6f\x75\x63\x68\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x67\x65\x74\x5f\x68\x69\x74\x73\x20'
    b'\x30\x0d\x0a\x53\x54\x41\x54\x20\x67\x65\x74\x5f\x6d\x69\x73\x73\x65\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x64\x65'
    b'\x6c\x65\x74\x65\x5f\x6d\x69\x73\x73\x65\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x64\x65\x6c\x65\x74\x65\x5f\x68\x69'
    b'\x74\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x69\x6e\x63\x72\x5f\x6d\x69\x73\x73\x65\x73\x20\x30\x0d\x0a\x53\x54\x41'
    b'\x54\x20\x69\x6e\x63\x72\x5f\x68\x69\x74\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x64\x65\x63\x72\x5f\x6d\x69\x73\x73'
    b'\x65\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x64\x65\x63\x72\x5f\x68\x69\x74\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20'
    b'\x63\x61\x73\x5f\x6d\x69\x73\x73\x65\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x63\x61\x73\x5f\x68\x69\x74\x73\x20\x30'
    b'\x0d\x0a\x53\x54\x41\x54\x20\x63\x61\x73\x5f\x62\x61\x64\x76\x61\x6c\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x74\x6f\x75'
    b'\x63\x68\x5f\x68\x69\x74\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x74\x6f\x75\x63\x68\x5f\x6d\x69\x73\x73\x65\x73\x20'
    b'\x30\x0d\x0a\x53\x54\x41\x54\x20\x61\x75\x74\x68\x5f\x63\x6d\x64\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x61\x75\x74'
    b'\x68\x5f\x65\x72\x72\x6f\x72\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x62\x79\x74\x65\x73\x5f\x72\x65\x61\x64\x20\x32'
    b'\x33\x34\x0d\x0a\x53\x54\x41\x54\x20\x62\x79\x74\x65\x73\x5f\x77\x72\x69\x74\x74\x65\x6e\x20\x31\x32\x30\x37\x0d\x0a'
    b'\x53\x54\x41\x54\x20\x6c\x69\x6d\x69\x74\x5f\x6d\x61\x78\x62\x79\x74\x65\x73\x20\x36\x37\x31\x30\x38\x38\x36\x34\x0d'
    b'\x0a\x53\x54\x41\x54\x20\x61\x63\x63\x65\x70\x74\x69\x6e\x67\x5f\x63\x6f\x6e\x6e\x73\x20\x31\x0d\x0a\x53\x54\x41\x54'
    b'\x20\x6c\x69\x73\x74\x65\x6e\x5f\x64\x69\x73\x61\x62\x6c\x65\x64\x5f\x6e\x75\x6d\x20\x30\x0d\x0a\x53\x54\x41\x54\x20'
    b'\x74\x68\x72\x65\x61\x64\x73\x20\x34\x0d\x0a\x53\x54\x41\x54\x20\x63\x6f\x6e\x6e\x5f\x79\x69\x65\x6c\x64\x73\x20\x30'
    b'\x0d\x0a\x53\x54\x41\x54\x20\x68\x61\x73\x68\x5f\x70\x6f\x77\x65\x72\x5f\x6c\x65\x76\x65\x6c\x20\x31\x36\x0d\x0a\x53'
    b'\x54\x41\x54\x20\x68\x61\x73\x68\x5f\x62\x79\x74\x65\x73\x20\x35\x32\x34\x32\x38\x38\x0d\x0a\x53\x54\x41\x54\x20\x68'
    b'\x61\x73\x68\x5f\x69\x73\x5f\x65\x78\x70\x61\x6e\x64\x69\x6e\x67\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x6d\x61\x6c\x6c'
    b'\x6f\x63\x5f\x66\x61\x69\x6c\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x62\x79\x74\x65\x73\x20\x30\x0d\x0a\x53\x54\x41'
    b'\x54\x20\x63\x75\x72\x72\x5f\x69\x74\x65\x6d\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x74\x6f\x74\x61\x6c\x5f\x69\x74'
    b'\x65\x6d\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x65\x78\x70\x69\x72\x65\x64\x5f\x75\x6e\x66\x65\x74\x63\x68\x65\x64'
    b'\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x65\x76\x69\x63\x74\x65\x64\x5f\x75\x6e\x66\x65\x74\x63\x68\x65\x64\x20\x30\x0d'
    b'\x0a\x53\x54\x41\x54\x20\x65\x76\x69\x63\x74\x69\x6f\x6e\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x72\x65\x63\x6c\x61'
    b'\x69\x6d\x65\x64\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x63\x72\x61\x77\x6c\x65\x72\x5f\x72\x65\x63\x6c\x61\x69\x6d\x65'
    b'\x64\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x63\x72\x61\x77\x6c\x65\x72\x5f\x69\x74\x65\x6d\x73\x5f\x63\x68\x65\x63\x6b'
    b'\x65\x64\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x6c\x72\x75\x74\x61\x69\x6c\x5f\x72\x65\x66\x6c\x6f\x63\x6b\x65\x64\x20'
    b'\x30\x0d\x0a\x45\x4e\x44\x0d\x0a'
)

# Sniff continuously. Matching only the destination port keeps the script's
# own replies (sent from source port 11211) out of the handler.
sniff(filter='udp and dst port 11211', prn=replyFunction, store=False)
This script will be left running on the server for a while along with tcpdump. Now that the server responds like a memcache server, I would expect to see some attempts to push data to the fake server in an attempt to perform a DDoS. In the next blog post I will analyse the results from that.