_                           _    _____                      _ _           ____  _             
      | |                         ( )  / ____|                    (_) |         |  _ \| |            
      | | __ _ _ __ ___   ___  ___|/  | (___   ___  ___ _   _ _ __ _| |_ _   _  | |_) | | ___   __ _ 
  _   | |/ _` | '_ ` _ \ / _ \/ __|    \___ \ / _ \/ __| | | | '__| | __| | | | |  _ <| |/ _ \ / _` |
 | |__| | (_| | | | | | |  __/\__ \    ____) |  __/ (__| |_| | |  | | |_| |_| | | |_) | | (_) | (_| |
  \____/ \__,_|_| |_| |_|\___||___/   |_____/ \___|\___|\__,_|_|  |_|\__|\__, | |____/|_|\___/ \__, |
                                                                          __/ |                 __/ |
                                                                         |___/                 |___/ 
    Home    Twitter: @Xtrato    Email: james[at]jamesdotcom.com    PGP Key    GitHub: Xtrato    Youtube: Xtratozorz    RSS Feed

18th March 2018 || Memcache Scanner Interactions

On the 5th March 2018 the worlds biggest DDOS attack was reported against a US based service provider. The DDos had a bandwidth of 1.7Tbps and was achieved using mis-configured Memcache servers. Memcached is a Linux daemon which caches data called from databases and allows subsequent database lookups to be pulled from the cache rather than the database. This is used to alleviate database load. Older versions of these servers can be controlled by sending TCP or UDP packets over port 11211 with specified commands. The Memcache daemon by default was bound to port 0.0.0.0 (All IPV4 adapters) and accepted both TCP and UDP data. This is where the problem arose and it meant the control interface for Memcached was publicly facing. The fact that it accepted UDP data also poses a problem. Unlike TCP where you have to perform the 3 way SYN,SYN-ACK,ACK handshake to establish a connection. With UDP this isn't the case and therefore allows attackers to spoof the source IP address of a UDP packet directing it back to the victim. If data was added to the cache and then requested using a spoofed source UDP packet, It would allow a very small UDP requested to reflect a much larger response to the victim. When multiplied over 1000s of vulnerable Memcache servers it allows for a significant DDOS. I decided to start up a server and try and interact with the scanners currently searching for vulnerable Memcache servers.

The first stage of the process is to simply listen on port 11211 to see how scanners are interacting with Memcache servers. I left TCPDUMP running over a couple of days and found four different interactions.

Stats Scanning

The fist type of packet I received was Status scans. This was incoming UDP packets on port 11211 with the stats command in the payload. This causes the server to reply with general-purpose statistics and settings. The hex+ASCII dump can be found below:

0000   08 00 27 74 8e 80 08 00 27 d9 1b 7c 08 00 45 00  ..'t....'..|..E.
0010   00 2b ca 2b 40 00 40 11 ec 33 c0 a8 01 b6 c0 a8  .+.+@.@..3......
0020   01 5c 8d da 2b cb 00 17 84 8b 00 00 00 00 00 01  .\..+...........
0030   00 00 73 74 61 74 73 0d 0a                       ..stats..

Flushing

Another type of packet I received was the flush_all command. This simply invalidates all cached items. This command is being used as a method of stopping memcache servers from performing denial of service. You can find the hex+ASCII dump for this command below.

0000   08 00 27 74 8e 80 08 00 27 d9 1b 7c 08 00 45 00  ..'t....'..|..E.
0010   00 2f ca 25 40 00 40 11 ec 35 c0 a8 01 b6 c0 a8  ./.%@.@..5......
0020   01 5c eb 81 2b cb 00 1b 84 8f 00 00 00 00 00 01  .\..+...........
0030   00 00 66 6c 75 73 68 5f 61 6c 6c 0d 0a           ..flush_all..
Clearing the cache will prevent the server from continuing to send data to the victim. The fact that I received a bunch of flush_all commands means that there are people trying to stop DDOS's by flushing all discovered Memcache servers.

Version Scanning

The third type of packet I received requested the version using the version command. This simply returned the current version number of the Memcache server being queried. The hex+ASCII dump can be found below:

0000   08 00 27 74 8e 80 08 00 27 d9 1b 7c 08 00 45 00  ..'t....'..|..E.
0010   00 2d c5 f5 40 00 40 11 f0 67 c0 a8 01 b6 c0 a8  .-..@.@..g......
0020   01 5c c0 d6 2b cb 00 19 84 8d 00 00 00 00 00 01  .\..+...........
0030   00 00 76 65 72 73 69 6f 6e 0d 0a                 ..version..

Unknown Scan

I'm not quite sure of the purpose of the final type of packet I received. The packet can be downloaded HERE for you to look at. If you know what its for then please contact me using the links at the top of the page and let me know. The hex+ASCII dump can be found below:

0000   06 18 28 56 f0 64 06 df ca 54 fe 66 08 00 45 00  ..(V.d...T.f..E.
0010   00 5d 00 00 40 00 24 11 06 c3 7b f9 23 38 ac 1f  .]..@.$...{.#8..
0020   04 7d 83 ea 2b cb 00 49 ec 53 00 01 00 00 00 01  .}..+..I.S......
0030   00 00 67 65 74 73 20 61 20 62 20 63 20 64 20 65  ..gets a b c d e
0040   20 66 20 67 20 68 20 6a 20 6b 20 6c 20 6d 20 6e   f g h j k l m n
0050   20 6f 20 70 20 71 20 72 20 73 20 74 20 77 20 76   o p q r s t w v
0060   20 75 20 78 20 79 20 61 0d 0a 00                  u x y a...
It looks to be trying to pull data from the cache. But using the alphabet as a key string.

It is evident that with the exception of all but the final mystery packet captured. They are all intended purely to determine weather the server they are scanning is vulnerable to the reflected DDOS. As I only had TCPdump running on port 11211, the scanners were not receiving the reply which indicated that the server was vulnerable. Therefore no more interaction took place. My next step was to write a script to reply to these scans the same way a vulnerable memcache server would.

Forging the replies

The easiest way to forge replies to these scans was to start my own memcache server in a virtual machine. Send the flush_all, stats and version commands to it and see how it responded. Memcache version 1.4.25 disabled UDP connections by default. Im assuming that the purpose of the version scans received was to determine if memcache was below this version and therefore more likly to be vulnerable. I installed version 1.4.24 for my testing. I piped echo through NC using the following three commands for version scan, flush all scan and stats scan respectively:

Version:		echo -ne "\x00\x00\x00\x00\x00\x01\x00\x00\x76\x65\x72\x73\x69\x6f\x6e\x0d\x0a" | nc 192.168.1.92 -u 11211

Response HEX + ASCII:		

0000   08 00 27 d9 1b 7c 08 00 27 74 8e 80 08 00 45 00  ..'..|..'t....E.
0010   00 34 39 33 40 00 40 11 7d 23 c0 a8 01 5c c0 a8  .493@.@.}#...\..
0020   01 b6 2b cb c0 d6 00 20 aa 05 00 00 00 00 00 01  ..+.... ........
0030   00 00 56 45 52 53 49 4f 4e 20 31 2e 34 2e 32 34  ..VERSION 1.4.24
0040   0d 0a                                            ..
Flush_all:		echo -ne "\x00\x00\x00\x00\x00\x01\x00\x00\x66\x6c\x75\x73\x68\x5f\x61\x6c\x6c\x0d\x0a" | nc 192.168.1.92 -u 11211
Response HEX + ASCII:		

0000   08 00 27 d9 1b 7c 08 00 27 74 8e 80 08 00 45 00  ..'..|..'t....E.
0010   00 28 3b d7 40 00 40 11 7a 8b c0 a8 01 5c c0 a8  .(;.@.@.z....\..
0020   01 b6 2b cb eb 81 00 14 07 c0 00 00 00 00 00 01  ..+.............
0030   00 00 4f 4b 0d 0a 00 00 00 00 00 00              ..OK........
stats: 			echo -ne "\x00\x00\x00\x00\x00\x01\x00\x00\x73\x74\x61\x74\x73\x0d\x0a" | nc 192.168.1.92 -u 11211
Response HEX + ASCII:		

0000   08 00 27 d9 1b 7c 08 00 27 74 8e 80 08 00 45 00  ..'..|..'t....E.
0010   04 8e 40 43 40 00 40 11 71 b9 c0 a8 01 5c c0 a8  ..@C@.@.q....\..
0020   01 b6 2b cb 8d da 04 7a c9 1a 00 00 00 00 00 01  ..+....z........
0030   00 00 53 54 41 54 20 70 69 64 20 32 37 38 30 0d  ..STAT pid 2780.
0040   0a 53 54 41 54 20 75 70 74 69 6d 65 20 37 30 31  .STAT uptime 701
0050   0d 0a 53 54 41 54 20 74 69 6d 65 20 31 35 32 31  ..STAT time 1521
0060   33 38 32 38 30 30 0d 0a 53 54 41 54 20 76 65 72  382800..STAT ver
0070   73 69 6f 6e 20 31 2e 34 2e 32 34 0d 0a 53 54 41  sion 1.4.24..STA
0080   54 20 6c 69 62 65 76 65 6e 74 20 32 2e 31 2e 38  T libevent 2.1.8
0090   2d 73 74 61 62 6c 65 0d 0a 53 54 41 54 20 70 6f  -stable..STAT po
00a0   69 6e 74 65 72 5f 73 69 7a 65 20 36 34 0d 0a 53  inter_size 64..S
00b0   54 41 54 20 72 75 73 61 67 65 5f 75 73 65 72 20  TAT rusage_user 
00c0   30 2e 30 34 34 30 30 30 0d 0a 53 54 41 54 20 72  0.044000..STAT r
00d0   75 73 61 67 65 5f 73 79 73 74 65 6d 20 30 2e 30  usage_system 0.0
00e0   30 30 30 30 30 0d 0a 53 54 41 54 20 63 75 72 72  00000..STAT curr
00f0   5f 63 6f 6e 6e 65 63 74 69 6f 6e 73 20 39 0d 0a  _connections 9..
0100   53 54 41 54 20 74 6f 74 61 6c 5f 63 6f 6e 6e 65  STAT total_conne
0110   63 74 69 6f 6e 73 20 31 30 0d 0a 53 54 41 54 20  ctions 10..STAT 
0120   63 6f 6e 6e 65 63 74 69 6f 6e 5f 73 74 72 75 63  connection_struc
0130   74 75 72 65 73 20 31 30 0d 0a 53 54 41 54 20 72  tures 10..STAT r
0140   65 73 65 72 76 65 64 5f 66 64 73 20 32 30 0d 0a  eserved_fds 20..
0150   53 54 41 54 20 63 6d 64 5f 67 65 74 20 30 0d 0a  STAT cmd_get 0..
0160   53 54 41 54 20 63 6d 64 5f 73 65 74 20 30 0d 0a  STAT cmd_set 0..
0170   53 54 41 54 20 63 6d 64 5f 66 6c 75 73 68 20 32  STAT cmd_flush 2
0180   0d 0a 53 54 41 54 20 63 6d 64 5f 74 6f 75 63 68  ..STAT cmd_touch
0190   20 30 0d 0a 53 54 41 54 20 67 65 74 5f 68 69 74   0..STAT get_hit
01a0   73 20 30 0d 0a 53 54 41 54 20 67 65 74 5f 6d 69  s 0..STAT get_mi
01b0   73 73 65 73 20 30 0d 0a 53 54 41 54 20 64 65 6c  sses 0..STAT del
01c0   65 74 65 5f 6d 69 73 73 65 73 20 30 0d 0a 53 54  ete_misses 0..ST
01d0   41 54 20 64 65 6c 65 74 65 5f 68 69 74 73 20 30  AT delete_hits 0
01e0   0d 0a 53 54 41 54 20 69 6e 63 72 5f 6d 69 73 73  ..STAT incr_miss
01f0   65 73 20 30 0d 0a 53 54 41 54 20 69 6e 63 72 5f  es 0..STAT incr_
0200   68 69 74 73 20 30 0d 0a 53 54 41 54 20 64 65 63  hits 0..STAT dec
0210   72 5f 6d 69 73 73 65 73 20 30 0d 0a 53 54 41 54  r_misses 0..STAT
0220   20 64 65 63 72 5f 68 69 74 73 20 30 0d 0a 53 54   decr_hits 0..ST
0230   41 54 20 63 61 73 5f 6d 69 73 73 65 73 20 30 0d  AT cas_misses 0.
0240   0a 53 54 41 54 20 63 61 73 5f 68 69 74 73 20 30  .STAT cas_hits 0
0250   0d 0a 53 54 41 54 20 63 61 73 5f 62 61 64 76 61  ..STAT cas_badva
0260   6c 20 30 0d 0a 53 54 41 54 20 74 6f 75 63 68 5f  l 0..STAT touch_
0270   68 69 74 73 20 30 0d 0a 53 54 41 54 20 74 6f 75  hits 0..STAT tou
0280   63 68 5f 6d 69 73 73 65 73 20 30 0d 0a 53 54 41  ch_misses 0..STA
0290   54 20 61 75 74 68 5f 63 6d 64 73 20 30 0d 0a 53  T auth_cmds 0..S
02a0   54 41 54 20 61 75 74 68 5f 65 72 72 6f 72 73 20  TAT auth_errors 
02b0   30 0d 0a 53 54 41 54 20 62 79 74 65 73 5f 72 65  0..STAT bytes_re
02c0   61 64 20 32 33 34 0d 0a 53 54 41 54 20 62 79 74  ad 234..STAT byt
02d0   65 73 5f 77 72 69 74 74 65 6e 20 31 32 30 37 0d  es_written 1207.
02e0   0a 53 54 41 54 20 6c 69 6d 69 74 5f 6d 61 78 62  .STAT limit_maxb
02f0   79 74 65 73 20 36 37 31 30 38 38 36 34 0d 0a 53  ytes 67108864..S
0300   54 41 54 20 61 63 63 65 70 74 69 6e 67 5f 63 6f  TAT accepting_co
0310   6e 6e 73 20 31 0d 0a 53 54 41 54 20 6c 69 73 74  nns 1..STAT list
0320   65 6e 5f 64 69 73 61 62 6c 65 64 5f 6e 75 6d 20  en_disabled_num 
0330   30 0d 0a 53 54 41 54 20 74 68 72 65 61 64 73 20  0..STAT threads 
0340   34 0d 0a 53 54 41 54 20 63 6f 6e 6e 5f 79 69 65  4..STAT conn_yie
0350   6c 64 73 20 30 0d 0a 53 54 41 54 20 68 61 73 68  lds 0..STAT hash
0360   5f 70 6f 77 65 72 5f 6c 65 76 65 6c 20 31 36 0d  _power_level 16.
0370   0a 53 54 41 54 20 68 61 73 68 5f 62 79 74 65 73  .STAT hash_bytes
0380   20 35 32 34 32 38 38 0d 0a 53 54 41 54 20 68 61   524288..STAT ha
0390   73 68 5f 69 73 5f 65 78 70 61 6e 64 69 6e 67 20  sh_is_expanding 
03a0   30 0d 0a 53 54 41 54 20 6d 61 6c 6c 6f 63 5f 66  0..STAT malloc_f
03b0   61 69 6c 73 20 30 0d 0a 53 54 41 54 20 62 79 74  ails 0..STAT byt
03c0   65 73 20 30 0d 0a 53 54 41 54 20 63 75 72 72 5f  es 0..STAT curr_
03d0   69 74 65 6d 73 20 30 0d 0a 53 54 41 54 20 74 6f  items 0..STAT to
03e0   74 61 6c 5f 69 74 65 6d 73 20 30 0d 0a 53 54 41  tal_items 0..STA
03f0   54 20 65 78 70 69 72 65 64 5f 75 6e 66 65 74 63  T expired_unfetc
0400   68 65 64 20 30 0d 0a 53 54 41 54 20 65 76 69 63  hed 0..STAT evic
0410   74 65 64 5f 75 6e 66 65 74 63 68 65 64 20 30 0d  ted_unfetched 0.
0420   0a 53 54 41 54 20 65 76 69 63 74 69 6f 6e 73 20  .STAT evictions 
0430   30 0d 0a 53 54 41 54 20 72 65 63 6c 61 69 6d 65  0..STAT reclaime
0440   64 20 30 0d 0a 53 54 41 54 20 63 72 61 77 6c 65  d 0..STAT crawle
0450   72 5f 72 65 63 6c 61 69 6d 65 64 20 30 0d 0a 53  r_reclaimed 0..S
0460   54 41 54 20 63 72 61 77 6c 65 72 5f 69 74 65 6d  TAT crawler_item
0470   73 5f 63 68 65 63 6b 65 64 20 30 0d 0a 53 54 41  s_checked 0..STA
0480   54 20 6c 72 75 74 61 69 6c 5f 72 65 66 6c 6f 63  T lrutail_refloc
0490   6b 65 64 20 30 0d 0a 45 4e 44 0d 0a              ked 0..END..

The packet capture for the 3 message types can be downloaded HERE If your interested. I next I wrote a small python script to listen for any UDP packets incoming on port 11211. It then identified if the packet was a version, flush_all or stats packet and responded appropriately base on the same responses I received from the test memcache server I setup.

from scapy.all import *
def replyFunction(packet):
    if 'version' in str(packet):
        send(IP(dst=packet[0][1].src) / UDP(sport=11211, dport=packet.sport) / '\x00\x00\x00\x00\x00\x01\x00\x00\x56\x45\x52\x53\x49\x4f\x4e\x20\x31\x2e\x34\x2e\x32\x34\x0d\x0a')
    if 'stats' in str(packet):
        send(IP(dst=packet[0][1].src) / UDP(sport=11211, dport=packet.sport) / statsPayload)
    if 'flush' in str(packet):
        send(IP(dst=packet[0][1].src) / UDP(sport=11211, dport=packet.sport) / '\x00\x00\x00\x00\x00\x01\x00\x00\x4f\x4b\x0d\x0a')

statsPayload = '\x00\x00\x00\x00\x00\x01\x00\x00\x53\x54\x41\x54\x20\x70\x69\x64\x20\x32\x37\x38\x30\x0d\x0a\x53\x54\x41\x54\x20 \
\x75\x70\x74\x69\x6d\x65\x20\x37\x30\x31\x0d\x0a\x53\x54\x41\x54\x20\x74\x69\x6d\x65\x20\x31\x35\x32\x31\x33\x38\x32 \
\x38\x30\x30\x0d\x0a\x53\x54\x41\x54\x20\x76\x65\x72\x73\x69\x6f\x6e\x20\x31\x2e\x34\x2e\x32\x34\x0d\x0a\x53\x54\x41 \
\x54\x20\x6c\x69\x62\x65\x76\x65\x6e\x74\x20\x32\x2e\x31\x2e\x38\x2d\x73\x74\x61\x62\x6c\x65\x0d\x0a\x53\x54\x41\x54 \
\x20\x70\x6f\x69\x6e\x74\x65\x72\x5f\x73\x69\x7a\x65\x20\x36\x34\x0d\x0a\x53\x54\x41\x54\x20\x72\x75\x73\x61\x67\x65 \
\x5f\x75\x73\x65\x72\x20\x30\x2e\x30\x34\x34\x30\x30\x30\x0d\x0a\x53\x54\x41\x54\x20\x72\x75\x73\x61\x67\x65\x5f\x73 \
\x79\x73\x74\x65\x6d\x20\x30\x2e\x30\x30\x30\x30\x30\x30\x0d\x0a\x53\x54\x41\x54\x20\x63\x75\x72\x72\x5f\x63\x6f\x6e \
\x6e\x65\x63\x74\x69\x6f\x6e\x73\x20\x39\x0d\x0a\x53\x54\x41\x54\x20\x74\x6f\x74\x61\x6c\x5f\x63\x6f\x6e\x6e\x65\x63 \
\x74\x69\x6f\x6e\x73\x20\x31\x30\x0d\x0a\x53\x54\x41\x54\x20\x63\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x5f\x73\x74\x72 \
\x75\x63\x74\x75\x72\x65\x73\x20\x31\x30\x0d\x0a\x53\x54\x41\x54\x20\x72\x65\x73\x65\x72\x76\x65\x64\x5f\x66\x64\x73 \
\x20\x32\x30\x0d\x0a\x53\x54\x41\x54\x20\x63\x6d\x64\x5f\x67\x65\x74\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x63\x6d\x64 \
\x5f\x73\x65\x74\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x63\x6d\x64\x5f\x66\x6c\x75\x73\x68\x20\x32\x0d\x0a\x53\x54\x41 \
\x54\x20\x63\x6d\x64\x5f\x74\x6f\x75\x63\x68\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x67\x65\x74\x5f\x68\x69\x74\x73\x20 \
\x30\x0d\x0a\x53\x54\x41\x54\x20\x67\x65\x74\x5f\x6d\x69\x73\x73\x65\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x64\x65 \
\x6c\x65\x74\x65\x5f\x6d\x69\x73\x73\x65\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x64\x65\x6c\x65\x74\x65\x5f\x68\x69 \
\x74\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x69\x6e\x63\x72\x5f\x6d\x69\x73\x73\x65\x73\x20\x30\x0d\x0a\x53\x54\x41 \
\x54\x20\x69\x6e\x63\x72\x5f\x68\x69\x74\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x64\x65\x63\x72\x5f\x6d\x69\x73\x73 \
\x65\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x64\x65\x63\x72\x5f\x68\x69\x74\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20 \
\x63\x61\x73\x5f\x6d\x69\x73\x73\x65\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x63\x61\x73\x5f\x68\x69\x74\x73\x20\x30 \
\x0d\x0a\x53\x54\x41\x54\x20\x63\x61\x73\x5f\x62\x61\x64\x76\x61\x6c\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x74\x6f\x75 \
\x63\x68\x5f\x68\x69\x74\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x74\x6f\x75\x63\x68\x5f\x6d\x69\x73\x73\x65\x73\x20 \
\x30\x0d\x0a\x53\x54\x41\x54\x20\x61\x75\x74\x68\x5f\x63\x6d\x64\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x61\x75\x74 \
\x68\x5f\x65\x72\x72\x6f\x72\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x62\x79\x74\x65\x73\x5f\x72\x65\x61\x64\x20\x32 \
\x33\x34\x0d\x0a\x53\x54\x41\x54\x20\x62\x79\x74\x65\x73\x5f\x77\x72\x69\x74\x74\x65\x6e\x20\x31\x32\x30\x37\x0d\x0a \
\x53\x54\x41\x54\x20\x6c\x69\x6d\x69\x74\x5f\x6d\x61\x78\x62\x79\x74\x65\x73\x20\x36\x37\x31\x30\x38\x38\x36\x34\x0d \
\x0a\x53\x54\x41\x54\x20\x61\x63\x63\x65\x70\x74\x69\x6e\x67\x5f\x63\x6f\x6e\x6e\x73\x20\x31\x0d\x0a\x53\x54\x41\x54 \
\x20\x6c\x69\x73\x74\x65\x6e\x5f\x64\x69\x73\x61\x62\x6c\x65\x64\x5f\x6e\x75\x6d\x20\x30\x0d\x0a\x53\x54\x41\x54\x20 \
\x74\x68\x72\x65\x61\x64\x73\x20\x34\x0d\x0a\x53\x54\x41\x54\x20\x63\x6f\x6e\x6e\x5f\x79\x69\x65\x6c\x64\x73\x20\x30 \
\x0d\x0a\x53\x54\x41\x54\x20\x68\x61\x73\x68\x5f\x70\x6f\x77\x65\x72\x5f\x6c\x65\x76\x65\x6c\x20\x31\x36\x0d\x0a\x53 \
\x54\x41\x54\x20\x68\x61\x73\x68\x5f\x62\x79\x74\x65\x73\x20\x35\x32\x34\x32\x38\x38\x0d\x0a\x53\x54\x41\x54\x20\x68 \
\x61\x73\x68\x5f\x69\x73\x5f\x65\x78\x70\x61\x6e\x64\x69\x6e\x67\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x6d\x61\x6c\x6c \
\x6f\x63\x5f\x66\x61\x69\x6c\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x62\x79\x74\x65\x73\x20\x30\x0d\x0a\x53\x54\x41 \
\x54\x20\x63\x75\x72\x72\x5f\x69\x74\x65\x6d\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x74\x6f\x74\x61\x6c\x5f\x69\x74 \
\x65\x6d\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x65\x78\x70\x69\x72\x65\x64\x5f\x75\x6e\x66\x65\x74\x63\x68\x65\x64 \
\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x65\x76\x69\x63\x74\x65\x64\x5f\x75\x6e\x66\x65\x74\x63\x68\x65\x64\x20\x30\x0d \
\x0a\x53\x54\x41\x54\x20\x65\x76\x69\x63\x74\x69\x6f\x6e\x73\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x72\x65\x63\x6c\x61 \
\x69\x6d\x65\x64\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x63\x72\x61\x77\x6c\x65\x72\x5f\x72\x65\x63\x6c\x61\x69\x6d\x65 \
\x64\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x63\x72\x61\x77\x6c\x65\x72\x5f\x69\x74\x65\x6d\x73\x5f\x63\x68\x65\x63\x6b \
\x65\x64\x20\x30\x0d\x0a\x53\x54\x41\x54\x20\x6c\x72\x75\x74\x61\x69\x6c\x5f\x72\x65\x66\x6c\x6f\x63\x6b\x65\x64\x20 \
\x30\x0d\x0a\x45\x4e\x44\x0d\x0a'
		
while True:
	memCachePacket = sniff(filter='udp and port 11211', count=1, prn=replyFunction)

this script will be left running on the server for a while along with TCPDump. Now the server responds like a memcache server it would expect to see some attempts to push data to the fake server in attempt to perform a DDOS. In the next blog post I will analyse the results from that.