nanog mailing list archives

Re: Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks


From: Ca By <cb.list6 () gmail com>
Date: Wed, 28 Feb 2018 00:41:43 +0000

On Tue, Feb 27, 2018 at 4:29 PM Filip Hruska <fhr () fhrnet eu> wrote:

This is just stupid.

OVH is one of the largest server providers in the world - of course they
will be at the top of that list.
What exactly should they do, according to you?


They should have rough norms enforced on their traffic behavior,
especially around UDP. If they do 1tbs of UDP, they should police to 3tbs
or something similar.

Why should people de-peer them?


Abuse.  But abuse happens, failure to fix chronic is a reason to depeer...
not one off. Personally, I do not peer with OVH because I need my upstream
to RTBH their traffic.



Regards,
Filip Hruska

On 28 Feb 2018 at 1:13 am, <Dan Hollis <goemon () sasami anime net>> wrote:

OVH does not surprise me in the least.

Maybe this is finally what it will take to get people to de-peer them.

-Dan

On Tue, 27 Feb 2018, Ca By wrote:

Please do take a look at the cloudflare blog specifically as they name and
shame OVH and Digital Ocean for being the primary sources of mega crap
traffic

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

Also, police all UDP all the time... UDP is unsafe at any speed.


On Tue, Feb 27, 2018 at 12:28 PM Barry Greene wrote:

Hello Fellow NANOGer,

If you have not already seen it, experienced it, or read about it, working
to head off another reflection DOS vector. This time it is memcached on
port 11211 UDP & TCP. There are active exploits using these ports.
Reflection attacks and the memcached are not new. We know how reflection
attacks work (send a spoofed packet to a device and have it reflected back)
(yes, please deploy source address validation and BCP 38).

Operators are asked to review their networks and consider updating their
Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP
port 11211 for all ingress and egress traffic. If you do not know about
iACLs or Exploitable Port Filters, you can use this white paper's details and
examples from peers on Exploitable Port Filters:
http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/


Enterprises are also asked to update their iACLs, Exploitable Port
Filters, and Firewalls to track or block UDP/TCP port 11211 for all ingress
and egress traffic.

Deploying these filters will help protect your network, your organization,
your customers, and the Internet.

Ping me 1:1 if you have questions.

Sincerely,

--
Barry Raveendran Greene
Security Geek helping with OPSEC Trust
Mobile: +1 408 218 4669
E-mail: bgreene () senki org

----------------------------
Resources on memcached Exploit (to evaluate your risk):

More information about this attack vector can be found at the following:

        • JPCERT – Alert regarding access control for memcached (JPCERT-AT-2018-0009)
          http://www.jpcert.or.jp/at/2018/at180009.html
        • Qrator Labs: The memcached amplification attacks reaching 500 Gbps
          https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98
        • Arbor Networks: memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations
          https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/
        • Cloudflare: Memcrashed – Major amplification attacks from UDP port 11211
          https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
        • Link11: New High-Volume Vector: Memcached Reflection Amplification Attacks
          https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/
        • Blackhat Talk: The New Page of Injections Book: Memcached Injections by Ivan Novikov
          https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf
        • Memcache Exploit
          http://niiconsulting.com/checkmate/2013/05/memcache-exploit/
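
Added example, not part of the original thread or any poster's code: one way to "track" port 11211 at the edge, as the advisory above asks, by labelling flow records and measuring how much a reachable memcached host sends per byte it receives over UDP. The flow-record layout, the 192.0.2.0/24 internal prefix, the label names and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

MEMCACHED_PORT = 11211
# Assumption: documentation prefix standing in for your own address space.
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample flow records: proto src sport dst dport bytes
SAMPLE_FLOWS = """\
udp 198.51.100.7 40000 192.0.2.10 11211 15
udp 192.0.2.10 11211 198.51.100.7 40000 750000
tcp 203.0.113.5 51000 192.0.2.20 11211 300
udp 203.0.113.9 11211 192.0.2.30 53124 1400000
udp 192.0.2.40 5353 192.0.2.41 11211 120
tcp 192.0.2.50 44321 198.51.100.80 443 5000
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def classify(proto, src, sport, dst, dport):
    """Label one flow crossing the network edge; None means not of interest."""
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in == dst_in:
        return None                      # internal-only or pure transit
    if dport == MEMCACHED_PORT and dst_in:
        return "exposed-service"         # outside host reached our memcached
    if proto == "udp" and sport == MEMCACHED_PORT:
        # UDP replies from port 11211: leaving us, or arriving at us
        return "reflector-egress" if src_in else "reflected-ingress"
    if dport == MEMCACHED_PORT:
        return "egress-request"          # our host querying a remote memcached
    return None

def analyze(text):
    """Return (findings, per-host UDP bytes-out / bytes-in ratio)."""
    findings, req, rsp = [], defaultdict(int), defaultdict(int)
    for line in text.splitlines():
        proto, src, sport, dst, dport, nbytes = line.split()
        sport, dport, nbytes = int(sport), int(dport), int(nbytes)
        label = classify(proto, src, sport, dst, dport)
        if label:
            findings.append((label, src, dst))
        if label == "exposed-service" and proto == "udp":
            req[dst] += nbytes
        elif label == "reflector-egress":
            rsp[src] += nbytes
    ratios = {h: rsp[h] / req[h] for h in rsp if req[h]}
    return findings, ratios
```

A host that appears in the ratio output with a large value is answering outside UDP requests on 11211 and is a candidate for the ingress and egress filters described above.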






