Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

[Ca By <cb.list6 () gmail com>]

Please do take a look at the cloudflare blog specifically as they name and
shame OVH and Digital Ocean for being the primary sources of mega crap
traffic

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

Also, policer all UDP all the time... UDP is unsafe at any speed.


On Tue, Feb 27, 2018 at 12:28 PM Barry Greene <bgreene () senki org> wrote:

> Hello Fellow NANOGer,
>
> If you have not already seen it, experiences it, or read about it, working
> to head off another reflection DOS vector. This time it is memcached on
> port 11211 UDP & TCP. There are active exploits using these ports.
> Reflection attacks and the memcached is not new. We know how reflection
> attacks work (send a spoofed packet to a device and have it reflected  back
> (yes please deploy source address validation and BCP 38).
>
> Operators are asked to review their networks and consider updating their
> Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP
> port 11211 for all ingress and egress traffic. If you do not know about
> iACLs or Explorable port filters, you can use this white paper details and
> examples from peers on Exploitable Port Filters:
> http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/
>
> Enterprises are also asked to update their iACLs, Exploitable Port
> Filters, and Firewalls to track or block UDP/TCP port 11211 for all ingress
> and egress traffic.
>
> Deploying these filters will help protect your network, your organization,
> your customers, and the Internet.
>
> Ping me 1:1 if you have questions.
>
> Sincerely,
>
> --
> Barry Raveendran Greene
> Security Geek helping with OPSEC Trust
> Mobile: +1 408 218 4669
> E-mail: bgreene () senki org
>
> ----------------------------
> Resources on memcached Exploit (to evaluate your risk):
>
> More information about this attack vector can be found at the following:
>
>         • JPCERT – memcached のアクセス制御に関する注意喚起 (JPCERT-AT-2018-0009)
> http://www.jpcert.or.jp/at/2018/at180009.html
>         • Qrator Labs: The memcached amplification attacks reaching 500
> Gbps
>
> https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98
>         • Arbor Networks: memcached Reflection/Amplification Description
> and DDoS Attack Mitigation Recommendations
>
> https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/
>         • Cloudflare: Memcrashed – Major amplification attacks from UDP
> port 11211
>
> https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
>         • Link11: New High-Volume Vector: Memcached Reflection
> Amplification Attacks
>
> https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/
>         • Blackhat Talk: The New Page of Injections Book: Memcached
> Injections by Ivan Novikov
>
> https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf
>         • Memcache Exploit
> http://niiconsulting.com/checkmate/2013/05/memcache-exploit/