nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

From: Eric Kuhnke <eric.kuhnke () gmail com>
Date: Tue, 27 Feb 2018 13:16:37 -0800
I question whether there is *any* high volume hoster out there that has a
reputation for successfully addressing abuse issues coming from their
customer base, and cuts off services...  By high volume hoster I define it
as companies where anybody with a credit card can buy a $2 to $15/month
VPS/VM in a fully automated process.

OVH just happens to be one of the largest and probably ranks in the top 10
worldwide by number of hypervisors and VPS. I doubt whether any of their
30-40 competitors that are smaller than them do much better, considering
the ratio of clued and attentive staff to VMs.




On Tue, Feb 27, 2018 at 12:47 PM, Ca By <cb.list6 () gmail com> wrote:


Please do take a look at the cloudflare blog specifically as they name and
shame OVH and Digital Ocean for being the primary sources of mega crap
traffic

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-
port-11211/

Also, policer all UDP all the time... UDP is unsafe at any speed.


On Tue, Feb 27, 2018 at 12:28 PM Barry Greene <bgreene () senki org> wrote:


Hello Fellow NANOGer,

If you have not already seen it, experiences it, or read about it,

working

to head off another reflection DOS vector. This time it is memcached on
port 11211 UDP & TCP. There are active exploits using these ports.
Reflection attacks and the memcached is not new. We know how reflection
attacks work (send a spoofed packet to a device and have it reflected

back

(yes please deploy source address validation and BCP 38).

Operators are asked to review their networks and consider updating their
Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP
port 11211 for all ingress and egress traffic. If you do not know about
iACLs or Explorable port filters, you can use this white paper details

and

examples from peers on Exploitable Port Filters:
http://www.senki.org/operators-security-toolkit/

filtering-exploitable-ports-and-minimizing-risk-to-and-
from-your-customers/


Enterprises are also asked to update their iACLs, Exploitable Port
Filters, and Firewalls to track or block UDP/TCP port 11211 for all

ingress

and egress traffic.

Deploying these filters will help protect your network, your

organization,

your customers, and the Internet.

Ping me 1:1 if you have questions.

Sincerely,

--
Barry Raveendran Greene
Security Geek helping with OPSEC Trust
Mobile: +1 408 218 4669
E-mail: bgreene () senki org

----------------------------
Resources on memcached Exploit (to evaluate your risk):

More information about this attack vector can be found at the following:

        • JPCERT – memcached のアクセス制御に関する注意喚起 (JPCERT-AT-2018-0009)
http://www.jpcert.or.jp/at/2018/at180009.html
        • Qrator Labs: The memcached amplification attacks reaching 500
Gbps

https://medium.com/@qratorlabs/the-memcached-

amplification-attack-reaching-500-gbps-b439a7b83c98

        • Arbor Networks: memcached Reflection/Amplification Description
and DDoS Attack Mitigation Recommendations

https://www.arbornetworks.com/blog/asert/memcached-

reflection-amplification-description-ddos-attack-
mitigation-recommendations/

        • Cloudflare: Memcrashed – Major amplification attacks from UDP
port 11211

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-

port-11211/

        • Link11: New High-Volume Vector: Memcached Reflection
Amplification Attacks

https://www.link11.com/en/blog/new-high-volume-vector-

memcached-reflection-amplification-attacks/

        • Blackhat Talk: The New Page of Injections Book: Memcached
Injections by Ivan Novikov

https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-

The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf

        • Memcache Exploit
http://niiconsulting.com/checkmate/2013/05/memcache-exploit/
Previous By Date Next
Previous By Thread Next

Current thread: