nanog mailing list archives

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

From: Grzegorz Janoszka <Grzegorz () Janoszka pl>
Date: Wed, 28 Feb 2018 21:23:20 +0100

On 2018-02-28 13:42, Denys Fedoryshchenko wrote:

I want to add one software vendor, who is major contributor to ddosattacks.Mikrotik till now shipping their quite popular routers, with wide openDNS recursor,that don't have even mechanism for ACL in it. Significant part of DNSamplification attacks
are such Mikrotik recursors.
They don't care till now.

I have mixed experiences with Mikrotik, but I don't think they would dosuch a stupid thing. A friend of my has three offices and each one hasmikrotik to form tunnels and one domain for all the company.

He is not too IP savvy, so he copy-pasted the VPN config from internetand left the rest as it was. His routers are not open DNS resolvers.


When I asked them I got no reply and their logs showed:

_drop input: in:ether1 out:(unknown 0), src-mac 00:AB:CD:81:c2:71, protoUDP, AAA.47.138.134:9082->BBB.146.251.103:53, len 51

His settings showed the DNS server ON with all the queries for the localnetwork and he actually had a toggle "allow remote queries" on, but hisrouters were not open resolvers.


--
Grzegorz Janoszka

Current thread:

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks, (continued)
- - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Chip Marshall (Feb 27)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Ca By (Feb 27)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Roland Dobbins (Feb 27)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Justin Paine via NANOG (Feb 27)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Job Snijders (Feb 28)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Ca By (Feb 28)
  - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Dan Hollis (Feb 27)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Rich Kulawiec (Feb 28)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Job Snijders (Feb 28)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Denys Fedoryshchenko (Feb 28)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Grzegorz Janoszka (Feb 28)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Mike Hammett (Feb 28)
  - Re: Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Filip Hruska (Feb 27)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Steve Atkins (Feb 27)
    - Re: Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Ca By (Feb 27)
    - Re: Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Dan Hollis (Feb 27)
    - Re: Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Rich Kulawiec (Feb 28)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Jean | ddostest.me via NANOG (Feb 28)
- Re: Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Brian Kantor (Feb 28)