nanog mailing list archives

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks


From: Ca By <cb.list6 () gmail com>
Date: Thu, 01 Mar 2018 02:12:13 +0000

On Wed, Feb 28, 2018 at 5:54 PM Job Snijders <job () ntt net> wrote:

> On Tue, Feb 27, 2018 at 09:52:54PM +0000, Chip Marshall wrote:
> > On 2018-02-27, Ca By <cb.list6 () gmail com> sent:
> > > Please do take a look at the cloudflare blog specifically as they
> > > name and shame OVH and Digital Ocean for being the primary sources
> > > of mega crap traffic
> > >
> > > https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
> > >
> > > Also, policer all UDP all the time... UDP is unsafe at any speed.
> >
> > Hi, DigitalOcean here. We've taken steps to mitigate this attack on
> > our network.
>
> NTT too has deployed rate limiters on all external facing interfaces on
> the GIN backbone - for UDP/11211 traffic - to dampen the negative impact
> of open memcached instances on peers and customers.
>
> The toxic combination of 'one spoofed packet can yield multiple response
> packets' and 'one small packet can yield a very big response' makes the
> memcached UDP protocol a fine example of double trouble with potential
> for severe operational impact.
>
> Kind regards,
>
> Job


Thanks Job. NTT is a very good internet steward, making common sense calls
.... not just sling bits by the kilo for $
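Job's note above names the two properties that make UDP/11211 a reflector: one spoofed request yields many reply packets, and a tiny request yields a very large reply. The script below is an added example, not code from this thread or from NTT, DigitalOcean or Cloudflare. It scores flow records by both ratios so an operator deploying the kind of UDP/11211 rate limiter Job describes can see which of their own memcached hosts are being used to reflect traffic at a third party. The flow-record format, the local prefix and every address and byte count are constructed for the example.

```python
"""
Flag memcached (UDP/11211) reflection in flow records.

Added example (not from the NANOG thread or any poster in it). It assumes
flow records as comma-separated lines, one unidirectional flow per line:
    src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
and a 'local' prefix that contains the memcached servers we operate.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MEMCACHED_PORT = 11211

# Constructed sample (not real traffic): 203.0.113.10 is a local memcached
# server. A few tiny UDP requests carrying the address 198.51.100.7 draw
# huge multi-packet replies towards that host (the spoofed victim). A local
# client, 203.0.113.25, talks to the same server normally over UDP and TCP.
SAMPLE_FLOWS = """\
198.51.100.7,40001,203.0.113.10,11211,udp,3,180
203.0.113.10,11211,198.51.100.7,40001,udp,2100,3010000
198.51.100.7,40002,203.0.113.10,11211,udp,2,120
203.0.113.10,11211,198.51.100.7,40002,udp,1400,2000000
203.0.113.25,52000,203.0.113.10,11211,udp,10,600
203.0.113.10,11211,203.0.113.25,52000,udp,10,1500
203.0.113.25,51000,203.0.113.10,11211,tcp,40,2600
203.0.113.10,11211,203.0.113.25,51000,tcp,38,4100
"""


def parse_flows(text):
    """Turn the CSV-like text into a list of flow dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 7:
            continue
        src, sport, dst, dport, proto, pkts, nbytes = parts
        flows.append({
            "src": ip_address(src), "sport": int(sport),
            "dst": ip_address(dst), "dport": int(dport),
            "proto": proto.lower(), "pkts": int(pkts), "bytes": int(nbytes),
        })
    return flows


def find_reflection(flows, local_prefix, min_byte_ratio=10.0, min_pkt_ratio=2.0):
    """
    Aggregate UDP memcached traffic per (local server, remote peer) and return
    the pairs whose replies out-amplify the requests that came in.

    A spoofed request arrives *from* the victim's address, so from the
    server's side the inbound half is tiny and the outbound half is large.
    Both the byte ratio ('small packet, big response') and the packet ratio
    ('one packet, many responses') are reported, since either alone can hide
    the other.
    """
    local = ip_network(local_prefix)
    stats = defaultdict(lambda: {"req_pkts": 0, "req_bytes": 0,
                                 "rsp_pkts": 0, "rsp_bytes": 0})
    for f in flows:
        if f["proto"] != "udp":
            continue  # the reflection problem is UDP-only; TCP needs a handshake
        if f["dport"] == MEMCACHED_PORT and f["dst"] in local:
            s = stats[(f["dst"], f["src"])]      # request into our server
            s["req_pkts"] += f["pkts"]
            s["req_bytes"] += f["bytes"]
        elif f["sport"] == MEMCACHED_PORT and f["src"] in local:
            s = stats[(f["src"], f["dst"])]      # reply out of our server
            s["rsp_pkts"] += f["pkts"]
            s["rsp_bytes"] += f["bytes"]

    findings = []
    for (server, peer), s in stats.items():
        if s["rsp_bytes"] == 0:
            continue
        byte_ratio = s["rsp_bytes"] / max(s["req_bytes"], 1)
        pkt_ratio = s["rsp_pkts"] / max(s["req_pkts"], 1)
        if byte_ratio >= min_byte_ratio and pkt_ratio >= min_pkt_ratio:
            findings.append({"server": str(server), "victim": str(peer),
                             "byte_ratio": round(byte_ratio, 1),
                             "pkt_ratio": round(pkt_ratio, 1),
                             "rsp_bytes": s["rsp_bytes"]})
    findings.sort(key=lambda h: h["rsp_bytes"], reverse=True)
    return findings


if __name__ == "__main__":
    for hit in find_reflection(parse_flows(SAMPLE_FLOWS), "203.0.113.0/24"):
        print(f"{hit['server']} -> {hit['victim']}: {hit['byte_ratio']}x bytes, "
              f"{hit['pkt_ratio']}x packets, {hit['rsp_bytes']} B sent")
```

On the constructed sample the local client's UDP exchange (2.5x bytes, 1.0x packets) stays below both thresholds, while the traffic towards 198.51.100.7 is flagged at 16700x bytes and 700x packets. The thresholds are deliberately low defaults; real exports should be tuned against a baseline of legitimate UDP memcached use, and a host that shows up here is a candidate for binding memcached to localhost or disabling its UDP listener, not only for the upstream rate limit.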
