nanog mailing list archives

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

From: "K. Scott Helms" <kscotthelms () gmail com>
Date: Fri, 2 Mar 2018 16:18:37 -0500

I won't comment on the sanity of doing so, but _many_ service providers use
EMTAs, ATAs, and other voice devices over RFC1918 space back to their core.

On Fri, Mar 2, 2018 at 4:11 PM, Mark Andrews <marka () isc org> wrote:

Are you insane. ISPs should never use RFC 1918 addresses for stuff that
talks to their customers.  They have no way of knowing which addresses the
customers are using.

Traffic from RFC 1918 addresses should be dropped by any sane border
router which all routers connecting to a ISP are.

--
Mark Andrews

On 2 Mar 2018, at 22:49, Bjørn Mork <bjorn () mork no> wrote:

Owen DeLong <owen () delong com> writes:

I don’t agree that making RFC-1918 limitations a default in any daemon

makes any

sense whatsoever.


+1

One of the more annoying anti-features I know of in this regard is the
dnsmasq rebind "protection".  It claims to protect web browsers on the
LAN against DNS rebind attacks.  But the implementation does not
consider which adresses are used on the LAN at all.  It simply blocks
any A record pointing to an RFC1918 address, making a few bogus
assumptions:
- IPv4 LAN addresses are selected from RFC1918
- RFC1918 addresses are never used on the WAN side of a CPE
- Noone use IPv6 on their LAN

It's hard to know how many users have been bitten by the first
one. You'd have to depend on this rebind "protection" in the first
place, and that would be.... stupid.

But the second assumption regularily bites end users when their ISP
provides some ISP internal service using RFC1918 addresses.  Which of

course

is fine.

The anti-feature has been enabled by default in OpenWrt for a long time,
ref https://wiki.openwrt.org/doc/uci/dhcp#all_options , which means that
there is a large user base having this enabled without knowing.

First, there are plenty of LANs out there that don’t use RFC-1918.

Second, RFC-1918 doesn’t apply to IPv6 at all,


Could you try to explain that to the OpenWrt guys?  Thanks



Bjørn

Current thread:

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks, (continued)
- - - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Christopher Morrow (Mar 01)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Christopher Morrow (Mar 01)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Mike Hammett (Mar 01)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Randy Bush (Mar 01)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Jippen (Mar 01)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Randy Bush (Mar 01)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Royce Williams (Mar 01)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Stephen Satchell (Mar 02)
  - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Bjørn Mork (Mar 02)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Mark Andrews (Mar 02)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks K. Scott Helms (Mar 02)
    - Message not available
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks K. Scott Helms (Mar 02)
    - Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Michel 'ic' Luczak (Mar 04)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Stephen Satchell (Mar 02)