New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
bgreene at senki.org
Tue Feb 27 20:27:02 UTC 2018
Hello Fellow NANOGer,
If you have not already seen it, experiences it, or read about it, working to head off another reflection DOS vector. This time it is memcached on port 11211 UDP & TCP. There are active exploits using these ports. Reflection attacks and the memcached is not new. We know how reflection attacks work (send a spoofed packet to a device and have it reflected back (yes please deploy source address validation and BCP 38).
Operators are asked to review their networks and consider updating their Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP port 11211 for all ingress and egress traffic. If you do not know about iACLs or Explorable port filters, you can use this white paper details and examples from peers on Exploitable Port Filters: http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/
Enterprises are also asked to update their iACLs, Exploitable Port Filters, and Firewalls to track or block UDP/TCP port 11211 for all ingress and egress traffic.
Deploying these filters will help protect your network, your organization, your customers, and the Internet.
Ping me 1:1 if you have questions.
Barry Raveendran Greene
Security Geek helping with OPSEC Trust
Mobile: +1 408 218 4669
E-mail: bgreene at senki.org
Resources on memcached Exploit (to evaluate your risk):
More information about this attack vector can be found at the following:
• JPCERT – memcached のアクセス制御に関する注意喚起 (JPCERT-AT-2018-0009)
• Qrator Labs: The memcached amplification attacks reaching 500 Gbps
• Arbor Networks: memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations
• Cloudflare: Memcrashed – Major amplification attacks from UDP port 11211
• Link11: New High-Volume Vector: Memcached Reflection Amplification Attacks
• Blackhat Talk: The New Page of Injections Book: Memcached Injections by Ivan Novikov
• Memcache Exploit
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 488 bytes
Desc: Message signed with OpenPGP
More information about the NANOG