New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
eric.kuhnke at gmail.com
Tue Feb 27 21:16:37 UTC 2018
I question whether there is *any* high volume hoster out there that has a
reputation for successfully addressing abuse issues coming from their
customer base, and cuts off services... By high volume hoster I define it
as companies where anybody with a credit card can buy a $2 to $15/month
VPS/VM in a fully automated process.
OVH just happens to be one of the largest and probably ranks in the top 10
worldwide by number of hypervisors and VPS. I doubt whether any of their
30-40 competitors that are smaller than them do much better, considering
the ratio of clued and attentive staff to VMs.
On Tue, Feb 27, 2018 at 12:47 PM, Ca By <cb.list6 at gmail.com> wrote:
> Please do take a look at the cloudflare blog specifically as they name and
> shame OVH and Digital Ocean for being the primary sources of mega crap
> Also, policer all UDP all the time... UDP is unsafe at any speed.
> On Tue, Feb 27, 2018 at 12:28 PM Barry Greene <bgreene at senki.org> wrote:
> > Hello Fellow NANOGer,
> > If you have not already seen it, experiences it, or read about it,
> > to head off another reflection DOS vector. This time it is memcached on
> > port 11211 UDP & TCP. There are active exploits using these ports.
> > Reflection attacks and the memcached is not new. We know how reflection
> > attacks work (send a spoofed packet to a device and have it reflected
> > (yes please deploy source address validation and BCP 38).
> > Operators are asked to review their networks and consider updating their
> > Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP
> > port 11211 for all ingress and egress traffic. If you do not know about
> > iACLs or Explorable port filters, you can use this white paper details
> > examples from peers on Exploitable Port Filters:
> > http://www.senki.org/operators-security-toolkit/
> > Enterprises are also asked to update their iACLs, Exploitable Port
> > Filters, and Firewalls to track or block UDP/TCP port 11211 for all
> > and egress traffic.
> > Deploying these filters will help protect your network, your
> > your customers, and the Internet.
> > Ping me 1:1 if you have questions.
> > Sincerely,
> > --
> > Barry Raveendran Greene
> > Security Geek helping with OPSEC Trust
> > Mobile: +1 408 218 4669
> > E-mail: bgreene at senki.org
> > ----------------------------
> > Resources on memcached Exploit (to evaluate your risk):
> > More information about this attack vector can be found at the following:
> > • JPCERT – memcached のアクセス制御に関する注意喚起 (JPCERT-AT-2018-0009)
> > http://www.jpcert.or.jp/at/2018/at180009.html
> > • Qrator Labs: The memcached amplification attacks reaching 500
> > Gbps
> > https://medium.com/@qratorlabs/the-memcached-
> > • Arbor Networks: memcached Reflection/Amplification Description
> > and DDoS Attack Mitigation Recommendations
> > https://www.arbornetworks.com/blog/asert/memcached-
> > • Cloudflare: Memcrashed – Major amplification attacks from UDP
> > port 11211
> > https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-
> > • Link11: New High-Volume Vector: Memcached Reflection
> > Amplification Attacks
> > https://www.link11.com/en/blog/new-high-volume-vector-
> > • Blackhat Talk: The New Page of Injections Book: Memcached
> > Injections by Ivan Novikov
> > https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-
> > • Memcache Exploit
> > http://niiconsulting.com/checkmate/2013/05/memcache-exploit/
More information about the NANOG