New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
goemon at sasami.anime.net
Wed Feb 28 00:13:23 UTC 2018
OVH does not suprise me in the least.
Maybe this is finally what it will take to get people to de-peer them.
On Tue, 27 Feb 2018, Ca By wrote:
> Please do take a look at the cloudflare blog specifically as they name and
> shame OVH and Digital Ocean for being the primary sources of mega crap
> Also, policer all UDP all the time... UDP is unsafe at any speed.
> On Tue, Feb 27, 2018 at 12:28 PM Barry Greene <bgreene at senki.org> wrote:
>> Hello Fellow NANOGer,
>> If you have not already seen it, experiences it, or read about it, working
>> to head off another reflection DOS vector. This time it is memcached on
>> port 11211 UDP & TCP. There are active exploits using these ports.
>> Reflection attacks and the memcached is not new. We know how reflection
>> attacks work (send a spoofed packet to a device and have it reflected back
>> (yes please deploy source address validation and BCP 38).
>> Operators are asked to review their networks and consider updating their
>> Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP
>> port 11211 for all ingress and egress traffic. If you do not know about
>> iACLs or Explorable port filters, you can use this white paper details and
>> examples from peers on Exploitable Port Filters:
>> Enterprises are also asked to update their iACLs, Exploitable Port
>> Filters, and Firewalls to track or block UDP/TCP port 11211 for all ingress
>> and egress traffic.
>> Deploying these filters will help protect your network, your organization,
>> your customers, and the Internet.
>> Ping me 1:1 if you have questions.
>> Barry Raveendran Greene
>> Security Geek helping with OPSEC Trust
>> Mobile: +1 408 218 4669
>> E-mail: bgreene at senki.org
>> Resources on memcached Exploit (to evaluate your risk):
>> More information about this attack vector can be found at the following:
>> • JPCERT – memcached のアクセス制御に関する注意喚起 (JPCERT-AT-2018-0009)
>> • Qrator Labs: The memcached amplification attacks reaching 500
>> • Arbor Networks: memcached Reflection/Amplification Description
>> and DDoS Attack Mitigation Recommendations
>> • Cloudflare: Memcrashed – Major amplification attacks from UDP
>> port 11211
>> • Link11: New High-Volume Vector: Memcached Reflection
>> Amplification Attacks
>> • Blackhat Talk: The New Page of Injections Book: Memcached
>> Injections by Ivan Novikov
>> • Memcache Exploit
More information about the NANOG