New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

• Previous message (by thread): New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
• Next message (by thread): New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Feb 27, 2018 at 4:29 PM Filip Hruska <fhr at fhrnet.eu> wrote:

> This is just stupid.
>
> OVH is one of the largest server providers in the world - of course they
> will be at the top of that list.
> What exactly should they do, according to you?
>

They should have rough norms enforced on their traffic behavior ,
especially around udp. If they do 1tbs of udp, they should police to 3tbs
or something similar.

Why should people de-peer them?
>

Abuse.  But abuse happens, failure to fix chronic is a reason to depeer...
not one off. Personally, i do not peer with ovh because i need my upstream
to rtbh their traffic.



> Regards,
> Filip Hruska
>
> On 28 Feb 2018 at 1:13 am, <Dan Hollis <goemon at sasami.anime.net>> wrote:
>
> OVH does not suprise me in the least.
>
> Maybe this is finally what it will take to get people to de-peer them.
>
> -Dan
>
> On Tue, 27 Feb 2018, Ca By wrote:
>
> > Please do take a look at the cloudflare blog specifically as they name and
> > shame OVH and Digital Ocean for being the primary sources of mega crap
> > traffic
> >
> > https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
> >
> > Also, policer all UDP all the time... UDP is unsafe at any speed.
> >
> >
> > On Tue, Feb 27, 2018 at 12:28 PM Barry Greene  wrote:
> >
> >> Hello Fellow NANOGer,
> >>
> >> If you have not already seen it, experiences it, or read about it, working
> >> to head off another reflection DOS vector. This time it is memcached on
> >> port 11211 UDP & TCP. There are active exploits using these ports.
> >> Reflection attacks and the memcached is not new. We know how reflection
> >> attacks work (send a spoofed packet to a device and have it reflected  back
> >> (yes please deploy source address validation and BCP 38).
> >>
> >> Operators are asked to review their networks and consider updating their
> >> Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP
> >> port 11211 for all ingress and egress traffic. If you do not know about
> >> iACLs or Explorable port filters, you can use this white paper details and
> >> examples from peers on Exploitable Port Filters:
> >> http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/
>
> >>
> >> Enterprises are also asked to update their iACLs, Exploitable Port
> >> Filters, and Firewalls to track or block UDP/TCP port 11211 for all ingress
> >> and egress traffic.
> >>
> >> Deploying these filters will help protect your network, your organization,
> >> your customers, and the Internet.
> >>
> >> Ping me 1:1 if you have questions.
> >>
> >> Sincerely,
> >>
> >> --
> >> Barry Raveendran Greene
> >> Security Geek helping with OPSEC Trust
> >> Mobile: +1 408 218 4669
> >> E-mail: bgreene at senki.org
> >>
> >> ----------------------------
> >> Resources on memcached Exploit (to evaluate your risk):
> >>
> >> More information about this attack vector can be found at the following:
> >>
> >>         • JPCERT – memcached のアクセス制御に関する注意喚起 (JPCERT-AT-2018-0009)
> >> http://www.jpcert.or.jp/at/2018/at180009.html
> >>         • Qrator Labs: The memcached amplification attacks reaching 500
> >> Gbps
> >>
> >> https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98
> >>         • Arbor Networks: memcached Reflection/Amplification Description
> >> and DDoS Attack Mitigation Recommendations
> >>
> >> https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/
> >>         • Cloudflare: Memcrashed – Major amplification attacks from UDP
> >> port 11211
> >>
> >> https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
> >>         • Link11: New High-Volume Vector: Memcached Reflection
> >> Amplification Attacks
> >>
> >> https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/
> >>         • Blackhat Talk: The New Page of Injections Book: Memcached
> >> Injections by Ivan Novikov
> >>
> >> https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf
> >>         • Memcache Exploit
> >> http://niiconsulting.com/checkmate/2013/05/memcache-exploit/
> >>
> >
>
>
>

• Previous message (by thread): New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
• Next message (by thread): New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]