New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
Grzegorz Janoszka
Grzegorz at Janoszka.pl
Wed Feb 28 20:23:20 UTC 2018
On 2018-02-28 13:42, Denys Fedoryshchenko wrote:
> I want to add one software vendor, who is a major contributor to DDoS
> attacks.
> Mikrotik is till now shipping their quite popular routers with a wide open
> DNS recursor,
> that doesn't even have a mechanism for ACL in it. A significant part of DNS
> amplification attacks
> are such Mikrotik recursors.
> They don't care till now.
I have mixed experiences with Mikrotik, but I don't think they would do
such a stupid thing. A friend of mine has three offices and each one has
a Mikrotik to form tunnels and one domain for all the company.
He is not too IP savvy, so he copy-pasted the VPN config from the internet
and left the rest as it was. His routers are not open DNS resolvers.
When I asked them I got no reply and their logs showed:
_drop input: in:ether1 out:(unknown 0), src-mac 00:AB:CD:81:c2:71, proto
UDP, AAA.47.138.134:9082->BBB.146.251.103:53, len 51
His settings showed the DNS server ON with all the queries for the local
network and he actually had a toggle "allow remote queries" on, but his
routers were not open resolvers.
--
Grzegorz Janoszka