New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

Grzegorz Janoszka Grzegorz at
Wed Feb 28 20:23:20 UTC 2018

On 2018-02-28 13:42, Denys Fedoryshchenko wrote:
> I want to add one software vendor, who is major contributor to ddos 
> attacks.
> Mikrotik till now shipping their quite popular routers, with wide open 
> DNS recursor,
> that don't have even mechanism for ACL in it. Significant part of DNS 
> amplification attacks
> are such Mikrotik recursors.
> They don't care till now.

I have mixed experiences with Mikrotik, but I don't think they would do 
such a stupid thing. A friend of mine has three offices and each one has 
a Mikrotik to form tunnels and one domain for all the company.

He is not too IP savvy, so he copy-pasted the VPN config from the internet 
and left the rest as it was. His routers are not open DNS resolvers.

When I asked them I got no reply and their logs showed:

_drop input: in:ether1 out:(unknown 0), src-mac 00:AB:CD:81:c2:71, proto UDP, AAA.47.138.134:9082->BBB.146.251.103:53, len 51

His settings showed the DNS server ON with all the queries for the local 
network and he actually had a toggle "allow remote queries" on, but his 
routers were not open resolvers.

Grzegorz Janoszka
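
One way to run the outside-in check described in this message, as an added example that is not part of the original post: it sends a single recursive DNS query to a router you administer and classifies the reply from the DNS header flags. The function names, the `example.com` query name, the transaction ID and the result labels are assumptions made for illustration.

```python
import socket
import struct
import sys

TXID = 0x1234  # constructed transaction ID for this example

def build_query(name, txid=TXID):
    """Build a DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(data, txid=TXID):
    """Classify a reply using only the 12-byte DNS header (RFC 1035, 4.1.1)."""
    if data is None:
        return "no-reply"              # filtered or dropped, e.g. by an input rule
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:   # wrong ID or QR bit not set
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"               # answers the packet but will not resolve
    if flags & 0x0080 and rcode == 0 and ancount > 0:
        return "open-resolver"         # RA set and a real answer came back
    return "responds-no-answer"

def probe(ip, name="example.com", timeout=3.0):
    """Send one query to a device you administer and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((ip, 53))            # connected UDP: only replies from ip are read
        try:
            s.send(build_query(name))
            data = s.recv(4096)
        except OSError:                # timeout or ICMP port unreachable
            data = None
    return classify_response(data)

if __name__ == "__main__":
    print(probe(sys.argv[1]))
```

Run it from a host outside the router's LAN against the WAN address; `no-reply` matches the dropped-packet behaviour in the firewall log above.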
