New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

K. Scott Helms kscotthelms at gmail.com
Fri Mar 2 21:18:37 UTC 2018


I won't comment on the sanity of doing so, but _many_ service providers use
EMTAs, ATAs, and other voice devices over RFC1918 space back to their core.

On Fri, Mar 2, 2018 at 4:11 PM, Mark Andrews <marka at isc.org> wrote:

> Are you insane? ISPs should never use RFC 1918 addresses for stuff that
> talks to their customers.  They have no way of knowing which addresses the
> customers are using.
>
> Traffic from RFC 1918 addresses should be dropped by any sane border
> router, which all routers connecting to an ISP are.
>
> --
> Mark Andrews
>
> > On 2 Mar 2018, at 22:49, Bjørn Mork <bjorn at mork.no> wrote:
> >
> > Owen DeLong <owen at delong.com> writes:
> >
> >> I don’t agree that making RFC-1918 limitations a default in any daemon
> >> makes any sense whatsoever.
> >
> > +1
> >
> > One of the more annoying anti-features I know of in this regard is the
> > dnsmasq rebind "protection".  It claims to protect web browsers on the
> > LAN against DNS rebind attacks.  But the implementation does not
> > consider which addresses are used on the LAN at all.  It simply blocks
> > any A record pointing to an RFC1918 address, making a few bogus
> > assumptions:
> > - IPv4 LAN addresses are selected from RFC1918
> > - RFC1918 addresses are never used on the WAN side of a CPE
> > - No one uses IPv6 on their LAN
> >
> > It's hard to know how many users have been bitten by the first
> > one. You'd have to depend on this rebind "protection" in the first
> > place, and that would be.... stupid.
> >
> > But the second assumption regularly bites end users when their ISP
> > provides some ISP internal service using RFC1918 addresses.  Which of
> > course is fine.
> >
> > The anti-feature has been enabled by default in OpenWrt for a long time,
> > ref https://wiki.openwrt.org/doc/uci/dhcp#all_options , which means that
> > there is a large user base having this enabled without knowing.
> >
> >> First, there are plenty of LANs out there that don’t use RFC-1918.
> >>
> >> Second, RFC-1918 doesn’t apply to IPv6 at all,
> >
> > Could you try to explain that to the OpenWrt guys?  Thanks
> >
> >
> >
> > Bjørn
>
>
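The rebind-filter behaviour Bjørn describes, and the three assumptions it bakes in, can be made concrete with a small model. The following is an added illustration, not code from the thread or from dnsmasq: it contrasts a naive "block any RFC1918 answer" rule with a filter that checks answers against the prefixes actually configured on the LAN (the `LAN_PREFIXES` list and all sample addresses below are constructed for the example; the ISP-internal 10.20.30.40 service, the public-addressed LAN and the IPv6 ULA host are hypothetical).

```python
import ipaddress

# RFC1918 private IPv4 space (the only thing the naive rule looks at).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed example: a CPE whose LAN uses a public IPv4 /24 plus an IPv6 ULA /64,
# i.e. exactly the kind of LAN the naive rule does not anticipate.
LAN_PREFIXES = ["198.51.100.0/24", "fd00:dead:beef::/64"]

# Constructed DNS answers a client on that LAN might receive.
SAMPLE_ANSWERS = [
    "10.20.30.40",       # ISP-internal service reached over the WAN (hypothetical)
    "203.0.113.7",       # ordinary public host
    "198.51.100.9",      # a host on this LAN (public addressing, no RFC1918)
    "fd00:dead:beef::1", # a host on this LAN (IPv6 ULA)
]


def naive_rebind_block(answer: str) -> bool:
    """Model of the rule the thread describes: block an answer iff it is an
    IPv4 address inside RFC1918, regardless of what the LAN actually uses."""
    ip = ipaddress.ip_address(answer)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def lan_aware_rebind_block(answer: str, lan_prefixes) -> bool:
    """Block an answer iff it lands inside a prefix configured on the LAN,
    for either address family.  Membership tests across families are False."""
    ip = ipaddress.ip_address(answer)
    return any(ip in ipaddress.ip_network(p) for p in lan_prefixes)


def compare_filters(answers, lan_prefixes):
    """Return {answer: (naive_verdict, lan_aware_verdict)} so the two rules
    can be compared side by side for a given LAN."""
    return {a: (naive_rebind_block(a), lan_aware_rebind_block(a, lan_prefixes)) for a in answers}


if __name__ == "__main__":
    for answer, (naive, aware) in compare_filters(SAMPLE_ANSWERS, LAN_PREFIXES).items():
        print(f"{answer:20} naive={naive!s:5} lan-aware={aware!s:5}")
```

Run against the constructed LAN, the ISP-internal 10.20.30.40 answer is blocked by the naive rule but not by the LAN-aware one (the second assumption: a false positive that breaks the ISP's service), while both the public-addressed LAN host and the ULA host slip past the naive rule yet are correctly caught by the LAN-aware one (the first and third assumptions). Only the filter that knows the real LAN prefixes gets all four cases right.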



More information about the NANOG mailing list