New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
cheetahmorph at gmail.com
Fri Mar 2 00:43:26 UTC 2018
The problem here is that you're not being shot in the foot, you're moving a
semi full of ammo and parking it in front of my building. Collateral damage
from other people being lazy with their servers is a pain.
Oh, and this was used to set a new high water mark for 'Biggest DDoS'
against github. 1.5 Tbps. So, its a pretty big deal. And that ignoring the
additional vulnurability from just getting everything useful out of the
memcached server, or continuously clearing the server to damage performance
of the app relying on it.
If your gun's default aiming position is at your foot, then there's a good
argument to change the default. It doesn't solve the problem, but it helps.
On Thu, Mar 1, 2018 at 3:51 PM, Randy Bush <randy at psg.com> wrote:
> > The defaults for Zimbra seem to be to listen everywhere all the time.
> > amidst all the hysterical pontification, i am having trouble finding any
> > release which has, by default, a port 11211 listener on any interface.
> sorry, i should have said "any operating system release"
> yes, you can install memcached
> yes, you can install some j random container which has memcached
> yes, you can shoot yourself in the foot; welcome to the internet
> my point was merely that the hysteria and grandstanding can cost a lot
> of ops a bunch of time. and folk should be aware that normal, simple,
> vanilla environments will not be a source of reflection.
> of course, they might be a target :)
More information about the NANOG