This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/routing-wg@ripe.net/
[routing-wg] New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
Barry Greene
bgreene at senki.org
Wed Feb 28 04:44:33 CET 2018
The posting is sent to APOPS, AfNOG, SANOG, PacNOG, SAFNOG, CaribNOG, TZNOG, MENOG, SDNOG, LACNOG, IRNOG, MYNOG, SGOPS, and the RIPE Routing WG.

If you have not already seen it, experienced it, or read about it, we are working to head off another reflection DOS vector. This time it is memcached on port 11211 UDP & TCP. There are active exploits using these ports. The attacks started in Europe over the last couple of days.

* We’re doing an Operator notification to get more to deploy Exploitable Port Filters (iACLs). Please let me know 1:1 if your team blogs about this (I’ll add to the resource list).

* Operators are asked to review their networks and consider updating their Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP port 11211 for all ingress and egress traffic. If you do not know about iACLs or Exploitable Port Filters, you can use this white paper for details and examples from peers on Exploitable Port Filters: http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/

* Enterprises are also asked to update their iACLs, Exploitable Port Filters, and Firewalls to track or block UDP/TCP port 11211 for all ingress and egress traffic.

Deploying these filters will help protect your network, your organization, your customers, and the Internet.

Ping me 1:1 if you have questions. I’m doing updates here: http://www.senki.org/memcached-on-port-11211-udp-tcp-being-exploited/
Sincerely,

--
Barry Raveendran Greene
Security Geek helping with OPSEC Trust
Mobile: +1 408 218 4669
E-mail: bgreene at senki.org

----------------------------
Resources on memcached Exploit (to evaluate your risk):

More information about this attack vector can be found at the following:

• JPCERT – Alert regarding access control for memcached (JPCERT-AT-2018-0009)
  http://www.jpcert.or.jp/at/2018/at180009.html

• Qrator Labs: The memcached amplification attacks reaching 500 Gbps
  https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98

• Rapid 7: The Flip Side of memcrashed
  https://blog.rapid7.com/2018/02/27/the-flip-side-of-memcrashed/

• Akamai: Memcached UDP Reflection Attacks
  https://blogs.akamai.com/2018/02/memcached-udp-reflection-attacks.html

• Arbor Networks: memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations
  https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/

• Cloudflare: Memcrashed – Major amplification attacks from UDP port 11211
  https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

• Link11: New High-Volume Vector: Memcached Reflection Amplification Attacks
  https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/

• Blackhat Talk: The New Page of Injections Book: Memcached Injections by Ivan Novikov
  https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf

• Memcache Exploit
  http://niiconsulting.com/checkmate/2013/05/memcache-exploit/
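An added example, not part of the original posting: one way to "track" port 11211 traffic crossing the network edge from flow records, in both directions, before or alongside a block rule. The CSV field layout, the internal prefix and the sample flows are constructed assumptions.

```python
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

MEMCACHED_PORT = 11211
# Assumption: prefixes that belong to your own network (documentation range here).
INTERNAL = [ip_network("192.0.2.0/24")]

# Constructed sample flow records, not real traffic.
SAMPLE_FLOWS = """src_ip,src_port,dst_ip,dst_port,proto,bytes
198.51.100.7,40112,192.0.2.10,11211,udp,60
192.0.2.10,11211,203.0.113.5,40112,udp,733000
203.0.113.80,11211,192.0.2.25,53011,udp,1400000
192.0.2.30,51000,198.51.100.9,11211,tcp,420
192.0.2.40,44321,198.51.100.9,443,tcp,5200
192.0.2.10,11211,192.0.2.11,39000,tcp,900
"""

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)

def classify(flow):
    """Return a label for edge-crossing port 11211 flows, else None."""
    src_in, dst_in = is_internal(flow["src_ip"]), is_internal(flow["dst_ip"])
    if src_in == dst_in:
        return None  # internal-only or transit: does not cross our edge
    sport, dport = int(flow["src_port"]), int(flow["dst_port"])
    direction = "egress" if src_in else "ingress"
    if dport == MEMCACHED_PORT:
        return f"{direction}-to-11211"    # a request heading for a memcached port
    if sport == MEMCACHED_PORT:
        return f"{direction}-from-11211"  # a memcached reply crossing the edge
    return None

def summarize(text):
    """Total bytes per (label, proto) for flows a port-11211 filter would match."""
    totals = Counter()
    for flow in csv.DictReader(io.StringIO(text)):
        label = classify(flow)
        if label:
            totals[(label, flow["proto"])] += int(flow["bytes"])
    return dict(totals)

if __name__ == "__main__":
    for (label, proto), nbytes in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{label:22} {proto:4} {nbytes:>9} bytes")
```

Large `egress-from-11211` UDP totals point at a memcached instance inside your network answering outside hosts; large `ingress-from-11211` totals mean reflected traffic is arriving at one of your addresses.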