[lacnog] UPDATE: Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

Barry Greene bgreene en senki.org
Jue Mar 1 00:38:40 BRT 2018


UPDATE: As of 2018-02-28, more attacks using the memcached reflection vector have been unleashed on the Internet. Operators are asked to port filter (Exploitable Port Filters), rate limits the port 11211 UDP traffic (ingress and egress), and clean up any memcached exposed to the Internet (iptables on UNIX works).  These mitigations should be on IPv4 and IPv6! There is not excuse for ISPs, Telcos, and other operators for not acting. NTT is an example of action. As stated by Job Snijders <job en ntt.net <mailto:job en ntt.net>> on the NANOG List:

“NTT too has deployed rate limiters on all external facing interfaces on the GIN backbone – for UDP/11211 traffic – to dampen the negative impact of open memcached instances on peers and customers.

The toxic combination of ‘one spoofed packet can yield multiple reponse packets’ and ‘one small packet can yield a very big response’ makes the
memcached UDP protocol a fine example of double trouble with potential for severe operational impact.”

This post has been updated with recommendations. Check with your network vendors for deployment/configuration details.

http://www.senki.org/memcached-on-port-11211-udp-tcp-being-exploited/ <http://www.senki.org/memcached-on-port-11211-udp-tcp-being-exploited/>




> On Feb 27, 2018, at 3:20 PM, Barry Greene <bgreene en senki.org <mailto:bgreene en senki.org>> wrote:
> 
> Hello Fellow LATNOG Colleagues,
> 
> We (various Operator Security Community) are working to head off another reflection DOS vector.
> 
> All Operators and Enterprise Networks – memcached on port 11211 UDP & TCP being exploited. This is now new. We know how reflection attacks work (send a spoofed packet to a device and have it reflected back (see illustration).
> 
> Operators are asked to review their networks and consider updating their Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP port 11211 for all ingress and egress traffic. This white paper provides details on Exploitable Port Filters: http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/ <http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/>
> 
> Enterprises are also asked to update their iACLs, Exploitable Port Filters, and Firewalls to track or block UDP/TCP port 11211 for all ingress and egress traffic.
> 
> Deploying these filters will help protect your network, your organization, your customers, and the Internet.
> 
> Ping me 1:1 if you have questions.
> 
> Sincerely,
> 
> --
> Barry Raveendran Greene
> Security Geek helping with OPSEC Trust
> Mobile: +1 408 218 4669
> E-mail: bgreene en senki.org <mailto:bgreene en senki.org>
> 
> ----------------------------
> Resources on memcached Exploit (to evaluate your risk):
> 
> More information about this attack vector can be found at the following:
> 
> 	• JPCERT – memcached のアクセス制御に関する注意喚起 (JPCERT-AT-2018-0009)
> http://www.jpcert.or.jp/at/2018/at180009.html <http://www.jpcert.or.jp/at/2018/at180009.html>
> 	• Qrator Labs: The memcached amplification attacks reaching 500 Gbps
> https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98 <https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98>
> 	• Arbor Networks: memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations
> https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/ <https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/>
> 	• Cloudflare: Memcrashed – Major amplification attacks from UDP port 11211
> https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ <https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/>
> 	• Link11: New High-Volume Vector: Memcached Reflection Amplification Attacks
> https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/ <https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/>
> 	• Blackhat Talk: The New Page of Injections Book: Memcached Injections by Ivan Novikov
> https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf
> 	• Memcache Exploit
> http://niiconsulting.com/checkmate/2013/05/memcache-exploit/

------------ próxima parte ------------
Se ha borrado un adjunto en formato HTML...
URL: <https://mail.lacnic.net/pipermail/lacnog/attachments/20180228/345a5e54/attachment.html>
------------ próxima parte ------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: Message signed with OpenPGP
URL: <https://mail.lacnic.net/pipermail/lacnog/attachments/20180228/345a5e54/attachment.sig>


Más información sobre la lista de distribución LACNOG