I question whether there is *any* high volume hoster out there that has a reputation for successfully addressing abuse issues coming from their customer base, and cuts off services... By high volume hoster I define it as companies where anybody with a credit card can buy a $2 to $15/month VPS/VM in a fully automated process.
OVH just happens to be one of the largest and probably ranks in the top 10 worldwide by number of hypervisors and VPS. I doubt whether any of their 30-40 competitors that are smaller than them do much better, considering the ratio of clued and attentive staff to VMs. On Tue, Feb 27, 2018 at 12:47 PM, Ca By <cb.li...@gmail.com> wrote: > Please do take a look at the cloudflare blog specifically as they name and > shame OVH and Digital Ocean for being the primary sources of mega crap > traffic > > https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from- > port-11211/ > > Also, policer all UDP all the time... UDP is unsafe at any speed. > > > On Tue, Feb 27, 2018 at 12:28 PM Barry Greene <bgre...@senki.org> wrote: > > > Hello Fellow NANOGer, > > > > If you have not already seen it, experiences it, or read about it, > working > > to head off another reflection DOS vector. This time it is memcached on > > port 11211 UDP & TCP. There are active exploits using these ports. > > Reflection attacks and the memcached is not new. We know how reflection > > attacks work (send a spoofed packet to a device and have it reflected > back > > (yes please deploy source address validation and BCP 38). > > > > Operators are asked to review their networks and consider updating their > > Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP > > port 11211 for all ingress and egress traffic. If you do not know about > > iACLs or Explorable port filters, you can use this white paper details > and > > examples from peers on Exploitable Port Filters: > > http://www.senki.org/operators-security-toolkit/ > filtering-exploitable-ports-and-minimizing-risk-to-and- > from-your-customers/ > > > > Enterprises are also asked to update their iACLs, Exploitable Port > > Filters, and Firewalls to track or block UDP/TCP port 11211 for all > ingress > > and egress traffic. > > > > Deploying these filters will help protect your network, your > organization, > > your customers, and the Internet. > > > > Ping me 1:1 if you have questions. > > > > Sincerely, > > > > -- > > Barry Raveendran Greene > > Security Geek helping with OPSEC Trust > > Mobile: +1 408 218 4669 > > E-mail: bgre...@senki.org > > > > ---------------------------- > > Resources on memcached Exploit (to evaluate your risk): > > > > More information about this attack vector can be found at the following: > > > > • JPCERT – memcached のアクセス制御に関する注意喚起 (JPCERT-AT-2018-0009) > > http://www.jpcert.or.jp/at/2018/at180009.html > > • Qrator Labs: The memcached amplification attacks reaching 500 > > Gbps > > > > https://medium.com/@qratorlabs/the-memcached- > amplification-attack-reaching-500-gbps-b439a7b83c98 > > • Arbor Networks: memcached Reflection/Amplification Description > > and DDoS Attack Mitigation Recommendations > > > > https://www.arbornetworks.com/blog/asert/memcached- > reflection-amplification-description-ddos-attack- > mitigation-recommendations/ > > • Cloudflare: Memcrashed – Major amplification attacks from UDP > > port 11211 > > > > https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from- > port-11211/ > > • Link11: New High-Volume Vector: Memcached Reflection > > Amplification Attacks > > > > https://www.link11.com/en/blog/new-high-volume-vector- > memcached-reflection-amplification-attacks/ > > • Blackhat Talk: The New Page of Injections Book: Memcached > > Injections by Ivan Novikov > > > > https://www.blackhat.com/docs/us-14/materials/us-14-Novikov- > The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf > > • Memcache Exploit > > http://niiconsulting.com/checkmate/2013/05/memcache-exploit/ > > >