Today's Topics:

   1. UPDATE: Re: New Active Exploit: memcached on port 11211 UDP &
      TCP being exploited for reflection attacks (Barry Greene)
   2. New Active Exploit: memcached on port 11211 UDP & TCP being
      exploited for reflection attacks (Barry Greene)


----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Feb 2018 22:37:45 -0500
From: Barry Greene <[email protected]>
To: [email protected]
Subject: [SANOG] UPDATE: Re: New Active Exploit: memcached on port
        11211 UDP & TCP being exploited for reflection attacks
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"

UPDATE: As of 2018-02-28, more attacks using the memcached reflection vector 
have been unleashed on the Internet. Operators are asked to port filter 
(Exploitable Port Filters), rate limit the port 11211 UDP traffic (ingress and 
egress), and clean up any memcached exposed to the Internet (iptables on UNIX 
works).  These mitigations should be on IPv4 and IPv6! There is no excuse for 
ISPs, Telcos, and other operators for not acting. NTT is an example of action. 
As stated by Job Snijders <[email protected]> on the NANOG List:

"NTT too has deployed rate limiters on all external facing interfaces on the 
GIN backbone - for UDP/11211 traffic - to dampen the negative impact of open 
memcached instances on peers and customers.

The toxic combination of 'one spoofed packet can yield multiple response 
packets' and 'one small packet can yield a very big response' makes the
memcached UDP protocol a fine example of double trouble with potential for 
severe operational impact."

This post has been updated with recommendations. Check with your network 
vendors for deployment/configuration details.

http://www.senki.org/memcached-on-port-11211-udp-tcp-being-exploited/




> On Feb 27, 2018, at 3:20 PM, Barry Greene <[email protected]> wrote:
> 
> Hello Fellow SANOG Colleagues,
> 
> We (various Operator Security Community) are working to head off another 
> reflection DOS vector.
> 
> All Operators and Enterprise Networks - memcached on port 11211 UDP & TCP 
> being exploited. This is now new. We know how reflection attacks work (send a 
> spoofed packet to a device and have it reflected back; see illustration).
> 
> Operators are asked to review their networks and consider updating their 
> Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP port 
> 11211 for all ingress and egress traffic. This white paper provides details 
> on Exploitable Port Filters: 
> http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/
> 
> Enterprises are also asked to update their iACLs, Exploitable Port Filters, 
> and Firewalls to track or block UDP/TCP port 11211 for all ingress and egress 
> traffic.
> 
> Deploying these filters will help protect your network, your organization, 
> your customers, and the Internet.
> 
> Ping me 1:1 if you have questions.
> 
> Sincerely,
> 
> --
> Barry Raveendran Greene
> Security Geek helping with OPSEC Trust
> Mobile: +1 408 218 4669
> E-mail: [email protected]
> 
> ----------------------------
> Resources on memcached Exploit (to evaluate your risk):
> 
> More information about this attack vector can be found at the following:
> 
> * JPCERT - memcached のアクセス制御に関する注意喚起 (JPCERT-AT-2018-0009)
>   http://www.jpcert.or.jp/at/2018/at180009.html
> * Qrator Labs: The memcached amplification attacks reaching 500 Gbps
>   https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98
> * Arbor Networks: memcached Reflection/Amplification Description and 
>   DDoS Attack Mitigation Recommendations
>   https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/
> * Cloudflare: Memcrashed - Major amplification attacks from UDP port 
>   11211
>   https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
> * Link11: New High-Volume Vector: Memcached Reflection Amplification 
>   Attacks
>   https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/
> * Blackhat Talk: The New Page of Injections Book: Memcached Injections 
>   by Ivan Novikov
>   https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf
> * Memcache Exploit
>   http://niiconsulting.com/checkmate/2013/05/memcache-exploit/
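
A check for the point in the update above that the port 11211 filters must exist on IPv4 and IPv6 alike, as an added example that is not part of the original posts: it reads `iptables-save` / `ip6tables-save` style dumps and reports where UDP/TCP 11211 is not dropped on INPUT or OUTPUT. The sample dumps are constructed, and the audit assumes host filter chains only (no FORWARD, no user-defined chains).

```python
import re

PORT, CHAINS, PROTOS = 11211, ("INPUT", "OUTPUT"), ("udp", "tcp")
# Rule body with no condition other than protocol and one port match.
COND = re.compile(r"(?:-p (\w+)(?: -m \1)?)?(?: ?--[ds]port (\S+))?")

def port_matches(spec):
    """True if an iptables port spec ('11211' or 'low:high') includes PORT."""
    low, sep, high = spec.partition(":")
    return int(low or 0) <= PORT <= int((high or 65535) if sep else low)

def audit(family, dump):
    """Return sorted (family, chain, proto) where port 11211 is not dropped.
    Rules with extra conditions (-i lo, -s ...) are skipped as narrower."""
    table, policy, verdict = None, {}, {}
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":"):
            policy[line[1:].split()[0]] = line.split()[1]
        elif (rule := re.match(r"-A (\S+)(.*?) -j (\S+)", line)):
            chain, body, target = rule.groups()
            cond = COND.fullmatch(body.strip())
            if not cond or target not in ("ACCEPT", "DROP", "REJECT"):
                continue
            for proto in PROTOS:
                if cond[1] in (None, proto) and (
                        cond[2] is None or port_matches(cond[2])):
                    verdict.setdefault((chain, proto), target)  # first match wins
    # No unconditional rule for the port: the chain policy decides.
    return sorted((family, c, p) for c in CHAINS for p in PROTOS
                  if verdict.get((c, p), policy.get(c, "ACCEPT")) == "ACCEPT")

# Constructed sample dump (iptables-save format), not taken from the posts.
V4 = """*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 11211 -j DROP
-A INPUT -p tcp -m tcp --dport 11211 -j DROP
-A OUTPUT -p udp -m udp --sport 11211 -j DROP
-A OUTPUT -p tcp -m tcp --sport 11211 -j DROP
COMMIT"""
# Constructed IPv6 dump: the same rule set with the UDP rules forgotten.
V6 = "\n".join(l for l in V4.splitlines() if " udp " not in l)

if __name__ == "__main__":
    print(audit("ipv4", V4) + audit("ipv6", V6))
```
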

------------------------------

Message: 2
Date: Tue, 27 Feb 2018 22:44:33 -0500
From: Barry Greene <[email protected]>
Subject: [SANOG] New Active Exploit: memcached on port 11211 UDP & TCP
        being exploited for reflection attacks
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"

The posting is sent to APOPS, AfNOG, SANOG, PacNOG, SAFNOG, CaribNOG, TZNOG, 
MENOG, SDNOG, LACNOG, IRNOG, MYNOG, SGOPS, and the RIPE Routing WG.

If you have not already seen it, experienced it, or read about it, we are working to 
head off another reflection DOS vector. This time it is memcached on port 11211 
UDP & TCP. There are active exploits using these ports. The attacks started in 
Europe over the last couple of days.

* We're doing an Operator notification to get more to deploy Exploitable Port 
Filters (iACLs). Please let me know 1:1 if your team blogs about this (I'll add 
to the resource list).

* Operators are asked to review their networks and consider updating their 
Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP port 
11211 for all ingress and egress traffic. If you do not know about iACLs or 
Exploitable Port Filters, you can use this white paper's details and examples from 
peers on Exploitable Port Filters: 
http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/

* Enterprises are also asked to update their iACLs, Exploitable Port Filters, 
and Firewalls to track or block UDP/TCP port 11211 for all ingress and egress 
traffic.

Deploying these filters will help protect your network, your organization, your 
customers, and the Internet.

Ping me 1:1 if you have questions. I'm doing updates here: 
http://www.senki.org/memcached-on-port-11211-udp-tcp-being-exploited/


Sincerely,

--
Barry Raveendran Greene
Security Geek helping with OPSEC Trust
Mobile: +1 408 218 4669
E-mail: [email protected]

----------------------------
Resources on memcached Exploit (to evaluate your risk):

More information about this attack vector can be found at the following:

* JPCERT - memcached のアクセス制御に関する注意喚起 (JPCERT-AT-2018-0009)
  http://www.jpcert.or.jp/at/2018/at180009.html

* Qrator Labs: The memcached amplification attacks reaching 500 Gbps
  https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98

* Rapid 7: The Flip Side of memcrashed
  https://blog.rapid7.com/2018/02/27/the-flip-side-of-memcrashed/

* Akamai: Memcached UDP Reflection Attacks
  https://blogs.akamai.com/2018/02/memcached-udp-reflection-attacks.html

* Arbor Networks: memcached Reflection/Amplification Description and DDoS 
  Attack Mitigation Recommendations
  https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/

* Cloudflare: Memcrashed - Major amplification attacks from UDP port 11211
  https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

* Link11: New High-Volume Vector: Memcached Reflection Amplification Attacks
  https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/

* Blackhat Talk: The New Page of Injections Book: Memcached Injections by Ivan 
  Novikov
  https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf

* Memcache Exploit
  http://niiconsulting.com/checkmate/2013/05/memcache-exploit/

------------------------------

End of sanog Digest, Vol 74, Issue 1
************************************