Today's Topics:
1. Update: New Active Exploit: memcached on port 11211 UDP & TCP
being exploited for reflection attacks (Barry Greene)
----------------------------------------------------------------------
Message: 1
Date: Wed, 28 Feb 2018 22:28:56 -0500
From: Barry Greene <[email protected]>
To: [email protected], "Afnog@Afnog. Org" <[email protected]>,
[email protected], [email protected], [email protected],
[email protected], [email protected], [email protected],
[email protected], [email protected], [email protected],
[email protected], [email protected], [email protected], AP
Organizations <[email protected]>, [email protected],
[email protected]
Subject: [SANOG] Update: New Active Exploit: memcached on port 11211
UDP & TCP being exploited for reflection attacks
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
[The posting is sent to APOPS, AfNOG, SANOG, PacNOG, SAFNOG, CaribNOG, TZNOG,
MENOG, SDNOG, LACNOG, IRNOG, MYNOG, SGOPS, and the RIPE Routing WG.]
UPDATE: As of 2018-02-28, more attacks using the memcached reflection vector
have been unleashed on the Internet. Operators are asked to port filter
(Exploitable Port Filters), rate limit the port 11211 UDP traffic (ingress and
egress), and clean up any memcached exposed to the Internet (iptables on UNIX
works). These mitigations should be on IPv4 and IPv6! There is no excuse for
ISPs, Telcos, and other operators for not acting. NTT is an example of action.
As stated by Job Snijders <[email protected]> on the NANOG List:
"NTT too has deployed rate limiters on all external facing interfaces on the
GIN backbone - for UDP/11211 traffic - to dampen the negative impact of open
memcached instances on peers and customers.
The toxic combination of 'one spoofed packet can yield multiple response
packets' and 'one small packet can yield a very big response' makes the
memcached UDP protocol a fine example of double trouble with potential for
severe operational impact."
This post has been updated with recommendations. Check with your network
vendors for deployment/configuration details.
http://www.senki.org/memcached-on-port-11211-udp-tcp-being-exploited/
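Added example, not part of the original posting: one way to check a host for the "memcached exposed to the Internet" condition the message asks operators to clean up, on both IPv4 and IPv6. It parses the output of `ss -H -lntu` and flags port 11211 listeners bound to anything other than loopback; the function names and the sample output are constructed for illustration.

```python
import ipaddress

MEMCACHED_PORT = 11211

# Constructed sample of `ss -H -lntu` output (not captured from a real host).
SAMPLE_SS = """\
udp UNCONN 0 0 0.0.0.0:11211 0.0.0.0:*
udp UNCONN 0 0 [::]:11211 [::]:*
tcp LISTEN 0 1024 127.0.0.1:11211 0.0.0.0:*
tcp LISTEN 0 1024 [::1]:11211 [::]:*
udp UNCONN 0 0 192.0.2.10:11211 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 *:22 *:*
"""

def split_local(field):
    """Split the 'Local Address:Port' column into (host, port string)."""
    host, _, port = field.rpartition(":")
    # Drop any %interface scope, then the brackets around IPv6 literals.
    return host.split("%")[0].strip("[]"), port

def is_exposed(host):
    """True when the bind address is reachable from off-host."""
    if host == "*":                      # dual-stack wildcard
        return True
    # 0.0.0.0 and :: are "unspecified", not loopback, so they count as exposed.
    return not ipaddress.ip_address(host).is_loopback

def audit(ss_output, port=MEMCACHED_PORT):
    """Return [(proto, bind_address)] for non-loopback listeners on `port`."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] not in ("udp", "tcp"):
            continue
        host, lport = split_local(cols[4])
        if lport.isdigit() and int(lport) == port and is_exposed(host):
            findings.append((cols[0], host))
    return findings

if __name__ == "__main__":
    for proto, host in audit(SAMPLE_SS):
        print(f"EXPOSED: memcached port {MEMCACHED_PORT}/{proto} bound to {host}")
```

A clean host returns an empty list; any finding means the listener needs rebinding to loopback or a host firewall rule in front of it.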
End of sanog Digest, Vol 74, Issue 2
************************************