Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-04 Thread Michel 'ic' Luczak
The ones I know do so on private VLANs (or ATM circuits on DSL), so in any case unrelated to any client’s address space. Also, French triple-play ISPs use RFC1918 space for IPTV, but again isolated from any customer network, so it doesn’t really matter. > On 2 Mar 2018, at 22:18, K. Scott Helms

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread John Levine
In article you write: >What can you do with ULA that GUA isn’t suitable for? I have a home network with two segments, one wired and one wireless. It has IPv6 addresses assigned by my ISP, Spectrum nee TWC, which probably won't change but who

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-02 Thread K. Scott Helms
They use separate service flows and layer 3 interfaces (usually) in DOCSIS networks but they often use the same DNS infrastructure which is why I piped up. Scott Helms On Mar 2, 2018 4:46 PM, "Michel 'ic' Luczak" wrote: The ones I know do so on private VLANs (or ATM

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-02 Thread K. Scott Helms
I won't comment on the sanity of doing so, but _many_ service providers use EMTAs, ATAs, and other voice devices over RFC1918 space back to their core. On Fri, Mar 2, 2018 at 4:11 PM, Mark Andrews wrote: > Are you insane? ISPs should never use RFC 1918 addresses for stuff that >

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-02 Thread Mark Andrews
Are you insane? ISPs should never use RFC 1918 addresses for stuff that talks to their customers. They have no way of knowing which addresses the customers are using. Traffic from RFC 1918 addresses should be dropped by any sane border router, which all routers connecting to an ISP are. --

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Matt Erculiani
Not sure if this is the common thought, but if anyone has a network which requires static IP assignments, they can probably justify a request for a /48 from an RIR. After all, ARIN's requirement for an end-user IPv6 block is, at minimum: "Justify why IPv6 addresses from an ISP or other LIR are

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-02 Thread Stephen Satchell
On 03/01/2018 02:55 PM, Royce Williams wrote: pstream, until two days ago, the default was to listen on all interfaces. https://github.com/memcached/memcached/wiki/ReleaseNotes156 The package maintainers were (thankfully) injecting additional sanity. Yes, they did, in commit dbb7a8af. Here

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-02 Thread Stephen Satchell
Testing on a recently-loaded VM of CentOS 7.3: [root@localhost odd]# netstat -tan | grep 11211 [root@localhost odd]# netstat -uan | grep 11211 [root@localhost odd]# yum install memcached [root@localhost odd]# systemctl start memcached.service [root@localhost odd]# netstat -tan | grep 11211 tcp

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong
> On Mar 2, 2018, at 19:25, Bjørn Mork wrote: > > Owen DeLong writes: > >>> On Mar 2, 2018, at 3:17 AM, Bjørn Mork wrote: >>> >>> Owen DeLong writes: >>> What can you do with ULA that GUA isn’t suitable for? >>> >>> 1)

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Bjørn Mork
Owen DeLong writes: >> On Mar 2, 2018, at 3:17 AM, Bjørn Mork wrote: >> >> Owen DeLong writes: >> >>> What can you do with ULA that GUA isn’t suitable for? >> >> 1) get >> 2) keep >> 3) move > > Wrong. > > 1) get > Easy as going to

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong
> On Mar 2, 2018, at 3:17 AM, Bjørn Mork wrote: > > Owen DeLong writes: > >> What can you do with ULA that GUA isn’t suitable for? > > 1) get > 2) keep > 3) move Wrong. 1) get Easy as going to http://tunnelbroker.net and

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong
For that matter, if we can kill IPv4, we have plenty of headroom for a LOT of IPv6 PI space. Owen > On Mar 1, 2018, at 4:48 PM, Matt Erculiani wrote: > > Not sure if this is the common thought, but if anyone has a network > which requires static IP assignments, they can

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong
> On Mar 1, 2018, at 5:30 PM, Mark Andrews wrote: > > >> On 2 Mar 2018, at 11:48 am, Matt Erculiani wrote: >> >> Not sure if this is the common thought, but if anyone has a network >> which requires static IP assignments, they can probably justify a >>

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong
> On Mar 1, 2018, at 6:30 PM, Harald Koch wrote: > > On 1 March 2018 at 18:48, Mark Andrews wrote: > >> ULA provide stable internal addresses which survive changing ISP >> for the average home user. > > > Yeah this is pretty much what I'm doing. ULA for

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-02 Thread Bjørn Mork
Owen DeLong writes: > I don’t agree that making RFC-1918 limitations a default in any daemon makes > any > sense whatsoever. +1 One of the more annoying anti-features I know of in this regard is the dnsmasq rebind "protection". It claims to protect web browsers on the LAN

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong
> On Mar 2, 2018, at 1:50 AM, Saku Ytti wrote: > > Enno et al ULA fans > > I could not agree more. > > Either you provide your enterprise customers transportable address or > ULA. If you assign and promote them to use your 'PA' address, they > will take your PA address with them

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Bjørn Mork
Owen DeLong writes: > What can you do with ULA that GUA isn’t suitable for? 1) get 2) keep 3) move Granted, many of us can do that with GUAs too. But with ULA those features are available to everyone everywhere. Which is useful for a number of applications where you care

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Saku Ytti
Enno et al ULA fans I could not agree more. Either you provide your enterprise customers transportable address or ULA. If you assign and promote them to use your 'PA' address, they will take your PA address with them when they change operator 10 years from now, and if you reuse it, these two

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Enno Rey
Hi, On Thu, Mar 01, 2018 at 09:30:32PM -0500, Harald Koch wrote: > On 1 March 2018 at 18:48, Mark Andrews wrote: > > > ULA provide stable internal addresses which survive changing ISP > > for the average home user. > > > Yeah this is pretty much what I'm doing. ULA for stable,

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-01 Thread Harald Koch
On 1 March 2018 at 18:48, Mark Andrews wrote: > ULA provide stable internal addresses which survive changing ISP > for the average home user. Yeah this is pretty much what I'm doing. ULA for stable, internal addresses that I can put into the (internal) DNS: ISP prefixes for

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-01 Thread Mark Andrews
> On 2 Mar 2018, at 11:48 am, Matt Erculiani wrote: > > Not sure if this is the common thought, but if anyone has a network > which requires static IP assignments, they can probably justify a > request for a /48 from an RIR. After all, ARIN's requirement for an > end-user

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-01 Thread Randy Bush
hyperbole. sad and embarrassing to say, but it’s just another damned day of the internet security rolling disaster. there will be more. there will be worse. and screaming wolf will only make folk inured (excuse the american idiom). randy

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-01 Thread Jippen
The problem here is that you're not being shot in the foot, you're moving a semi full of ammo and parking it in front of my building. Collateral damage from other people being lazy with their servers is a pain. Oh, and this was used to set a new high water mark for 'Biggest DDoS' against github.

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-01 Thread Randy Bush
> The defaults for Zimbra seem to be to listen everywhere all the time. > amidst all the hysterical pontification, i am having trouble finding any > release which has, by default, a port 11211 listener on any interface. sorry, i should have said "any operating system release" yes, you can

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-01 Thread Mark Andrews
> On 2 Mar 2018, at 9:28 am, Owen DeLong wrote: > > >> On Mar 1, 2018, at 1:20 PM, Harald Koch wrote: >> >> On 1 March 2018 at 15:18, Owen DeLong > > wrote: >> Second, RFC-1918 doesn’t apply to IPv6 at all, and

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-01 Thread Royce Williams
On Thu, Mar 1, 2018 at 1:38 PM, Randy Bush wrote: > > > this is sort of why openbsd listens only on 127.0.0.1/::1 by default, > > right? it's the only sane choice for 'fresh out of the box' network > > daemons: "Yes, it's running, yes I can healthcheck it locally to prove > > it's

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-01 Thread Mike Hammett
> this is sort of why openbsd l

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-01 Thread Christopher Morrow
On Thu, Mar 1, 2018 at 5:50 PM, Christopher Morrow wrote: > pre install of memcache on a (debianXXX) > $ cat /etc/debian_version 9.3 (cut/paste fail before click-submit) > Abort. > morrowc@build:~$ netstat -anA inet | grep LIST > tcp0 0 192.110.255.61:53

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-01 Thread Christopher Morrow
pre install of memcache on a (debianXXX) Abort. morrowc@build:~$ netstat -anA inet | grep LIST tcp0 0 192.110.255.61:53 0.0.0.0:* LISTEN tcp0 0 127.0.0.1:530.0.0.0:* LISTEN tcp0 0 0.0.0.0:22

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-01 Thread Randy Bush
> this is sort of why openbsd listens only on 127.0.0.1/::1 by default, > right? it's the only sane choice for 'fresh out of the box' network > daemons: "Yes, it's running, yes I can healthcheck it locally to prove > it's running" amidst all the hysterical pontification, i am having trouble

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-01 Thread Owen DeLong
> On Mar 1, 2018, at 1:20 PM, Harald Koch wrote: > > On 1 March 2018 at 15:18, Owen DeLong > wrote: > Second, RFC-1918 doesn’t apply to IPv6 at all, and (fortunately) hardly anyone > uses ULA (the IPv6 analogue to RFC-1918). > > Wait.

IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-01 Thread Harald Koch
On 1 March 2018 at 15:18, Owen DeLong wrote: > Second, RFC-1918 doesn’t apply to IPv6 at all, and (fortunately) hardly > anyone > uses ULA (the IPv6 analogue to RFC-1918). > Wait. What's the objection to ULA? Is it just that NAT is bad, or is there something new? -- Harald

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-01 Thread Christopher Morrow
On Thu, Mar 1, 2018 at 3:18 PM, Owen DeLong wrote: > I don’t agree that making RFC-1918 limitations a default in any daemon > makes any > sense whatsoever. > > First, there are plenty of LANs out there that don’t use RFC-1918. > > Second, RFC-1918 doesn’t apply to IPv6 at all,

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-01 Thread Owen DeLong
I don’t agree that making RFC-1918 limitations a default in any daemon makes any sense whatsoever. First, there are plenty of LANs out there that don’t use RFC-1918. Second, RFC-1918 doesn’t apply to IPv6 at all, and (fortunately) hardly anyone uses ULA (the IPv6 analogue to RFC-1918). I do

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-01 Thread Eric Kuhnke
On the other side: VM/VPS providers have a template based image that they use for every type and subtype of operating system it's possible to auto-provision. For example Ubuntu Server Xenial AMD64 or Debian Jessie or Stretch AMD64. It's important that VM/VPS providers don't push fresh images that

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-28 Thread Ca By
On Wed, Feb 28, 2018 at 5:54 PM Job Snijders wrote: > On Tue, Feb 27, 2018 at 09:52:54PM +, Chip Marshall wrote: > > On 2018-02-27, Ca By sent: > > > Please do take a look at the cloudflare blog specifically as they > > > name and shame OVH and Digital

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-28 Thread Job Snijders
On Tue, Feb 27, 2018 at 09:52:54PM +, Chip Marshall wrote: > On 2018-02-27, Ca By sent: > > Please do take a look at the cloudflare blog specifically as they > > name and shame OVH and Digital Ocean for being the primary sources > > of mega crap traffic > > > >

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-28 Thread Mike Hammett
I want to add one software vendor, who is a major contributor to DDoS attacks. Mikrotik till now ships their quite popular routers with a wide open DNS r

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-28 Thread Grzegorz Janoszka
On 2018-02-28 13:42, Denys Fedoryshchenko wrote: I want to add one software vendor, who is a major contributor to DDoS attacks. Mikrotik till now ships their quite popular routers with a wide open DNS recursor that doesn't even have a mechanism for an ACL in it. A significant part of DNS amplification

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-28 Thread Denys Fedoryshchenko
I want to add one software vendor, who is a major contributor to DDoS attacks. Mikrotik till now ships their quite popular routers with a wide open DNS recursor that doesn't even have a mechanism for an ACL in it. A significant part of DNS amplification attacks are such Mikrotik recursors. They don't

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-28 Thread Job Snijders
Dear all, Before the group takes on the pitchforks and torches and travels down to the hosting providers' headquarters - let's take a step back and look at the root of this issue: the memcached software has failed both the Internet community and its own memcached users. It is INSANE that

Re: Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-28 Thread Brian Kantor
It seems to me that since peer pressure hasn't worked, it's time to resort to legal means. Have a talk with your own organization's lawyers, explain to them how much time and money those folks are costing your organization, and see if there isn't something you can do in the way of billing for the

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-28 Thread Jean | ddostest.me via NANOG
I ran a full scan of the internet with zmap to find vulnerable memcached servers from an AWS server. AWS received an abuse report and forwarded it to me. I deleted the VM and the case was closed... LOL OVH is not dumb. Do you know how easy it is to deploy a VM today with all the automated

Re: Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-28 Thread Rich Kulawiec
On Wed, Feb 28, 2018 at 12:29:54AM +, Filip Hruska wrote: > OVH is one of the largest server providers in the world - of course they will > be at the top of that list. Of course not. The larger an operation, the greater its responsibility to the rest of the Internet -- because the more

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-28 Thread Rich Kulawiec
On Tue, Feb 27, 2018 at 04:13:23PM -0800, Dan Hollis wrote: > OVH does not surprise me in the least. > > Maybe this is finally what it will take to get people to de-peer them. Let's hope so. There are two, and only two possibilities. 1. They know what's going on in their operation. In that

Re: Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-27 Thread Dan Hollis
On Wed, 28 Feb 2018, Filip Hruska wrote: > What exactly should they do, according to you? Read and act on abuse reports. > Why should people de-peer them? Because they ignore abuse reports. -Dan

Re: Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-27 Thread Ca By
On Tue, Feb 27, 2018 at 4:29 PM Filip Hruska wrote: > This is just stupid. > > OVH is one of the largest server providers in the world - of course they > will be at the top of that list. > What exactly should they do, according to you? > They should have rough norms enforced on

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-27 Thread Steve Atkins
> On Feb 27, 2018, at 4:29 PM, Filip Hruska wrote: > > > > This is just stupid. > > > > OVH is one of the largest server providers in the world - of course they will > be at the top of that list. > > What exactly should they do, according to you? Read their abuse@

Re: Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-27 Thread Filip Hruska
This is just stupid. OVH is one of the largest server providers in the world - of course they will be at the top of that list. What exactly should they do, according to you? Why should people de-peer them? Regards, Filip Hruska > > On

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-27 Thread Dan Hollis
OVH does not surprise me in the least. Maybe this is finally what it will take to get people to de-peer them. -Dan On Tue, 27 Feb 2018, Ca By wrote: Please do take a look at the cloudflare blog specifically as they name and shame OVH and Digital Ocean for being the primary sources of mega

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-27 Thread Roland Dobbins
On 28 Feb 2018, at 5:26, Ca By wrote: Just udp. This Arbor Threat Summary discusses the TCP issue, as well, FWIW: 'It should also be noted that memcached

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-27 Thread Justin Paine via NANOG
Thanks Chip! Justin Paine Head of Trust & Safety Cloudflare Inc. PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D On Tue, Feb 27, 2018 at 1:52 PM, Chip Marshall wrote: > On 2018-02-27, Ca By sent: >> Please do take a look at the

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-27 Thread Ca By
On Tue, Feb 27, 2018 at 1:54 PM Chip Marshall wrote: > On 2018-02-27, Ca By sent: > > Please do take a look at the cloudflare blog specifically as they name > and > > shame OVH and Digital Ocean for being the primary sources of mega crap > > traffic > >

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-27 Thread Chip Marshall
On 2018-02-27, Ca By sent: > Please do take a look at the cloudflare blog specifically as they name and > shame OVH and Digital Ocean for being the primary sources of mega crap > traffic > > https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ >

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-27 Thread Steve Atkins
> On Feb 27, 2018, at 1:16 PM, Eric Kuhnke wrote: > > I question whether there is *any* high volume hoster out there that has a > reputation for successfully addressing abuse issues coming from their > customer base, and cuts off services... By high volume hoster I

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-27 Thread Eric Kuhnke
I question whether there is *any* high volume hoster out there that has a reputation for successfully addressing abuse issues coming from their customer base, and cuts off services... By high volume hoster I define it as companies where anybody with a credit card can buy a $2 to $15/month VPS/VM

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-27 Thread Ca By
Please do take a look at the cloudflare blog specifically as they name and shame OVH and Digital Ocean for being the primary sources of mega crap traffic https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ Also, policer all UDP all the time... UDP is unsafe at any