We started seeing big memcached attacks on Friday 2/23 and sending out tailored abuse emails directly to reflectors late Saturday night (2/24). For us, attack sizes peaked on Sunday/Monday, and the last couple of days have involved much smaller attacks. Today's memcached attacks have been the smallest of all.

Their shrinking size is likely for a number of reasons:

- Hosts and transit providers increasingly filtering or limiting UDP 11211 internally and at their edges - Admins reading forwarded abuse notifications and fixing their daemons (we recorded only about 1600 reflectors used for the biggest attacks, and many were sending a full Gbps of traffic, so individual admin actions can have a big impact) - More attackers learning of the vector and launching their own attacks, causing each remaining reflector to split its traffic between more targets at once

Attackers will be constantly scanning the IPv4 space looking for new high-powered reflectors, but they were using the best ones they could find at the beginning, and any newly-launched instances will be carved up quickly.

The nature of these reasons mean that I'm less pessimistic than others about the attack sizes increasing further. But, the sheer number of attacks, and number of targets involved, will definitely increase.

If you're someone directly seeing attacks, please consider contacting the top talkers sending you attack traffic! I have been surprised at the number of admins who have gotten back to me this week and expressed that ours was the only notification they have received.

-John

On 3/2/2018 8:56 AM, Brandon Gould via Outages wrote:

Possibly related to all the outages reports this morning, I’m seeing packetloss and outages at 3 top-tier hosting facilities run by 3 separate companies; 2 on the eastern coast, 1 on the west.

All 3 are blaming it on memcached amplification mitigation.

Buckle up, boys! (and girls)



_______________________________________________
Outages mailing list
Outages@outages.org
https://puck.nether.net/mailman/listinfo/outages

_______________________________________________
Outages mailing list
Outages@outages.org
https://puck.nether.net/mailman/listinfo/outages

Reply via email to