<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><div class=""><p style="box-sizing: inherit; border: 0px; font-family: Lato, sans-serif; font-size: 15px; margin: 0px 0px 1.5em; outline: 0px; padding: 0px; vertical-align: baseline; color: rgb(88, 88, 90); font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255);" class=""><strong style="box-sizing: inherit; border: 0px; font-family: inherit; font-style: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;" class="">UPDATE: As of 2018-02-28, more attacks using the memcached reflection vector have been unleashed on the Internet. Operators are asked to port filter (Exploitable Port Filters), rate limit the port 11211 UDP traffic (ingress and egress), and clean up any memcached exposed to the Internet (iptables on UNIX works). These mitigations should be on IPv4 and IPv6! There is no excuse for ISPs, Telcos, and other operators not to act. NTT is an example of action. 
As stated by Job Snijders <<a href="mailto:job@ntt.net" class="">job@ntt.net</a>> on the NANOG List:</strong></p><blockquote style="box-sizing: inherit; border: 0px; font-family: Lato, sans-serif; font-size: 15px; margin: 0px 1.5em 0px 0px; outline: 0px; padding: 0px 0px 0px 3.5em; vertical-align: baseline; quotes: '' ''; background-image: url(applewebdata://34C49381-1647-44BC-8C02-43CACDFCC6B7/library/images/quote.png); background-color: rgb(255, 255, 255); color: rgb(88, 88, 90); font-variant-ligatures: normal; orphans: 2; widows: 2; background-position: left top; background-repeat: no-repeat no-repeat;" class=""><p style="box-sizing: inherit; border: 0px; font-family: inherit; font-style: inherit; margin: 0px 0px 1.5em; outline: 0px; padding: 0px; vertical-align: baseline;" class=""><strong style="box-sizing: inherit; border: 0px; font-family: inherit; font-style: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;" class="">“NTT too has deployed rate limiters on all external facing interfaces on the GIN backbone – for UDP/11211 traffic – to dampen the negative impact of open memcached instances on peers and customers.</strong></p><p style="box-sizing: inherit; border: 0px; font-family: inherit; font-style: inherit; margin: 0px 0px 1.5em; outline: 0px; padding: 0px; vertical-align: baseline;" class=""><strong style="box-sizing: inherit; border: 0px; font-family: inherit; font-style: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;" class="">The toxic combination of ‘one spoofed packet can yield multiple response packets’ and ‘one small packet can yield a very big response’ makes the</strong><br style="box-sizing: inherit;" class=""><strong style="box-sizing: inherit; border: 0px; font-family: inherit; font-style: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;" class="">memcached UDP protocol a fine example of double trouble with potential for severe operational 
impact.”</strong></p></blockquote></div><div class="">This post has been updated with recommendations. Check with your network vendors for deployment/configuration details.</div><div class=""><br class=""></div><div class=""><a href="http://www.senki.org/memcached-on-port-11211-udp-tcp-being-exploited/" class="">http://www.senki.org/memcached-on-port-11211-udp-tcp-being-exploited/</a></div></div><div class=""><br class=""></div><br class=""><div style=""><blockquote type="cite" class=""><div class="">On Feb 27, 2018, at 3:49 PM, Barry Greene <<a href="mailto:bgreene@senki.org" class="">bgreene@senki.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Hi AUSNOG Team,<br class=""><br class="">If you have not already seen it, experienced it, or read about it, we are working to head off another reflection DoS vector. This time it is memcached on port 11211 UDP & TCP. There are active exploits using these ports. The attacks started in Europe over the last couple of days. </div><div class=""><br class=""></div><div class="">* We’re doing an Operator notification to get more to deploy Exploitable Port Filters (iACLs). 
Please let me know 1:1 if your team blogs about this (I’ll add to the resource list).<br class=""><br class="">* Operators are asked to review their networks and consider updating their Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP port 11211 for all ingress and egress traffic. If you do not know about iACLs or Exploitable Port Filters, you can use this white paper for details and examples from peers on Exploitable Port Filters: <a href="http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/" class="">http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/</a><br class=""><br class="">* Enterprises are also asked to update their iACLs, Exploitable Port Filters, and Firewalls to track or block UDP/TCP port 11211 for all ingress and egress traffic.<br class=""><br class="">Deploying these filters will help protect your network, your organization, your customers, and the Internet.<br class=""><br class="">Ping me 1:1 if you have questions. 
I’m doing updates here: <a href="http://www.senki.org/memcached-on-port-11211-udp-tcp-being-exploited/" class="">http://www.senki.org/memcached-on-port-11211-udp-tcp-being-exploited/</a>.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Sincerely,<br class=""><br class="">--<br class="">Barry Raveendran Greene<br class="">Security Geek helping with OPSEC Trust<br class="">Mobile: +1 408 218 4669<br class="">E-mail: <a href="mailto:bgreene@senki.org" class="">bgreene@senki.org</a><br class=""><br class="">----------------------------<br class="">Resources on memcached Exploit (to evaluate your risk):<br class=""><br class="">More information about this attack vector can be found at the following:<br class=""><br class="">• JPCERT – Alert regarding memcached access control (memcached のアクセス制御に関する注意喚起) (JPCERT-AT-2018-0009)<br class=""><a href="http://www.jpcert.or.jp/at/2018/at180009.html" class="">http://www.jpcert.or.jp/at/2018/at180009.html</a><br class=""><br class=""></div><div class="">• Qrator Labs: The memcached amplification attacks reaching 500 Gbps<br class=""><a href="https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98" class="">https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98</a><br class=""><br class=""></div><div class="">• Arbor Networks: memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations<br class=""><a href="https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/" class="">https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/</a><br class=""><br class=""></div><div class="">• Cloudflare: Memcrashed – Major amplification attacks from UDP port 11211<br class=""><a href="https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/" 
class="">https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/</a><br class=""><br class=""></div><div class="">• Link11: New High-Volume Vector: Memcached Reflection Amplification Attacks<br class=""><a href="https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/" class="">https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/</a><br class=""><br class=""></div><div class="">• Blackhat Talk: The New Page of Injections Book: Memcached Injections by Ivan Novikov<br class=""><a href="https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf" class="">https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf</a><br class=""><br class=""></div><div class="">• Memcache Exploit<br class=""><a href="http://niiconsulting.com/checkmate/2013/05/memcache-exploit/" class="">http://niiconsulting.com/checkmate/2013/05/memcache-exploit/</a><br class=""></div></div></div></div></div></blockquote></div><br class=""></body></html>