
List:       afnog
Subject:    [afnog] New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
From:       Barry Greene <bgreene () senki ! org>
Date:       2018-02-28 3:44:33
Message-ID: 1E00D1ED-586C-4204-91B2-3CBEE89CDDED () senki ! org


The posting is sent to APOPS, AfNOG, SANOG, PacNOG, SAFNOG, CaribNOG, TZNOG, MENOG,
SDNOG, LACNOG, IRNOG, MYNOG, SGOPS, and the RIPE Routing WG.

If you have not already seen it, experienced it, or read about it, we are working to
head off another reflection DOS vector. This time it is memcached on port 11211 UDP & TCP.
There are active exploits using these ports. The attacks started in Europe over the
last couple of days.

* We're doing an Operator notification to get more to deploy Exploitable Port Filters
(iACLs). Please let me know 1:1 if your team blogs about this (I'll add to the
resource list).

* Operators are asked to review their networks and consider updating their
Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP port 11211
for all ingress and egress traffic. If you do not know about iACLs or Exploitable Port
Filters, you can use this white paper for details and examples from peers on Exploitable
Port Filters:
http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/


* Enterprises are also asked to update their iACLs, Exploitable Port Filters, and
Firewalls to track or block UDP/TCP port 11211 for all ingress and egress traffic.

Deploying these filters will help protect your network, your organization, your
customers, and the Internet.

Ping me 1:1 if you have questions. I'm doing updates here:
http://www.senki.org/memcached-on-port-11211-udp-tcp-being-exploited/


Sincerely,

--
Barry Raveendran Greene
Security Geek helping with OPSEC Trust
Mobile: +1 408 218 4669
E-mail: bgreene@senki.org

----------------------------
Resources on memcached Exploit (to evaluate your risk):

More information about this attack vector can be found at the following:

• JPCERT – Alert regarding memcached access control (JPCERT-AT-2018-0009)
http://www.jpcert.or.jp/at/2018/at180009.html

• Qrator Labs: The memcached amplification attacks reaching 500 Gbps
https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98

• Rapid 7: The Flip Side of memcrashed
https://blog.rapid7.com/2018/02/27/the-flip-side-of-memcrashed/

• Akamai: Memcached UDP Reflection Attacks
https://blogs.akamai.com/2018/02/memcached-udp-reflection-attacks.html

• Arbor Networks: memcached Reflection/Amplification Description and DDoS Attack
Mitigation Recommendations
https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/

• Cloudflare: Memcrashed – Major amplification attacks from UDP port 11211
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

• Link11: New High-Volume Vector: Memcached Reflection Amplification Attacks
https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/

• Blackhat Talk: The New Page of Injections Book: Memcached Injections by Ivan Novikov
https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf

• Memcache Exploit
http://niiconsulting.com/checkmate/2013/05/memcache-exploit/
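
One way to do the "track" half of the request above, as an added example that is not part of the original posting: a small Python classifier that labels flow records crossing the network edge on port 11211 in either direction and totals bytes per internal host. The record layout, the INTERNAL prefix (a documentation range) and the sample flows are constructed for illustration.

```python
import ipaddress
from collections import Counter

MEMCACHED_PORT = 11211
# Assumption: replace with your own prefixes (documentation range used here).
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def classify(flow):
    """Label a flow that crosses the edge on port 11211, else return None."""
    proto, src, sport, dst, dport, _ = flow
    if proto not in ("udp", "tcp"):
        return None
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in == dst_in:
        return None  # both inside or both outside: not an edge crossing
    if dport == MEMCACHED_PORT:
        return "ingress-to-11211" if dst_in else "egress-to-11211"
    if sport == MEMCACHED_PORT:
        return "egress-from-11211" if src_in else "ingress-from-11211"
    return None

def summarize(flows):
    """Total bytes per (label, proto, internal host)."""
    totals = Counter()
    for flow in flows:
        label = classify(flow)
        if label:
            proto, src, _, dst, _, nbytes = flow
            host = src if is_internal(src) else dst
            totals[(label, proto, host)] += nbytes
    return totals

# Constructed sample records: (proto, src, sport, dst, dport, bytes)
SAMPLE_FLOWS = [
    ("udp", "198.51.100.7", 40000, "192.0.2.10", 11211, 60),
    ("udp", "192.0.2.10", 11211, "198.51.100.7", 40000, 140000),
    ("udp", "203.0.113.5", 11211, "192.0.2.20", 53211, 90000),
    ("tcp", "192.0.2.30", 51000, "203.0.113.9", 11211, 400),
    ("tcp", "192.0.2.30", 51000, "192.0.2.10", 11211, 400),
    ("udp", "198.51.100.7", 40001, "192.0.2.10", 53, 80),
]

if __name__ == "__main__":
    for key, nbytes in sorted(summarize(SAMPLE_FLOWS).items()):
        print(key, nbytes)
```

A host that shows up under "egress-from-11211" is answering outside queries from its memcached port and is the first place to apply the filter; "ingress-from-11211" is the traffic an inbound filter on source port 11211 would drop.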

