
netsec-sig - [Security-WG] New DDoS amplification attack - memcached

Subject: Internet2 Network Security SIG

  • From: Karl Newell <>
  • To: "" <>
  • Subject: [Security-WG] New DDoS amplification attack - memcached
  • Date: Wed, 28 Feb 2018 02:42:55 +0000
  • Accept-language: en-US
  • Authentication-results: internet2.edu; dkim=none (message not signed) header.d=none;internet2.edu; dmarc=none action=none header.from=internet2.edu;

Hey all,

 

Be on the lookout for a new DDoS amplification attack leveraging memcached.  Reports indicate an amplification factor as high as 51,000.

 

https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

 

Check your flows for UDP/11211.  Attack traffic will be sourced from that port while traffic destined to that port (and TCP/11211) may indicate you are being used to launch attacks.  In most (dare I say all?) scenarios, memcached does not need to be publicly accessible so get it firewalled and/or disable UDP.

 

Please share any updates if you see attacks.

 

Cheers,

Karl
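
Added example, not part of the original message: one way to run the flow check described above over exported flow records. It also flags local hosts sending UDP from port 11211 to outside addresses, which goes one step beyond the message. The CSV layout, the `LOCAL_NETS` prefix and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

MEMCACHED_PORT = 11211
# Assumption: our address space (RFC 5737 documentation range).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample flow export: proto,src_ip,src_port,dst_ip,dst_port,bytes
SAMPLE_FLOWS = """\
udp,198.51.100.7,11211,192.0.2.10,40312,1400000
udp,198.51.100.9,11211,192.0.2.10,40312,900000
udp,203.0.113.5,53211,192.0.2.20,11211,60
udp,192.0.2.20,11211,203.0.113.5,53211,750000
tcp,203.0.113.8,44120,192.0.2.20,11211,300
tcp,192.0.2.30,51000,192.0.2.20,11211,5000
udp,192.0.2.10,5353,198.51.100.7,53,80
"""

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def classify(proto, src_ip, src_port, dst_ip, dst_port):
    """Return (label, local_host) for a memcached-related flow, else None."""
    src_local, dst_local = is_local(src_ip), is_local(dst_ip)
    if proto == "udp" and src_port == MEMCACHED_PORT:
        if dst_local and not src_local:
            return "attack_inbound", dst_ip       # reflected traffic hitting us
        if src_local and not dst_local:
            return "reflecting_outbound", src_ip  # our server answering outsiders
    if dst_port == MEMCACHED_PORT and dst_local and not src_local:
        return "exposed_service", dst_ip          # outside host reaching our 11211
    return None

def summarize(flow_text):
    """Sum bytes per (label, local host) over CSV flow records."""
    totals = defaultdict(int)
    for proto, sip, sport, dip, dport, nbytes in csv.reader(io.StringIO(flow_text)):
        hit = classify(proto.lower(), sip, int(sport), dip, int(dport))
        if hit:
            totals[hit] += int(nbytes)
    return dict(totals)

if __name__ == "__main__":
    for (label, host), total in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{label:20} {host:15} {total:>10} bytes")
```

Hosts reported as `exposed_service` or `reflecting_outbound` are the ones to firewall or to run with UDP disabled; internal-only clients of port 11211 are deliberately not flagged.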



