
netsec-sig - Re: [Security-WG] New DDoS amplification attack - memcached

Subject: Internet2 Network Security SIG

  • From: "Spurling, Shannon" <>
  • To: "" <>
  • Subject: Re: [Security-WG] New DDoS amplification attack - memcached
  • Date: Wed, 28 Feb 2018 04:10:37 +0000
  • Accept-language: en-US

You're a couple hours late. Just saw it generate in excess of 40Gbps in a series of 2 consecutive 15 minute events against a single ip/site security appliance earlier this afternoon. It was ugly. Haven't seen something of that scale in a couple of years.


Sent via the Samsung Galaxy S® 6, an AT&T 4G LTE smartphone


-------- Original message --------
From: Karl Newell <>
Date: 2/27/18 8:43 PM (GMT-06:00)
To:
Subject: [Security-WG] New DDoS amplification attack - memcached

Hey all,

 

Be on the lookout for a new DDoS amplification attack leveraging memcached.  Reports indicate an amplification factor as high as 51,000.

 

https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

 

Check your flows for UDP/11211.  Attack traffic will be sourced from that port while traffic destined to that port (and TCP/11211) may indicate you are being used to launch attacks.  In most (dare I say all?) scenarios, memcached does not need to be publicly accessible so get it firewalled and/or disable UDP.

 

Please share any updates if you see attacks.

 

Cheers,

Karl
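
The flow check described in the original message, as an added example that is not part of either e-mail: a Python sketch that labels flow records involving port 11211 and totals bytes per local host. The CSV layout, the `LOCAL_NETS` prefix and the sample records are assumptions constructed for illustration; the third label (local hosts sending from UDP/11211 to outside addresses) is an added inference about what "being used to launch attacks" looks like in the outbound direction.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: your own prefixes go here (a documentation range is used below).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
MEMCACHED_PORT = 11211

# Constructed sample flows (not real data): proto,src,sport,dst,dport,bytes
SAMPLE_FLOWS = """\
udp,198.51.100.7,11211,192.0.2.10,40312,1400000
udp,198.51.100.9,11211,192.0.2.10,40312,2100000
udp,203.0.113.5,51515,192.0.2.44,11211,60
tcp,203.0.113.5,51516,192.0.2.44,11211,120
udp,192.0.2.44,11211,203.0.113.5,51515,750000
tcp,203.0.113.80,443,192.0.2.10,50000,9000
"""

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def classify(proto, src, sport, dst, dport):
    """Return a label for one flow, or None if it does not involve 11211."""
    src_local, dst_local = is_local(src), is_local(dst)
    if proto == "udp" and sport == MEMCACHED_PORT and dst_local and not src_local:
        return "inbound_attack"      # traffic sourced from UDP/11211 hitting us
    if dport == MEMCACHED_PORT and dst_local and not src_local:
        return "exposed_memcached"   # outside host reaching local UDP/TCP 11211
    if proto == "udp" and sport == MEMCACHED_PORT and src_local and not dst_local:
        return "local_reflector"     # local memcached replying to the outside
    return None

def summarize(flow_text):
    """Sum bytes per (label, local host) over CSV flow records."""
    totals = defaultdict(int)
    for proto, src, sport, dst, dport, nbytes in csv.reader(io.StringIO(flow_text)):
        label = classify(proto, src, int(sport), dst, int(dport))
        if label:
            local_host = src if label == "local_reflector" else dst
            totals[(label, local_host)] += int(nbytes)
    return dict(totals)

if __name__ == "__main__":
    for (label, host), nbytes in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{label:18} {host:15} {nbytes} bytes")
```

Hosts labelled `exposed_memcached` or `local_reflector` are the ones to firewall or reconfigure with UDP disabled, as the message recommends.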



