netsec-sig - Re: [Security-WG] New DDoS amplification attack - memcached
Subject: Internet2 Network Security SIG
- From: Karl Newell <>
- To: "" <>
- Subject: Re: [Security-WG] New DDoS amplification attack - memcached
- Date: Thu, 1 Mar 2018 18:40:16 +0000
FYI, perfsonar uses memcached and is listening on UDP/11211. The default PS toolkit firewall rules block public access to the port but you should confirm (we’ve found one vulnerable perfsonar node already).

An update from the perfsonar team: https://lists.internet2.edu/sympa/arc/perfsonar-announce/2018-03/msg00000.html

Cheers,
Karl

From: <> on behalf of Karl Newell <>

Be on the lookout for a new DDoS amplification attack leveraging memcached. Reports indicate an amplification factor as high as 51,000.

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

Check your flows for UDP/11211. Attack traffic will be sourced from that port while traffic destined to that port (and TCP/11211) may indicate you are being used to launch attacks.

In most (dare I say all?) scenarios, memcached does not need to be publicly accessible so get it firewalled and/or disable UDP.

Please share any updates if you see attacks.

Cheers,
Karl
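
The flow check described in the message, as an added example that is not part of the original post: it sorts flow records into traffic arriving from UDP/11211 (reflected attack traffic) and outside traffic reaching a local host on UDP or TCP/11211 (a host that may be usable as a reflector). The CSV layout, the LOCAL_NETS prefix, the category names and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

MEMCACHED_PORT = 11211
# Assumption: the local address space; replace with your own prefixes.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample flow records (documentation addresses), not real traffic.
SAMPLE_FLOWS = """proto,src,sport,dst,dport,bytes
udp,198.51.100.7,11211,192.0.2.10,40000,1400000
udp,198.51.100.8,11211,192.0.2.10,40001,900000
udp,203.0.113.5,53211,192.0.2.20,11211,60
tcp,203.0.113.5,53212,192.0.2.20,11211,120
udp,192.0.2.30,51000,192.0.2.20,11211,500
udp,203.0.113.9,53,192.0.2.10,33000,200
"""

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def classify(flow):
    """Return 'inbound_attack', 'possible_reflector', or None for one flow."""
    sport, dport = int(flow["sport"]), int(flow["dport"])
    src_local, dst_local = is_local(flow["src"]), is_local(flow["dst"])
    from_outside = dst_local and not src_local
    # UDP sourced from 11211 and arriving from outside: reflected attack traffic.
    if flow["proto"] == "udp" and sport == MEMCACHED_PORT and from_outside:
        return "inbound_attack"
    # UDP or TCP from outside to a local host's 11211: memcached is reachable.
    if flow["proto"] in ("udp", "tcp") and dport == MEMCACHED_PORT and from_outside:
        return "possible_reflector"
    return None

def summarize(text):
    """Sum bytes per (category, local host) over CSV flow records."""
    totals = defaultdict(int)
    for flow in csv.DictReader(io.StringIO(text)):
        category = classify(flow)
        if category:
            totals[(category, flow["dst"])] += int(flow["bytes"])
    return dict(totals)

if __name__ == "__main__":
    for (category, host), nbytes in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{category:18} {host:15} {nbytes} bytes")
```

Hosts reported as possible_reflector are the ones to check against the firewall rules mentioned above; local-to-local memcached traffic is deliberately not flagged.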