[apnic-talk] New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

To: apnic-talk@apnic.net
Subject: [apnic-talk] New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
From: Barry Greene <bgreene@senki.org>
Date: Tue, 27 Feb 2018 15:20:47 -0500
Delivered-to: apnic-talk@clove.apnic.net
List-archive: <http://mailman.apnic.net/mailing-lists/apnic-talk/>
List-help: <mailto:apnic-talk-request@lists.apnic.net?subject=help>
List-id: General discussions on APNIC <apnic-talk.lists.apnic.net>
List-post: <mailto:apnic-talk@lists.apnic.net>
List-subscribe: <https://mailman.apnic.net/mailman/listinfo/apnic-talk>, <mailto:apnic-talk-request@lists.apnic.net?subject=subscribe>
List-unsubscribe: <https://mailman.apnic.net/mailman/options/apnic-talk>, <mailto:apnic-talk-request@lists.apnic.net?subject=unsubscribe>

Hello Fellow APNIC Colleagues,

We (various Operator Security Community) are working to head off another reflection DOS vector.

All Operators and Enterprise Networks – memcached on port 11211 UDP & TCP being exploited. This is now new. We know how reflection attacks work (send a spoofed packet to a device and have it reflected back (see illustration).

Operators are asked to review their networks and consider updating their Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP port 11211 for all ingress and egress traffic. This white paper provides details on Exploitable Port Filters: http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/

Enterprises are also asked to update their iACLs, Exploitable Port Filters, and Firewalls to track or block UDP/TCP port 11211 for all ingress and egress traffic.

Deploying these filters will help protect your network, your organization, your customers, and the Internet.

Ping me 1:1 if you have questions.

Sincerely,

--
Barry Raveendran Greene
Security Geek helping with OPSEC Trust
Mobile: +1 408 218 4669
E-mail: bgreene@senki.org

----------------------------
Resources on memcached Exploit (to evaluate your risk):

More information about this attack vector can be found at the following:

	• JPCERT – memcached のアクセス制御に関する注意喚起 (JPCERT-AT-2018-0009)
http://www.jpcert.or.jp/at/2018/at180009.html
	• Qrator Labs: The memcached amplification attacks reaching 500 Gbps
https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98
	• Arbor Networks: memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations
https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/
	• Cloudflare: Memcrashed – Major amplification attacks from UDP port 11211
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
	• Link11: New High-Volume Vector: Memcached Reflection Amplification Attacks
https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/
	• Blackhat Talk: The New Page of Injections Book: Memcached Injections by Ivan Novikov
https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf
	• Memcache Exploit
http://niiconsulting.com/checkmate/2013/05/memcache-exploit/

Attachment: signature.asc
Description: Message signed with OpenPGP