Hello Fellow APNIC Colleagues, We (various Operator Security Community) are working to head off another reflection DOS vector. All Operators and Enterprise Networks – memcached on port 11211 UDP & TCP being exploited. This is now new. We know how reflection attacks work (send a spoofed packet to a device and have it reflected back (see illustration). Operators are asked to review their networks and consider updating their Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP port 11211 for all ingress and egress traffic. This white paper provides details on Exploitable Port Filters: http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/ Enterprises are also asked to update their iACLs, Exploitable Port Filters, and Firewalls to track or block UDP/TCP port 11211 for all ingress and egress traffic. Deploying these filters will help protect your network, your organization, your customers, and the Internet. Ping me 1:1 if you have questions. Sincerely, -- Barry Raveendran Greene Security Geek helping with OPSEC Trust Mobile: +1 408 218 4669 E-mail: bgreene@senki.org ---------------------------- Resources on memcached Exploit (to evaluate your risk): More information about this attack vector can be found at the following: • JPCERT – memcached のアクセス制御に関する注意喚起 (JPCERT-AT-2018-0009) http://www.jpcert.or.jp/at/2018/at180009.html • Qrator Labs: The memcached amplification attacks reaching 500 Gbps https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98 • Arbor Networks: memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/ • Cloudflare: Memcrashed – Major amplification attacks from UDP port 11211 https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ • Link11: New High-Volume Vector: Memcached Reflection Amplification Attacks https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/ • Blackhat Talk: The New Page of Injections Book: Memcached Injections by Ivan Novikov https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf • Memcache Exploit http://niiconsulting.com/checkmate/2013/05/memcache-exploit/
Attachment:
signature.asc
Description: Message signed with OpenPGP