nanog mailing list archives
Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
From: Denys Fedoryshchenko <denys () visp net lb>
Date: Wed, 28 Feb 2018 14:42:37 +0200
I want to add one software vendor who is a major contributor to DDoS attacks. Mikrotik till now ships their quite popular routers with a wide-open DNS recursor that doesn't even have a mechanism for ACLs in it. A significant part of DNS amplification attacks comes from such Mikrotik recursors. They don't care till now.

On 2018-02-28 14:31, Job Snijders wrote:

Dear all,

Before the group takes on the pitchforks and torches and travels down to the hosting providers' headquarters - let's take a step back and look at the root of this issue: the memcached software has failed both the Internet community and its own memcached users.

It is INSANE that memcached is/was[1] shipping with default settings that make the daemon listen and respond on UDP on INADDR_ANY. Did nobody take notes during the protocol wars where we were fodder for all the CHARGEN & NTP ordnance?

The memcached software shipped with a crazy default that required no authentication - allowing everyone to interact with the daemon. This is an incredibly risky proposition for memcached users from a confidentiality perspective; and on top of that the amplification factor is up to 15,000x. WHAT?!

And this isn't even new information, open key/value stores have been a security research topic for a number of years, these folks reported that in the 2015/2016 time frame they observed more than 100,000 open memcached instances: https://aperture-labs.org/pdf/safeconf16.pdf

Vendors need to ensure that a default installation of their software does not pose an immediate liability to the user itself and those around them. No software is deployed in a vacuum.

A great example of how to approach things is the behavior of the PowerDNS DNS recursor: this recursor - out of the box - binds to only 127.0.0.1, and blocks queries from RFC 1918 space. An operator has to consciously perform multiple steps to make it into the danger zone. This is how things should be.

Kind regards,

Job

[1]: https://github.com/memcached/memcached/commit/dbb7a8af90054bf4ef51f5814ef7ceb17d83d974

ps. promiscuous defaults are bad, mmkay? Ask your BGP vendor for RFC 8212 support today! :-)
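The two points the thread turns on are that memcached answers an unauthenticated UDP "stats" from anyone when it is bound to INADDR_ANY, and that the reply is much larger than the request. The following audit helper, added here as an example and not taken from the thread or from the memcached project, builds the memcached UDP frame (8-byte header: request id, sequence number, datagram count, reserved, per memcached's protocol.txt), reassembles a multi-datagram reply, computes the amplification factor, and checks whether a memcached command line would still expose UDP. The sample reply is constructed, not captured from a real server; the `probe()` function is only for checking hosts you operate.

```python
"""Audit helper for the memcached UDP reflection issue discussed in the thread.

Added example, not code from the thread or from the memcached project.
The 8-byte UDP frame header layout follows memcached's protocol.txt; the
SAMPLE_* data below is constructed for illustration, not a real capture.
"""
import socket
import struct

MEMCACHED_UDP_PORT = 11211
FRAME_HEADER = struct.Struct("!HHHH")  # request id, seq no, total datagrams, reserved


def build_udp_request(command: bytes, request_id: int = 0) -> bytes:
    """Wrap an ASCII-protocol command in a single-datagram memcached UDP frame."""
    return FRAME_HEADER.pack(request_id, 0, 1, 0) + command


def parse_udp_frame(datagram: bytes):
    """Split one memcached UDP datagram into (request_id, seq, total, payload)."""
    if len(datagram) < FRAME_HEADER.size:
        raise ValueError("datagram shorter than the memcached UDP header")
    request_id, seq, total, reserved = FRAME_HEADER.unpack_from(datagram)
    if reserved != 0:
        raise ValueError("reserved field is non-zero; not a memcached frame")
    return request_id, seq, total, datagram[FRAME_HEADER.size:]


def reassemble(datagrams) -> bytes:
    """Order reply frames by sequence number and concatenate their payloads."""
    frames = [parse_udp_frame(d) for d in datagrams]
    if len({f[0] for f in frames}) != 1:
        raise ValueError("reply frames carry different request ids")
    total = frames[0][2]
    if sorted(f[1] for f in frames) != list(range(total)):
        raise ValueError("missing or duplicate fragments in reply")
    return b"".join(f[3] for f in sorted(frames, key=lambda f: f[1]))


def amplification_factor(request: bytes, replies) -> float:
    """Reply bytes per request byte, counting UDP payloads only (no IP/UDP headers)."""
    return sum(len(r) for r in replies) / len(request)


def udp_exposed(args) -> bool:
    """True if this memcached command line would answer UDP from any address.

    Mirrors the pre-fix default the thread complains about: UDP on port 11211,
    bound to INADDR_ANY, unless '-U 0' disables UDP or '-l' restricts the bind.
    Assumes plain addresses in -l (no host:port suffixes).
    """
    udp_port = MEMCACHED_UDP_PORT
    listen = []
    it = iter(args)
    for a in it:
        if a == "-U":
            udp_port = int(next(it))
        elif a.startswith("-U") and len(a) > 2:
            udp_port = int(a[2:])
        elif a == "-l":
            listen.extend(next(it).split(","))
        elif a.startswith("-l") and len(a) > 2:
            listen.extend(a[2:].split(","))
    if udp_port == 0:
        return False
    if not listen:
        return True  # no -l means INADDR_ANY
    return any(addr.strip() in ("0.0.0.0", "::") for addr in listen)


def probe(host: str, timeout: float = 2.0, request_id: int = 0x1234):
    """Send one 'stats' over UDP and collect the reply datagrams until timeout.

    Use only against hosts you are responsible for. A hardened instance
    (bound to 127.0.0.1 or started with -U 0) returns an empty reply list.
    """
    request = build_udp_request(b"stats\r\n", request_id)
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, MEMCACHED_UDP_PORT))
        try:
            while True:
                data, _ = s.recvfrom(65535)
                if parse_udp_frame(data)[0] == request_id:
                    replies.append(data)
        except socket.timeout:
            pass
    return request, replies


# Constructed sample: a 103-byte 'stats' reply split across two datagrams.
SAMPLE_REQUEST = build_udp_request(b"stats\r\n", 0x1234)
SAMPLE_STATS = (
    b"STAT pid 4242\r\n"
    b"STAT uptime 86400\r\n"
    b"STAT version 1.5.5\r\n"
    b"STAT curr_items 1200\r\n"
    b"STAT bytes 104857600\r\n"
    b"END\r\n"
)
SAMPLE_REPLIES = [
    FRAME_HEADER.pack(0x1234, 1, 2, 0) + SAMPLE_STATS[60:],  # arrives out of order
    FRAME_HEADER.pack(0x1234, 0, 2, 0) + SAMPLE_STATS[:60],
]

if __name__ == "__main__":
    print("reassembled:", reassemble(SAMPLE_REPLIES).decode())
    print("amplification: %.1fx" % amplification_factor(SAMPLE_REQUEST, SAMPLE_REPLIES))
    print("default command line exposed:", udp_exposed(["-m", "64"]))
    print("hardened command line exposed:", udp_exposed(["-l", "127.0.0.1", "-U", "0"]))
```

The constructed sample gives only about 8x because its stats block is tiny; on a real server with a populated cache the "stats" and "get" replies are far larger, which is where the thread's 15,000x figure comes from. The fix the thread asks for is the last line of the usage: bind to loopback or a private interface and start with `-U 0` so the daemon never answers UDP at all.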
Current thread:
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks, (continued)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Chip Marshall (Feb 27)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Justin Paine via NANOG (Feb 27)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Job Snijders (Feb 28)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Ca By (Feb 28)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Dan Hollis (Feb 27)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Rich Kulawiec (Feb 28)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Job Snijders (Feb 28)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Denys Fedoryshchenko (Feb 28)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Grzegorz Janoszka (Feb 28)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Mike Hammett (Feb 28)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Steve Atkins (Feb 27)
- Re: Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Ca By (Feb 27)
- Re: Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Dan Hollis (Feb 27)
- Re: Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Rich Kulawiec (Feb 28)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Jean | ddostest.me via NANOG (Feb 28)