New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks


Barry Greene

Feb 27, 2018, 3:52:27 PM
to id...@googlegroups.com
Hi IDNOG Team,

If you have not already seen it, experienced it, or read about it, we are working to head off another reflection DoS vector. This time it is memcached on port 11211 UDP & TCP. There are active exploits using these ports. The attacks started in Europe over the last couple of days.

* We’re doing an Operator notification to get more to deploy Exploitable Port Filters (iACLs). Please let me know 1:1 if your team blogs about this (I’ll add to the resource list).

* Operators are asked to review their networks and consider updating their Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP port 11211 for all ingress and egress traffic. If you do not know about iACLs or Exploitable Port Filters, you can use this white paper with details and examples from peers on Exploitable Port Filters: http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/

* Enterprises are also asked to update their iACLs, Exploitable Port Filters, and Firewalls to track or block UDP/TCP port 11211 for all ingress and egress traffic.

Deploying these filters will help protect your network, your organization, your customers, and the Internet.

Ping me 1:1 if you have questions. I’m doing updates here: http://www.senki.org/memcached-on-port-11211-udp-tcp-being-exploited/.


Sincerely,

--
Barry Raveendran Greene
Security Geek helping with OPSEC Trust
Mobile: +1 408 218 4669
E-mail: bgr...@senki.org

----------------------------
Resources on memcached Exploit (to evaluate your risk):

More information about this attack vector can be found at the following:

• JPCERT – Alert regarding memcached access control (JPCERT-AT-2018-0009)
http://www.jpcert.or.jp/at/2018/at180009.html

• Qrator Labs: The memcached amplification attacks reaching 500 Gbps
https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98

• Arbor Networks: memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations
https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/

• Cloudflare: Memcrashed – Major amplification attacks from UDP port 11211
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

• Link11: New High-Volume Vector: Memcached Reflection Amplification Attacks
https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/

• Blackhat Talk: The New Page of Injections Book: Memcached Injections by Ivan Novikov
https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf

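As an added example, not part of Barry's post or the senki.org toolkit: a small Python checker that applies the advisory's ingress/egress view of port 11211 to constructed flow records, flagging internal hosts whose UDP 11211 egress volume dwarfs the tiny external requests that triggered it (your host is acting as a reflector) and internal hosts receiving large volumes from source port 11211 (your host is the victim). The internal address range, the flow format and the thresholds are assumptions.

```python
"""Flag memcached (UDP 11211) reflection traffic in constructed flow records.
Address range, thresholds and sample flows are assumptions, not advisory values."""
from collections import defaultdict

MEMCACHED_PORT = 11211
INTERNAL_PREFIX = "10."  # assumption: our own address space

# Constructed sample records: ts,proto,src,sport,dst,dport,bytes,pkts.
# 203.0.113.7 sends one 15-byte UDP request (8-byte frame header + "stats\r\n")
# to our memcached 10.0.0.5, which answers with three large responses to the
# spoofed "source" 198.51.100.9; 10.0.0.80 is being flooded by another reflector.
SAMPLE_FLOWS = """\
1519772000,UDP,203.0.113.7,40001,10.0.0.5,11211,15,1
1519772001,UDP,10.0.0.5,11211,198.51.100.9,3074,750000,520
1519772002,UDP,10.0.0.5,11211,198.51.100.9,3074,750000,520
1519772003,UDP,10.0.0.5,11211,198.51.100.9,3074,750000,520
1519772004,UDP,192.0.2.44,11211,10.0.0.80,443,1400000,1000
1519772005,TCP,10.0.0.6,51000,10.0.0.5,11211,2048,12
"""

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def parse_flows(text):
    """Parse CSV flow lines into dicts with integer ports and counters."""
    rows = []
    for line in text.strip().splitlines():
        ts, proto, src, sport, dst, dport, nbytes, pkts = line.split(",")
        rows.append({"ts": int(ts), "proto": proto, "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "bytes": int(nbytes), "pkts": int(pkts)})
    return rows

def classify(flows, min_ratio=50, min_target_bytes=1_000_000):
    """Return {'reflectors': {host: amplification}, 'targets': {host: bytes}}.
    Only UDP is scored: TCP 11211 cannot be spoofed into reflecting, though the
    advisory asks for it to be tracked or blocked as well."""
    bytes_in, bytes_out, hit = defaultdict(int), defaultdict(int), defaultdict(int)
    for f in flows:
        if f["proto"] != "UDP":
            continue
        src_in, dst_in = is_internal(f["src"]), is_internal(f["dst"])
        if f["dport"] == MEMCACHED_PORT and dst_in and not src_in:
            bytes_in[f["dst"]] += f["bytes"]   # ingress: external trigger or scan
        elif f["sport"] == MEMCACHED_PORT and src_in and not dst_in:
            bytes_out[f["src"]] += f["bytes"]  # egress: our host answering outward
        elif f["sport"] == MEMCACHED_PORT and dst_in and not src_in:
            hit[f["dst"]] += f["bytes"]        # ingress: we are someone's victim
    ratios = {h: bytes_out[h] // max(bytes_in[h], 1) for h in bytes_out}
    return {"reflectors": {h: r for h, r in ratios.items() if r >= min_ratio},
            "targets": {h: b for h, b in hit.items() if b >= min_target_bytes}}
```

Run the same logic over real NetFlow/sFlow exports to decide which hosts need the 11211 filter first and to confirm the iACL is actually dropping the egress side.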

Dewangga Bachrul Alam

Feb 27, 2018, 10:01:24 PM
to id...@googlegroups.com

Hello!

Thanks for your notification, Barry.
Does it also reflect off an internal memcached server (even if it's not
exposed to the public internet)?

On 02/28/2018 03:52 AM, Barry Greene wrote:
> [...]
>
> • Memcache Exploit
> http://niiconsulting.com/checkmate/2013/05/memcache-exploit/
>

Barry Greene

Feb 27, 2018, 10:47:26 PM
to id...@googlegroups.com

On Feb 27, 2018, at 10:01 PM, Dewangga Bachrul Alam <dewan...@xtremenitro.org> wrote:

> Does it also reflect off an internal memcached server (even if it's not
> exposed to the public internet)?

It is exploitable when open to the Internet. People are scanning for them and using them for exploitation.

