memcached on port 11211 UDP & TCP being exploited [source: senki]

06 Mar 2018

No Comments

1502

UPDATE: As of 2018-03-02 ( Afternoon Update), more attack using the memcached reflection vector have been unleashed on the Internet. As shared by Akamai Technologies “memcached-fueled 1.3 Tbps Attacks,” the application factors are “Internet Impacting.” Mitigation and Remediation Efforts are reducing the number of potential memcached reflectors. Please keep up the good work.

Operators are asked to port filter (Exploitable Port Filters), rate limits the port 11211 UDP traffic (ingress and egress), and clean up any memcached exposed to the Internet (iptables on UNIX works). These mitigations should be on IPv4 and IPv6! There is not excuse for ISPs, Telcos, and other operators for not acting. NTT is an example of action. As stated by Job Snijders <job@ntt.net> on the NANOG List:

“NTT too has deployed rate limiters on all external facing interfaces on the GIN backbone – for UDP/11211 traffic – to dampen the negative impact of open memcached instances on peers and customers.

The toxic combination of ‘one spoofed packet can yield multiple reponse packets’ and ‘one small packet can yield a very big response’ makes the
memcached UDP protocol a fine example of double trouble with potential for severe operational impact.”

Recommendations for ISPs, Telcos, Mobile Operators, and Cloud Providers

All Operators and Enterprise Networks – memcached on port 11211 UDP & TCP being exploited. This is now new. We know how reflection attacks work (send a spoofed packet to a device and have it reflected back. This vector has an extremely high amplification rate (ranges vary per test, but all of them are huge). One operator reported one reflection inbound produced +500 Mbps stream outbound.

For more, click here.