
Memcached Memcrashed - Major amplification attacks from UDP port 11211

Discussion in 'Other Centmin Mod Installed software' started by pamamolf, Feb 28, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    35,522
    7,834
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,075
    Local Time:
    10:55 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Centmin Mod CSF or non-Centmin Mod? memcached listening on localhost/127.0.0.1 or not? If listening locally then it isn't possible for the memcached server to be a part of the attack AFAIK? Probably need to ask Hivelocity for the actual proof and how they detected a publicly open memcached server. Unless they also mistakenly used nmap and saw the open|filtered state and came to the wrong conclusion that the state means = open when in fact it means = closed.
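
An added example, not part of the post above or of Centmin Mod: one way to answer the "listening on localhost or not" question from the server itself instead of from an outside UDP scan. It classifies the UDP listeners on port 11211 from `ss -H -lun` output; the five-column layout with the local address in the fourth field and the sample lines are assumptions constructed for illustration, and a firewall rule can still block a listener that is bound to a non-loopback address.

```python
import ipaddress

MEMCACHED_PORT = 11211

# Constructed sample of `ss -H -lun` output (not taken from the thread).
SAMPLE_SS_OUTPUT = """\
UNCONN 0 0 127.0.0.1:11211 0.0.0.0:*
UNCONN 0 0 [::1]:11211 [::]:*
UNCONN 0 0 0.0.0.0:11211 0.0.0.0:*
UNCONN 0 0 203.0.113.10:11211 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
"""


def split_local(field):
    """Split the ss 'Local Address:Port' field into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    return addr, port


def is_loopback(addr):
    if addr == "*":  # ss wildcard: bound on every interface
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable: count as non-loopback so it gets reviewed


def classify_udp_listeners(ss_output, port=MEMCACHED_PORT):
    """Return (loopback, non_loopback) address lists bound to UDP `port`."""
    loopback, non_loopback = [], []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, local_port = split_local(fields[3])
        if local_port != str(port):
            continue
        (loopback if is_loopback(addr) else non_loopback).append(addr)
    return loopback, non_loopback


if __name__ == "__main__":
    local, public = classify_udp_listeners(SAMPLE_SS_OUTPUT)
    print("loopback-only listeners:", local)
    print("non-loopback listeners (check firewall or rebind):", public)
```
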
     
  2. eva2000

    DDOS attack size record has been broken with Memcrashed at 1.7Tbps DDOS attack: World's biggest DDoS attack record broken after just five days

     
  3. pamamolf

    pamamolf Well-Known Member

    3,112
    295
    83
    May 31, 2014
    Ratings:
    +530
    Local Time:
    3:55 AM
    Nginx-1.13.x
    MariaDB 10.1.x
  4. eva2000

    Thanks for the heads up - but wow, even worse than first thought.
     
  5. eva2000

    Curious if you ended up figuring out if memcached 11211 UDP ports were actually open or if Hivelocity's checks were mistaken?
     
  6. eva2000

    Hmmm: Memcached DDoS Exploit Code and List of 17,000 Vulnerable Servers Released

     
  7. Matt

    Matt Moderator Staff Member

    760
    342
    63
    May 25, 2014
    Sheffield, UK
    Ratings:
    +508
    Local Time:
    1:55 AM
    1.7.1
    MariaDB 10
    My customers asked the question, but I've not received a response. I know for a fact the port was closed on the firewall.
     
  8. eva2000

    Thanks Matt, seems some web hosts are just throwing everything into the Memcrashed pile. I had one web host say my CPU load was due to Memcrashed, when it was in fact the VPS running out of disk space causing load issues heh.
     
  9. eva2000

    OVH write up https://www.ovh.com/ca/en/news/arti...de?xtor=ES-11-[news]-20180320-[memcached.cta]

     