
Memcached Memcrashed - Major amplification attacks from UDP port 11211

Discussion in 'Other Centmin Mod Installed software' started by pamamolf, Feb 28, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    44,693
    10,193
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,794
    Local Time:
    11:11 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    Centmin Mod CSF or non-Centmin Mod? memcached listening on localhost/127.0.0.1? or not? If listening locally then it isn't possible for the memcached server to be a part of the attack AFAIK? Probably need to ask Hivelocity for the actual proof and how they detected a publicly open memcached server. Unless they also mistakenly used nmap and saw open|filtered state and came to the wrong conclusion that the state means = open when in fact it means = closed.
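The local check the post above asks about (is memcached's UDP 11211 socket bound to localhost or not) can be answered on the server itself from `ss -lun` output, without relying on a remote UDP scan. This is an added example, not part of the original post or of Centmin Mod; the function name and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the bind address of memcached's UDP listener.
# Reads `ss -lun` style output on stdin and prints one of:
#   not-listening | loopback-only | exposed
# Live use on a server:  ss -lun | memcached_udp_exposure
memcached_udp_exposure() {
    awk '
    {
        # The local address is the first field ending in :11211;
        # the peer column is *:* or 0.0.0.0:* and never matches.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:11211$/) {
                addr = $i
                sub(/:11211$/, "", addr)
                seen = 1
                # Anything other than 127.x.x.x or ::1 is reachable
                # from outside unless a firewall drops it first.
                if (addr !~ /^(127\.|\[::1\]$|::1$)/) exposed = 1
                break
            }
        }
    }
    END {
        if (!seen)        print "not-listening"
        else if (exposed) print "exposed"
        else              print "loopback-only"
    }'
}

# Constructed sample listings (not captured from a real host).
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      127.0.0.1:11211    *:*
UNCONN 0      0      *:68               *:*'

SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      *:11211            *:*
UNCONN 0      0      :::11211           :::*'

SAMPLE_NONE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      *:68               *:*'

printf '%s\n' "$SAMPLE_LOOPBACK" | memcached_udp_exposure
printf '%s\n' "$SAMPLE_EXPOSED"  | memcached_udp_exposure
printf '%s\n' "$SAMPLE_NONE"     | memcached_udp_exposure
```

An "exposed" result only describes the bind address; whether packets reach the socket still depends on the firewall rules in front of it.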
     
  2. eva2000

    DDOS attack size record has been broken with Memcrashed at 1.7Tbps DDOS Attack: "World's biggest DDoS attack record broken after just five days"

     
  3. pamamolf

    pamamolf Premium Member Premium Member

    3,815
    370
    83
    May 31, 2014
    Ratings:
    +712
    Local Time:
    4:11 PM
    Nginx-1.17.x
    MariaDB 10.3.x
  4. eva2000

    thanks for heads up - but wow even worse than first thought
     
  5. eva2000

    curious if you ended up figuring out if memcached 11211 UDP ports were actually open or if Hivelocity's checks were mistaken ?
     
  6. eva2000

    hmmm "Memcached DDoS Exploit Code and List of 17,000 Vulnerable Servers Released"

     
  7. Matt

    Matt Moderator Staff Member

    862
    387
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +606
    Local Time:
    2:11 PM
    1.5.15
    MariaDB 10.2
    My customers asked the question, but I've not received a response. I know for a fact the port was closed on the firewall.
     
  8. eva2000

    Thanks Matt, seems some web hosts are just throwing everything into the Memcrashed pile. I had one web host say my CPU load was due to Memcrashed, when it was in fact the VPS running out of disk space causing load issues heh.
     
  9. eva2000

    OVH write up https://www.ovh.com/ca/en/news/arti...de?xtor=ES-11-[news]-20180320-[memcached.cta]