Memcached Memcrashed - Major amplification attacks from UDP port 11211

eva2000 · Mar 2, 2018

Matt said: ↑

Both of these servers have CSF installed and active with only the 3 default ports allowed for UDP.
Click to expand...

Centmin Mod CSF or non-Centmin Mod ? memcached listening on localhost/127.0.0.1 ? or not ? If listening locally then it isn't possible for the memcached server to be apart of the attack AFAIK ? Probably need to ask Hivelocity for the actual proof and how they detected a publicly open memcached server. Unless they also mistakenly used nmap and saw open|filtered state and came to the wrong conclusion that the state means = open when it fact it means = closed.

eva2000 · Mar 6, 2018

DDOS attack size record has been broken with Memcrashed at 1.7Tbps DDOS Attack World's biggest DDoS attack record broken after just five days

Arbor Networks is now reporting that a US service provider suffered a 1.7Tbps attack earlier this month. In this case, there were no outages as the provider had taken adequate safeguards, but it's clear that the memcached attack is going to be a feature network managers are going to have to take seriously in the future.
Click to expand...

pamamolf · Mar 10, 2018

Kill switch found

Memcached DDoS attack ‘kill switch’ discovered

eva2000 · Mar 10, 2018

pamamolf said: ↑

Kill switch found

Memcached DDoS attack ‘kill switch’ discovered
Click to expand...

thanks for heads up - but wow even worse that first though

Corero Network Security has disclosed the existence of a practical ‘kill switch’ countermeasure for the Memcached vulnerability, responsible for some of the largest DDoS attacks ever recorded. At the same time, the company has warned that the vulnerability is more extensive than originally reported – and can also be used by attackers to steal or modify data from the vulnerable Memcached servers.
Click to expand...

eva2000 · Mar 10, 2018

Matt said: ↑

Had 2 customers with HiVelocity receive the same mail from them today

Both of these servers have CSF installed and active with only the 3 default ports allowed for UDP.
Click to expand...

curious if you ended up figuring out if memcached 11211 UDP ports were actually open or if Hivelocity's checks were mistaken ?

eva2000 · Mar 10, 2018

hmmm Memcached DDoS Exploit Code and List of 17,000 Vulnerable Servers Released

Since last week when Memcached has been revealed as a new amplification/reflection attack vector, some hacking groups started exploiting unsecured Memcached servers.

But now the situation will get worse with the release of PoC exploit code, allowing anyone to launch massive DDoS attacks, and will not come under control until the last vulnerable Memcached server is patched, or firewalled on port 11211, or completely taken offline.

Moreover, cybercriminals groups have already started weaponizing this new DDoS technique to threaten big websites for extorting money.

Following last week's DDoS attack on GitHub, Akamai reported its customers received extortion messages delivered alongside the typically "junk-filled" attack payloads, asking them for 50 XMR (Monero coins), valued at over $15,000.
Click to expand...

Matt · Mar 12, 2018

eva2000 said: ↑

curious if you ended up figuring out if memcached 11211 UDP ports were actually open or if Hivelocity's checks were mistaken ?
Click to expand...

My customers asked the question, but I've not received a response. I know for a fact the port was closed on the firewall.

eva2000 · Mar 12, 2018

Matt said: ↑

My customers asked the question, but I've not received a response. I know for a fact the port was closed on the firewall.
Click to expand...

Thanks Matt seems some web hosts are just throwing everything into the Memcrashed pile. I had one web host say my cpu load was due to Memcrashed, when it was in fact the VPS running out of disk space causing load issues heh.

eva2000 · Mar 20, 2018

OVH write up https://www.ovh.com/ca/en/news/arti...de?xtor=ES-11-[news]-20180320-[memcached.cta]

If a small number of open Memcached services were quickly corrected, there’s still quite a few of them that can be used to launch an attack. Just like NTP, it seems that the Memcached threat will be around for a long time. Even though the protective measures implemented by web hosting providers have reduced the size of the attacks - most of them are now under 100 Gbps - a correction of the configuration by the users remains the key factor. Now, the NTP case has shown us that even after 5 years some servers are still vulnerable in spite of patches being available.
Click to expand...

Log in / Register

Forums

Get the most out of your Centmin Mod LEMP stack

Memcached Memcrashed - Major amplification attacks from UDP port 11211

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Get the most out of your Centmin Mod LEMP stack

Memcached Memcrashed - Major amplification attacks from UDP port 11211

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.