Please do take a look at the cloudflare blog specifically as they name and shame OVH and Digital Ocean for being the primary sources of mega crap traffic
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ Also, policer all UDP all the time... UDP is unsafe at any speed. On Tue, Feb 27, 2018 at 12:28 PM Barry Greene <bgre...@senki.org> wrote: > Hello Fellow NANOGer, > > If you have not already seen it, experiences it, or read about it, working > to head off another reflection DOS vector. This time it is memcached on > port 11211 UDP & TCP. There are active exploits using these ports. > Reflection attacks and the memcached is not new. We know how reflection > attacks work (send a spoofed packet to a device and have it reflected back > (yes please deploy source address validation and BCP 38). > > Operators are asked to review their networks and consider updating their > Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP > port 11211 for all ingress and egress traffic. If you do not know about > iACLs or Explorable port filters, you can use this white paper details and > examples from peers on Exploitable Port Filters: > http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/ > > Enterprises are also asked to update their iACLs, Exploitable Port > Filters, and Firewalls to track or block UDP/TCP port 11211 for all ingress > and egress traffic. > > Deploying these filters will help protect your network, your organization, > your customers, and the Internet. > > Ping me 1:1 if you have questions. > > Sincerely, > > -- > Barry Raveendran Greene > Security Geek helping with OPSEC Trust > Mobile: +1 408 218 4669 > E-mail: bgre...@senki.org > > ---------------------------- > Resources on memcached Exploit (to evaluate your risk): > > More information about this attack vector can be found at the following: > > • JPCERT – memcached のアクセス制御に関する注意喚起 (JPCERT-AT-2018-0009) > http://www.jpcert.or.jp/at/2018/at180009.html > • Qrator Labs: The memcached amplification attacks reaching 500 > Gbps > > https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98 > • Arbor Networks: memcached Reflection/Amplification Description > and DDoS Attack Mitigation Recommendations > > https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/ > • Cloudflare: Memcrashed – Major amplification attacks from UDP > port 11211 > > https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ > • Link11: New High-Volume Vector: Memcached Reflection > Amplification Attacks > > https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/ > • Blackhat Talk: The New Page of Injections Book: Memcached > Injections by Ivan Novikov > > https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf > • Memcache Exploit > http://niiconsulting.com/checkmate/2013/05/memcache-exploit/ >
