This is just stupid. OVH is one of the largest server providers in the world - of course they will be at the top of that list. What exactly should they do, according to you? Why should people de-peer them?
Regards, Filip Hruska > > On 28 Feb 2018 at 1:13 am, <Dan Hollis> wrote: > > > OVH does not suprise me in the least. Maybe this is finally what it will > take to get people to de-peer them. -Dan On Tue, 27 Feb 2018, Ca By wrote: > > Please do take a look at the cloudflare blog specifically as they name and > > shame OVH and Digital Ocean for being the primary sources of mega crap > > traffic > > > https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ > > > Also, policer all UDP all the time... UDP is unsafe at any speed. > > > > On Tue, Feb 27, 2018 at 12:28 PM Barry Greene wrote: > >> Hello > Fellow NANOGer, >> >> If you have not already seen it, experiences it, or > read about it, working >> to head off another reflection DOS vector. This > time it is memcached on >> port 11211 UDP & TCP. There are active > exploits using these ports. >> Reflection attacks and the memcached is not > new. We know how reflection >> attacks work (send a spoofed packet to a > device and have it reflected back >> (yes please deploy source address > validation and BCP 38). >> >> Operators are asked to review their > networks and consider updating their >> Exploitable Port Filters > (Infrastructure ACLs) to track or block UDP/TCP >> port 11211 for all > ingress and egress traffic. If you do not know about >> iACLs or Explorable > port filters, you can use this white paper details and >> examples from > peers on Exploitable Port Filters: >> > http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/ > >> >> Enterprises are also asked to update their iACLs, Exploitable Port > >> Filters, and Firewalls to track or block UDP/TCP port 11211 for all > ingress >> and egress traffic. >> >> Deploying these filters will help > protect your network, your organization, >> your customers, and the > Internet. >> >> Ping me 1:1 if you have questions. >> >> Sincerely, > >> >> -- >> Barry Raveendran Greene >> Security Geek helping with > OPSEC Trust >> Mobile: +1 408 218 4669 >> E-mail: bgre...@senki.org >> > >> ---------------------------- >> Resources on memcached Exploit (to > evaluate your risk): >> >> More information about this attack vector can > be found at the following: >> >> • JPCERT – memcached のアクセス制御に関する注意喚起 > (JPCERT-AT-2018-0009) >> http://www.jpcert.or.jp/at/2018/at180009.html >> > • Qrator Labs: The memcached amplification attacks reaching 500 >> Gbps >> > >> > https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98 > >> • Arbor Networks: memcached Reflection/Amplification Description >> > and DDoS Attack Mitigation Recommendations >> >> > https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/ > >> • Cloudflare: Memcrashed – Major amplification attacks from UDP >> > port 11211 >> >> > https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ > >> • Link11: New High-Volume Vector: Memcached Reflection >> > Amplification Attacks >> >> > https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/ > >> • Blackhat Talk: The New Page of Injections Book: Memcached >> > Injections by Ivan Novikov >> >> > https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf > >> • Memcache Exploit >> > http://niiconsulting.com/checkmate/2013/05/memcache-exploit/ >> > >