-
02-27-2018, 08:12 PM #1 Web Hosting Master
"Memcrashed" - Major amplification attacks from UDP port 11211 - DDoS Attacks
Cloudflare confirmed earlier today what a lot of providers already knew: since around the 20th of February, large UDP attacks have been banging on the door of networks around the world.
A commit to the memcache GitHub in 2008 by Brian Aker, which enabled UDP by default for the memcache service, now has an unforeseen consequence.
According to Rapid7’s Project Sonar, there are over 100,000 exposed memcached servers at any given time. "Memcached over UDP makes for an ideal amplifier — the spoofed source requests from an attacker are tiny, and the resulting replies to the spoofed source can be enormous."
Attacks so far have peaked around 260Gbps.
https://www.arbornetworks.com/blog/a...commendations/
https://blog.cloudflare.com/memcrash...om-port-11211/
https://blog.rapid7.com/2018/02/27/t...of-memcrashed/
Swiftnode.net − Performance VPS, Dedicated Servers & Game Servers
12 Global Locations − North America, Europe, Japan, India, and Australia
Always-On DDoS Mitigation (UDP & TCP) − Optimized Routing − 24/7 Support
-
02-27-2018, 10:16 PM #2 Junior Guru
US-CERT Alert (TA14-017A)
UDP-Based Amplification Attacks
https://www.us-cert.gov/ncas/alerts/TA14-017A
-
02-27-2018, 10:25 PM #3 Web Hosting Master
This is old news to me; I found this issue back in the day due to running extremely secure environments and conducting penetration tests against all services. The resolution was to only allow local connections to memcached per server if it was web accessible. UDP is normally faster than TCP, and there is no need to disable it if it is not publicly accessible. The speed is exactly why it should be used for local trusted connections (e.g. not for shared hosting), with proper firewall rules in place so that only traffic that is intended can be accessed (web, mail, etc.) and everything else is logged and dropped, with administrative capabilities accessible only via VPN over a private secure network.
-
03-01-2018, 11:49 AM #4 Disabled
We also faced this attack, and the first thing to look at is your bandwidth port; if it stretches up to full, then you have already become the victim.
We simply made memcache listen on a private IP and the issue got fixed.
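One way to audit a host for the fix described in the replies above (bind memcached to a loopback or private address, or turn UDP off), as an added example that is not part of any post in this thread. It assumes the common `memcached.conf` and `OPTIONS="..."` layouts, the `-l` and `-U` flags, and that a missing flag means all interfaces with UDP on; the sample configs are constructed.

```python
import ipaddress
import shlex

def flags(text):
    """Collect -l / -U values from memcached.conf lines or an OPTIONS="..." line."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("OPTIONS="):
            line = line.partition("=")[2].strip("\"'")
        toks = shlex.split(line) if line.startswith("-") else []
        for flag, val in zip(toks, toks[1:] + [""]):  # pair each flag with its value
            if flag in ("-l", "-U"):
                out.setdefault(flag, []).append(val)
    return out

def scope(addr):
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return "unknown"  # hostname or host:port form: check by hand
    if ip.is_unspecified or ip.is_loopback:
        return "all" if ip.is_unspecified else "loopback"
    return "private" if ip.is_private else "public"  # is_private: RFC 1918 and other non-global ranges

def audit(text):
    f = flags(text)
    # Assumption: with no -U the daemon serves UDP, and with no -l it binds all interfaces.
    udp = f.get("-U", ["11211"])[-1] != "0"
    addrs = [a for v in f.get("-l", ["0.0.0.0"]) for a in v.split(",")]
    scopes = {scope(a) for a in addrs}
    if not udp or scopes <= {"loopback"}:
        verdict = "ok"
    elif scopes <= {"loopback", "private"}:
        verdict = "review"  # UDP on a private address: confirm firewall rules
    else:
        verdict = "exposed"  # UDP on all interfaces, a public or an unknown address
    return {"udp": udp, "listen": addrs, "verdict": verdict}

SAMPLES = {  # constructed configs, not taken from the thread
    "defaults": "-m 64\n-u memcache\n",
    "private-ip": "-m 64\n-l 10.0.0.5\n",
    "local-no-udp": 'PORT="11211"\nOPTIONS="-l 127.0.0.1 -U 0"\n',
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, audit(cfg))
```

A "review" verdict matches the private-IP fix from the reply above: the service is off the public interface, but UDP is still answering on the internal network.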
-
03-01-2018, 01:05 PM #5 Web Hosting Master
It doesn't sound like you were the victim, but rather part of the attack.
These attacks work by spoofing a victim IP to a bunch of public Memcache servers. Since your memcache server sounds like it was open to the internet, you were likely being used as a "zombie" in attacks on others.
I say this because, if you were the target of the attack, you wouldn't have any success simply moving your memcache service to a private address.
-
03-01-2018, 08:04 PM #6 Web Hosting Master
GitHub was hit with this in a 1.35Tbps attack: https://githubengineering.com/ddos-incident-report/
: CentminMod.com Nginx Installer Nginx 1.25, PHP-FPM, MariaDB 10 CentOS (AlmaLinux/Rocky testing)
: Centmin Mod Latest Beta Nginx HTTP/2 HTTPS & HTTP/3 QUIC HTTPS supports TLS 1.3 via OpenSSL 1.1.1/3.0/3.1 or BoringSSL or QuicTLS OpenSSL
: Nginx & PHP-FPM Benchmarks: Centmin Mod vs EasyEngine vs Webinoly vs VestaCP vs OneInStack
-
03-02-2018, 09:10 PM #7 Newbie
-
07-20-2018, 05:45 AM #8 Disabled