
Memcrashed - Major amplification attacks from UDP port 11211


Comments

  • @Crandolph said:
    Remember when I called Hetzner trash? Yeah, it still is.

    Still butt-hurt after all that time? :D Epic rekt.

  • M66B Veteran
    edited March 2018

    @Marionette said:

    @M66B said:

    @Marionette said:
    And this is why you need to set up a firewall on every box, because of shitty defaults from prepackaged software. SMTP, HTTP, HTTPS, SSH. Everything else should be closed by default.

    I don't agree, because it is just a workaround for lazy sysadmins who should really check what is listening on a server and why that is, and take appropriate action if needed. In other words, sysadmins who know what they are doing. A firewall will not help, because the same lazy 'sysadmin' might configure it wrong, not solving anything at all.

    IMHO a firewall is only useful if you really need to open a port (for example MySQL and, let's say, Memcached, lol) and need (not want) to limit it to a few IP addresses / an IP range.

    Another person who believes he never makes mistakes and assumes any mistake is caused by incompetence.

    Oddly enough, in the real world, I never meet the people who never make mistakes. Just on the internet.

    You are arguing that people are not perfect. They are not and I am neither, but that is not the point. Not checking for open ports which can be used for DDOS is a preventable mistake and is therefore incompetence.

    If you or your company want to add a firewall to cover up the mistakes of your sysadmins, that is fine and even justifiable, but it doesn't make the sysadmins competent.

  • FHR Member, Host Rep

    @M66B said:

    @Marionette said:

    @M66B said:

    @Marionette said:

    If you or your company want to add a firewall to cover up the mistakes of your sysadmins, that is fine and even justifiable, but it doesn't make the sysadmins competent.

    What the fuck. How is a firewall a "cover up"? It's a first line of defense against any kind of attack. What if your server gets infected by malware? Without a firewall, it could listen on any port it wanted and become a botnet controller, without anyone noticing.

  • edited March 2018

    @eva2000 said:

    @Aidan said:
    I thought it was standard practice to only allow specific IPs access to memcached, either localhost or specific machines in your array - turns out I was wrong.

    Standard practice would be to have a firewall in place in the first place!

    GitHub was on the receiving end of a 1.35Tbps DDOS attack https://githubengineering.com/ddos-incident-report/

    I think it should probably be done on the application itself. You can also do it on the firewall but that's probably not necessary if you do it on the application.

  • Aidan Member

    @LosPollosHermanos said:

    @eva2000 said:

    @Aidan said:
    I thought it was standard practice to only allow specific IPs access to memcached, either localhost or specific machines in your array - turns out I was wrong.

    Standard practice would be to have a firewall in place in the first place!

    GitHub was on the receiving end of a 1.35Tbps DDOS attack https://githubengineering.com/ddos-incident-report/

    Why do it on the firewall when it should be done on the application itself? Or both.

    I believe he meant that no matter how incompetent someone is, they'll at least have a firewall set up. Doing it on both memcached and your firewall is obviously the best and would (should?) be the norm.

  • edited March 2018

    @Aidan said:

    @LosPollosHermanos said:

    @eva2000 said:

    @Aidan said:
    I thought it was standard practice to only allow specific IPs access to memcached, either localhost or specific machines in your array - turns out I was wrong.

    Standard practice would be to have a firewall in place in the first place!

    GitHub was on the receiving end of a 1.35Tbps DDOS attack https://githubengineering.com/ddos-incident-report/

    Why do it on the firewall when it should be done on the application itself? Or both.

    I believe he meant that no matter how incompetent someone is, they'll at least have a firewall set up. Doing it on both memcached and your firewall is obviously the best and would (should?) be the norm.

    It looks like securing it at the application layer is pretty simple in this case.
    https://www.digitalocean.com/community/tutorials/how-to-secure-memcached-by-reducing-exposure
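The two checks this thread keeps circling back to, written out as an added example (not code from the thread or from the linked tutorial): look at what is actually listening, and confirm memcached is bound to loopback with UDP disabled. The `ss` output and the memcached.conf fragments below are constructed samples; `-l` (bind address) and `-U 0` (UDP port 0 = disabled) are real memcached options.

```shell
#!/bin/sh
# Constructed sample of `ss -lun` output (not captured from a real host);
# the 0.0.0.0:11211 and [::]:11211 rows are the exposed UDP listeners.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:11211      0.0.0.0:*
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*
UNCONN 0      0      [::]:11211         [::]:*'

# Print every UDP 11211 socket bound to a wildcard address (0.0.0.0, *, [::]).
# Exit status 1 when at least one such socket exists, 0 when none do.
exposed_memcached_udp() {
    printf '%s\n' "$1" | awk '
        $1 == "UNCONN" {
            port = $4; sub(/.*:/, "", port)
            if (port == "11211" && $4 ~ /^(0\.0\.0\.0|\*|\[::\]):/) { print $4; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed memcached.conf fragments (Debian style, one option per line).
WEAK_CONF='-m 64
-p 11211
-u memcache
-l 0.0.0.0'

HARDENED_CONF='-m 64
-p 11211
-u memcache
-l 127.0.0.1
-U 0'

# Exit 0 only when the config binds to loopback AND disables UDP (-U 0).
memcached_conf_ok() {
    printf '%s\n' "$1" | awk '
        /^-l[ \t]+127\.0\.0\.1/ { loop = 1 }
        /^-U[ \t]+0$/           { noudp = 1 }
        END { exit ((loop && noudp) ? 0 : 1) }'
}

# Live use on a real host (not run here):
#   exposed_memcached_udp "$(ss -lun)" || echo "memcached UDP is exposed"
#   memcached_conf_ok "$(cat /etc/memcached.conf)" || echo "add -l 127.0.0.1 and -U 0"
```

A firewall rule dropping inbound UDP 11211 belongs on top of this, not instead of it: the config change stops the daemon from answering spoofed requests at all, which is the actual amplification vector.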

  • M66B Veteran
    edited March 2018

    @FHR said:

    @M66B said:

    @Marionette said:

    @M66B said:

    @Marionette said:

    If you or your company want to add a firewall to cover up the mistakes of your sysadmins, that is fine and even justifiable, but it doesn't make the sysadmins competent.

    What the fuck. How is firewall a "cover up"? It's a first line of defense against any kind of attack. What if your server gets infected by malware? Without a firewall, it could listen on any port it wanted and become a botnet controller, without anyone noticing.

    Where did I say here you shouldn't use a firewall? I even said it would be justifiable. The point was and still is that a sysadmin should do more than blindly install software, and check stuff. How hard is it to use netstat and to use common sense? What if the installation procedure includes punching a hole in the firewall because the package manager thought that was a good idea?

  • M66B Veteran
    edited March 2018

    deleted

  • The DDOS attack size record has been broken with Memcrashed, at a 1.7Tbps DDOS attack https://www.theregister.co.uk/2018/03/05/worlds_biggest_ddos_attack_record_broken_after_just_five_days/

  • In the article he didn't mention who the target is.

  • edited March 2018

    LeaseWeb just sent out a notice that they are blocking all UDP 11211 traffic. Hopefully others do the same.
