[BlueOnyx:21778] Memcached security issue

Richard Morgan :: Morgan Web richard at morgan-web.co.uk
Mon Feb 26 05:50:43 -05 2018


Hi, hope this issue can be resolved because it was brought to our attention
by the data centre via an abuse email.

 

The message below the line indicates Memcached on our server 87.246.nnn.nnn
was used to attack other servers via UDP port 11211. I've looked at how to
secure Memcached and for now have put the following firewall commands in
place:

 

iptables -I OUTPUT -p udp  --dport 11211 -j DROP

iptables-save

 

First question, is this enough/correct to block outgoing UDP connections on
port 11211?

 

Secondly, has anyone experienced this, and is a server-wide fix or extra
limitation for Memcached available? What is Memcached used for on BX, and is
it possible to remove it?

 

Thanks in advance for your comments.

 

Richard

 

Server:

Build 20140909 for a 5208R in en_US

Linux s2.diamond-discovery.net 2.6.32-642.15.1.el6.x86_64 #1 SMP Thu Feb 23
11:19:57 CST 2017 x86_64 x86_64 x86_64 GNU/Linux

Memcached version 1.4.4

--------------------------------------------------------------

 

Exploitable memcached server used for an attack: 87.246.nnn.nnn

 

A public-facing device on your network, running on IP address
87.246.nnn.nnn, appears to operate an unsecured memcached instance
responding on port 11211 that participated in a large-scale attack against a
customer of ours, generating UDP responses to spoofed requests that claimed
to be from the attack target.

 

Please consider reconfiguring this server in one or more of these ways:

 

1. Adding a firewall rule to block all access to this host's UDP port 11211
at your network edge.

2. Adding firewall rules to allow connections to this service (on UDP port
11211) from authorized endpoints but block connections from all other hosts.

3. Adjusting the memcached instance to only listen on the local interface
(localhost).

 

Example responses from the host during this attack are given below.

Date/timestamps (at the very left) are UTC.

 

2018-02-25 18:19:26.948340 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 1428)
  87.246.nnn.nnn.11211 > 208.146.44.x.58695: UDP, length 1400

2018-02-25 18:19:26.971293 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 1428)
  87.246.nnn.nnn.11211 > 208.146.44.x.32480: UDP, length 1400

2018-02-25 18:19:26.975069 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 1428)
  87.246.nnn.nnn.11211 > 208.146.44.x.32480: UDP, length 1400

2018-02-25 18:19:26.978534 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 1428)
  87.246.nnn.nnn.11211 > 208.146.44.x.32480: UDP, length 1400

2018-02-25 18:19:27.051352 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 1428)
  87.246.nnn.nnn.11211 > 208.146.44.x.45782: UDP, length 1400

 

(The final octet of our customer's IP address is masked in the above output
because some automatic parsers become confused when multiple IP addresses
are included. The value of that octet is "1".)

 

-John

President

Nuclearfallout, Enterprises, Inc. (NFOservers.com)

 

(We're sending out so many of these notices, and seeing so many
auto-responses, that we can't go through this email inbox effectively. If
you have follow-up questions, please contact us at noc at nfoe.net.)
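A hardening check for the situation described in this thread, added here as an example and not code from the post or from the BlueOnyx project: it prints the iptables rules that actually match the reflected traffic (the replies in the notice leave the host with source port 11211, so an OUTPUT rule on --dport 11211 never sees them) and audits the memcached OPTIONS line for "-U 0" and "-l 127.0.0.1". It assumes the CentOS 6 layout of a 5208R (/etc/sysconfig/memcached, rules persisted with "service iptables save"); the memcached_* function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post or from BlueOnyx.
# Assumptions: memcached reads its flags from the OPTIONS= line in
# /etc/sysconfig/memcached (CentOS 6), and firewall rules are persisted
# with "service iptables save" (a bare "iptables-save" only prints them).

# Rules that stop the reflection in both directions. The replies in the
# abuse notice have SOURCE port 11211 and a random destination port, so
# matching --dport 11211 on OUTPUT does not catch them.
memcached_firewall_rules() {
    cat <<'EOF'
iptables -I INPUT  -p udp --dport 11211 -j DROP
iptables -I OUTPUT -p udp --sport 11211 -j DROP
EOF
}

# Audit an OPTIONS string. Returns 0 when the UDP listener is off (-U 0,
# supported by memcached 1.4.x) and the daemon is bound to loopback
# (-l 127.0.0.1); otherwise prints what is missing and returns 1.
memcached_options_ok() {
    opts=$1
    rc=0
    case " $opts " in
        *" -U 0 "*) ;;
        *) echo "UDP listener still on: add -U 0"; rc=1 ;;
    esac
    case " $opts " in
        *" -l 127.0.0.1 "*) ;;
        *) echo "not bound to loopback: add -l 127.0.0.1"; rc=1 ;;
    esac
    return $rc
}

# Run the audit against the live sysconfig file when it exists.
audit_memcached_sysconfig() {
    f=${1:-/etc/sysconfig/memcached}
    [ -r "$f" ] || { echo "$f not found"; return 2; }
    OPTIONS=""
    . "$f"
    memcached_options_ok "$OPTIONS"
}
```

After changing OPTIONS, restart memcached and confirm with "netstat -lnup" that nothing is listening on UDP 11211.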