<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hi, hope this issue can be resolved because it was brought to our attention by the data centre via an abuse email.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The message below the line indicates Memcached on our server 87.246.nnn.nnn was used to attack other servers via UDP port 11211. I’ve looked at how to secure Memcached and for now have put the following firewall commands in place:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>iptables -I OUTPUT -p udp --dport 11211 -j DROP<o:p></o:p></p><p class=MsoNormal>iptables-save<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>First question, is this enough/correct to block outgoing UDP connections on port 11211?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Secondly, has anyone experienced this and is a server-wide fix or extra limitations Memcached available? What is Memcached used for on BX and it is it possible to remove it?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks in advanced for your comments.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Richard<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Server:<o:p></o:p></p><p class=MsoNormal>Build 20140909 for a 5208R in en_US<o:p></o:p></p><p class=MsoNormal>Linux s2.diamond-discovery.net 2.6.32-642.15.1.el6.x86_64 #1 SMP Thu Feb 23 11:19:57 CST 2017 x86_64 x86_64 x86_64 GNU/Linux<o:p></o:p></p><p class=MsoNormal><span style='font-family:Consolas'>Memcached version 1.4.4<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>--------------------------------------------------------------<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>Exploitable memcached server used for an attack: 87.246.nnn.nnn<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>A public-facing device on your network, running on IP address 87.246.nnn.nnn, appears to operate an unsecured memcached instance responding on port 11211 that participated in a large-scale attack against a customer of ours, generating UDP responses to spoofed requests that claimed to be from the attack target.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>Please consider reconfiguring this server in one or more of these ways:<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>1. Adding a firewall rule to block all access to this host's UDP port 11211 at your network edge.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>2. Adding firewall rules to allow connections to this service (on UDP port 11211) from authorized endpoints but block connections from all other hosts.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>3. Adjusting the memcached instance to only listen on the local interface (localhost).<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>Example responses from the host during this attack are given below.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>Date/timestamps (at the very left) are UTC.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>2018-02-25 18:19:26.948340 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 1428)<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 87.246.nnn.nnn.11211 > 208.146.44.x.58695: UDP, length 1400<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0000: 4500 0594 0000 4000 3811 763d 57f6 7292 E.....@.8.v=W.r.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0010: d092 2c01 2bcb e547 0580 9696 0001 0135 ..,.+..G.......5<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0020: 021c 0000 860a 4e58 b0f7 bd10 77cd c458 ......NX....w..X<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0030: c184 e95c f7e7 dbd0 01b9 9626 7728 8097 ...\.......&w(..<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0040: ccd1 1239 5f27 9dde 12a1 eb1d 4612 8a89 ...9_'......F...<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0050: 0d5e .^<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>2018-02-25 18:19:26.971293 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 1428)<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 87.246.nnn.nnn.11211 > 208.146.44.x.32480: UDP, length 1400<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0000: 4500 0594 0000 4000 3811 763d 57f6 7292 E.....@.8.v=W.r.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0010: d092 2c01 2bcb 7ee0 0580 73a5 0001 001e ..,.+.~...s.....<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0020: 021c 0000 496d 1b0a e6c2 f805 0866 3656 ....Im.......f6V<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0030: a750 d3c1 3770 6eca 078f fdba 1ce3 ffdc .P..7pn.........<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0040: ec05 f2c5 5da8 d6e6 d826 eb05 c673 3d3b ....]....&...s=;<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0050: a139 .9<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>2018-02-25 18:19:26.975069 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 1428)<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 87.246.nnn.nnn.11211 > 208.146.44.x.32480: UDP, length 1400<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0000: 4500 0594 0000 4000 3811 763d 57f6 7292 E.....@.8.v=W.r.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0010: d092 2c01 2bcb 7ee0 0580 1b72 0001 0127 ..,.+.~....r...'<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0020: 021c 0000 f7f0 cb42 53c8 cf44 d06b bdb3 .......BS..D.k..<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0030: f4be 72c9 aa31 5222 3f89 df2c 12cc 7786 ..r..1R"?..,..w.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0040: 30be 6ae7 69e5 08ed 00e7 00b0 870f 72da 0.j.i.........r.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0050: 41cb A.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>2018-02-25 18:19:26.978534 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 1428)<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 87.246.nnn.nnn.11211 > 208.146.44.x.32480: UDP, length 1400<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0000: 4500 0594 0000 4000 3811 763d 57f6 7292 E.....@.8.v=W.r.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0010: d092 2c01 2bcb 7ee0 0580 76b9 0001 01f3 ..,.+.~...v.....<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0020: 021c 0000 0635 0f9d 5886 4b66 e557 2645 .....5..X.Kf.W&E<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0030: 60c3 42e5 8d93 579d a5ee 363e 26c2 2aa6 `.B...W...6>&.*.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0040: cc12 52a1 6ea2 0670 70da 2d6b 47fa b726 ..R.n..pp.-kG..&<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0050: d7b7 ..<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>2018-02-25 18:19:27.051352 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 1428)<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 87.246.nnn.nnn.11211 > 208.146.44.x.45782: UDP, length 1400<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0000: 4500 0594 0000 4000 3811 763d 57f6 7292 E.....@.8.v=W.r.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0010: d092 2c01 2bcb b2d6 0580 b456 0001 005f ..,.+......V..._<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0020: 021c 0000 77dc 0366 6d9c 7120 478b cc48 ....w..fm.q.G..H<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0030: 34cd 3665 2a74 7104 1d91 7693 bd76 209c 4.6e*tq...v..v..<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0040: fd0e 74ac ac13 50b0 4eae fb22 0756 ed39 ..t...P.N..".V.9<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'> 0x0050: 4696 F.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "1".)<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>-John<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>President<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>Nuclearfallout, Enterprises, Inc. (NFOservers.com)<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'>(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:Consolas'><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>