[outages] Widespread outages: memcached amplification
John
jw at nuclearfallout.net
Fri Mar 2 15:01:24 EST 2018
We started seeing big memcached attacks on Friday 2/23 and sending out
tailored abuse emails directly to reflectors late Saturday night (2/24).
For us, attack sizes peaked on Sunday/Monday, and the last couple of
days have involved much smaller attacks. Today's memcached attacks have
been the smallest of all.
Their shrinking size is likely for a number of reasons:
- Hosts and transit providers increasingly filtering or limiting UDP
11211 internally and at their edges
- Admins reading forwarded abuse notifications and fixing their daemons
(we recorded only about 1600 reflectors used for the biggest attacks,
and many were sending a full Gbps of traffic, so individual admin
actions can have a big impact)
- More attackers learning of the vector and launching their own attacks,
causing each remaining reflector to split its traffic between more
targets at once
Attackers will be constantly scanning the IPv4 space looking for new
high-powered reflectors, but they were using the best ones they could
find at the beginning, and any newly-launched instances will be carved
up quickly.
The nature of these reasons mean that I'm less pessimistic than others
about the attack sizes increasing further. But, the sheer number of
attacks, and number of targets involved, will definitely increase.
If you're someone directly seeing attacks, please consider contacting
the top talkers sending you attack traffic! I have been surprised at the
number of admins who have gotten back to me this week and expressed that
ours was the only notification they have received.
-John
On 3/2/2018 8:56 AM, Brandon Gould via Outages wrote:
>
> Possibly related to all the outages reports this morning, I’m seeing
> packetloss and outages at 3 top-tier hosting facilities run by 3
> separate companies; 2 on the eastern coast, 1 on the west.
>
> All 3 are blaming it on memcached amplification mitigation.
>
> Buckle up, boys! (and girls)
>
>
>
> _______________________________________________
> Outages mailing list
> Outages at outages.org
> https://puck.nether.net/mailman/listinfo/outages
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/outages/attachments/20180302/56913fc2/attachment.htm>
More information about the Outages
mailing list