[outages] Widespread outages: memcached amplification

John jw at nuclearfallout.net
Fri Mar 2 15:01:24 EST 2018 

We started seeing big memcached attacks on Friday 2/23 and sending out 
tailored abuse emails directly to reflectors late Saturday night (2/24). 
For us, attack sizes peaked on Sunday/Monday, and the last couple of 
days have involved much smaller attacks. Today's memcached attacks have 
been the smallest of all.

Their shrinking size is likely for a number of reasons:

- Hosts and transit providers increasingly filtering or limiting UDP 
11211 internally and at their edges
- Admins reading forwarded abuse notifications and fixing their daemons 
(we recorded only about 1600 reflectors used for the biggest attacks, 
and many were sending a full Gbps of traffic, so individual admin 
actions can have a big impact)
- More attackers learning of the vector and launching their own attacks, 
causing each remaining reflector to split its traffic between more 
targets at once

Attackers will be constantly scanning the IPv4 space looking for new 
high-powered reflectors, but they were using the best ones they could 
find at the beginning, and any newly-launched instances will be carved 
up quickly.

The nature of these reasons mean that I'm less pessimistic than others 
about the attack sizes increasing further. But, the sheer number of 
attacks, and number of targets involved, will definitely increase.

If you're someone directly seeing attacks, please consider contacting 
the top talkers sending you attack traffic! I have been surprised at the 
number of admins who have gotten back to me this week and expressed that 
ours was the only notification they have received.

-John

On 3/2/2018 8:56 AM, Brandon Gould via Outages wrote:
>
> Possibly related to all the outages reports this morning, I’m seeing 
> packetloss and outages at 3 top-tier hosting facilities run by 3 
> separate companies; 2 on the eastern coast, 1 on the west.
>
> All 3 are blaming it on memcached amplification mitigation.
>
> Buckle up, boys! (and girls)
>
>
>
> _______________________________________________
> Outages mailing list
> Outages at outages.org
> https://puck.nether.net/mailman/listinfo/outages

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/outages/attachments/20180302/56913fc2/attachment.htm>

More information about the Outages mailing list