<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
We started seeing big memcached attacks on Friday 2/23 and sending
out tailored abuse emails directly to reflectors late Saturday night
(2/24). For us, attack sizes peaked on Sunday/Monday, and the last
couple of days have involved much smaller attacks. Today's memcached
attacks have been the smallest of all.<br>
<br>
Their shrinking size is likely for a number of reasons:<br>
<br>
- Hosts and transit providers increasingly filtering or limiting UDP
11211 internally and at their edges<br>
- Admins reading forwarded abuse notifications and fixing their
daemons (we recorded only about 1600 reflectors used for the biggest
attacks, and many were sending a full Gbps of traffic, so individual
admin actions can have a big impact)<br>
- More attackers learning of the vector and launching their own
attacks, causing each remaining reflector to split its traffic
between more targets at once<br>
<br>
Attackers will be constantly scanning the IPv4 space looking for new
high-powered reflectors, but they were using the best ones they
could find at the beginning, and any newly-launched instances will
be carved up quickly.<br>
<br>
The nature of these reasons mean that I'm less pessimistic than
others about the attack sizes increasing further. But, the sheer
number of attacks, and number of targets involved, will definitely
increase.<br>
<br>
If you're someone directly seeing attacks, please consider
contacting the top talkers sending you attack traffic! I have been
surprised at the number of admins who have gotten back to me this
week and expressed that ours was the only notification they have
received. <br>
<br>
-John<br>
<br>
<div class="moz-cite-prefix">On 3/2/2018 8:56 AM, Brandon Gould via
Outages wrote:<br>
</div>
<blockquote type="cite"
cite="mid:YQBPR0101MB0916F84B62738F14AFBEEA41D8C50@YQBPR0101MB0916.CANPRD01.PROD.OUTLOOK.COM">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Possibly related to all the outages reports
this morning, I’m seeing packetloss and outages at 3 top-tier
hosting facilities run by 3 separate companies; 2 on the
eastern coast, 1 on the west.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">All 3 are blaming it on memcached
amplification mitigation.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Buckle up, boys! (and girls)<o:p></o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Outages mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Outages@outages.org">Outages@outages.org</a>
<a class="moz-txt-link-freetext" href="https://puck.nether.net/mailman/listinfo/outages">https://puck.nether.net/mailman/listinfo/outages</a>
</pre>
</blockquote>
<br>
</body>
</html>