One Article Review

Home - The article:
Source Errata Security
Identifier 500435
Publication date 2018-03-08 06:57:20 (viewed: 2018-03-08 06:57:20)
Title Some notes on memcached DDoS
Text I thought I'd write up some notes on the memcached DDoS. Specifically, I describe how many I found scanning the Internet with masscan, and how to use masscan as a killswitch to neuter the worst of the attacks.

Test your servers

I added code to my port scanner for this, then scanned the Internet:

masscan 0.0.0.0/0 -pU:11211 --banners | grep memcached

This example scans the entire Internet (/0). Replace 0.0.0.0/0 with your address range (or ranges).

This produces output that looks like this:

Banner on port 11211/udp on 172.246.132.226: [memcached] uptime=230130 time=1520485357 version=1.4.13
Banner on port 11211/udp on 89.110.149.218: [memcached] uptime=3935192 time=1520485363 version=1.4.17
Banner on port 11211/udp on 172.246.132.226: [memcached] uptime=230130 time=1520485357 version=1.4.13
Banner on port 11211/udp on 84.200.45.2: [memcached] uptime=399858 time=1520485362 version=1.4.20
Banner on port 11211/udp on 5.1.66.2: [memcached] uptime=29429482 time=1520485363 version=1.4.20
Banner on port 11211/udp on 103.248.253.112: [memcached] uptime=2879363 time=1520485366 version=1.2.6
Banner on port 11211/udp on 193.240.236.171: [memcached] uptime=42083736 time=1520485365 version=1.4.13

The "banners" check keeps only the hosts that return valid memcached responses, so you don't get other stuff that isn't memcached. To filter this output further, use 'cut' to grab just column 6:

... | cut -d ' ' -f 6 | cut -d: -f1

You often get multiple responses to just one query, so you'll want to sort/uniq the list:

... | sort | uniq

My results from an Internet wide scan

I got 15181 results (or roughly 15,000).

People are using Shodan to find a list of memcached servers. They might be getting a lot of results back that respond to TCP instead of UDP. Only UDP can be used for the attack.

Masscan as exploit script

BTW, you can not only use masscan to find amplifiers, you can also use it to carry out the DDoS. Simply import the list of amplifier IP addresses, then spoof the source address as that of the target. All the responses will go back to the source address.

masscan -iL amplifiers.txt -pU:11211 --spoof-ip --rate 100000

I point this out to show how there's no magic in exploiting this. Numerous exploit scripts have been released, because it's so easy.

Why memcached servers are vulnerable

Like many servers, memcached listens to local IP address 127.0.0.1 for local administration. By listening only on the local IP address, remote people cannot talk to the server.
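For anyone auditing their own address range with the masscan --banners output shown in the "Test your servers" section above, the cut/sort/uniq pipeline can be replaced by a small parser that deduplicates hosts and keeps the version field, which the pipeline throws away. This is an added example, not code from the original post or from masscan; the sample input reuses the banner lines quoted above plus one constructed TCP-only line (192.0.2.10) to show that only UDP responders are counted as exposed.

```python
import re
from collections import Counter

# Sample input: the banner lines quoted in the post, plus one constructed
# TCP response (192.0.2.10) that must be ignored because only UDP is usable.
SAMPLE_OUTPUT = """\
Banner on port 11211/udp on 172.246.132.226: [memcached] uptime=230130 time=1520485357 version=1.4.13
Banner on port 11211/udp on 89.110.149.218: [memcached] uptime=3935192 time=1520485363 version=1.4.17
Banner on port 11211/udp on 172.246.132.226: [memcached] uptime=230130 time=1520485357 version=1.4.13
Banner on port 11211/udp on 84.200.45.2: [memcached] uptime=399858 time=1520485362 version=1.4.20
Banner on port 11211/udp on 5.1.66.2: [memcached] uptime=29429482 time=1520485363 version=1.4.20
Banner on port 11211/udp on 103.248.253.112: [memcached] uptime=2879363 time=1520485366 version=1.2.6
Banner on port 11211/udp on 193.240.236.171: [memcached] uptime=42083736 time=1520485365 version=1.4.13
Banner on port 11211/tcp on 192.0.2.10: [memcached] uptime=1 time=1520485370 version=1.5.6
"""

# Matches the "Banner on port <port>/<proto> on <ip>: [memcached] k=v k=v ..." layout.
BANNER_RE = re.compile(
    r"^Banner on port (?P<port>\d+)/(?P<proto>udp|tcp) on (?P<ip>[\d.]+): "
    r"\[memcached\] (?P<fields>.*)$"
)


def parse_banners(text):
    """Return {ip: {field: value}} for UDP memcached responders.

    Duplicate responses from the same host collapse into one entry, which is
    what the post's 'sort | uniq' step does by hand.
    """
    hosts = {}
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if not m or m.group("proto") != "udp":
            continue  # not a memcached banner, or TCP-only (not an amplifier)
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
        hosts[m.group("ip")] = fields
    return hosts


def version_counts(hosts):
    """Count exposed hosts per memcached version, for prioritising remediation."""
    return Counter(f.get("version", "unknown") for f in hosts.values())


def unique_ips(text):
    """Sorted list of unique UDP responders, equivalent to the cut/sort/uniq pipeline."""
    return sorted(parse_banners(text))


if __name__ == "__main__":
    exposed = parse_banners(SAMPLE_OUTPUT)
    print(len(exposed), "unique UDP responders")
    for ver, n in version_counts(exposed).most_common():
        print(f"  version {ver}: {n}")
```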
Sent Yes
Tags Guideline


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.