Thursday, March 1, 2018

Dampening memcached UDP/11211 DDoS attacks

In recent days a severe issue with open memcached instances has been uncovered; internet and hosting providers are asked to take steps to dampen the effects of UDP/11211 attacks.

NTT has deployed rate limiters for UDP/11211 traffic on all external-facing interfaces of the GIN backbone, to dampen the negative impact of open memcached instances on peers and customers.

The toxic combination of 'one spoofed packet can yield multiple response packets' (packet amplification) and 'one small packet can yield a very big response' (bandwidth amplification) makes the memcached UDP protocol a fine example of double trouble with potential for severe operational impact.
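To make the two amplification effects visible in operational data, here is an added example (not part of the original post) that scans constructed NetFlow-style records for the memcached signature: UDP flows sourced from port 11211 with near-MTU bytes per packet, and the response-to-query ratio seen by each victim. Record layout, sample values and thresholds are assumptions to tune per network.

```python
"""Flag memcached UDP/11211 amplification traffic in flow records.

Added example, not from the original post. Records are constructed here
in a NetFlow-like tuple: (src, sport, dst, dport, proto, packets, bytes).
"""
from collections import defaultdict

# Constructed sample flows (not real data). Large bytes-per-packet with
# source port 11211 is the amplified-response signature; the small flow
# to port 11211 is the spoofed query stream that triggered it.
FLOWS = [
    ("203.0.113.10", 11211, "198.51.100.7", 443, "udp", 4000, 5800000),
    ("203.0.113.11", 11211, "198.51.100.7", 443, "udp", 3500, 5100000),
    ("198.51.100.7", 443, "203.0.113.10", 11211, "udp", 4000, 60000),
    ("192.0.2.5", 11211, "192.0.2.6", 40000, "udp", 10, 3000),
    ("203.0.113.10", 11211, "198.51.100.9", 53, "tcp", 20, 12000),
]

MIN_BYTES_PER_PKT = 1000   # assumption: amplified responses are near MTU size
MIN_PACKETS = 1000         # assumption: ignore low-volume noise


def amplification_ratio(flows):
    """Bytes received from port 11211 per byte sent to it, keyed by victim."""
    sent = defaultdict(int)   # bytes victim -> memcached (queries, likely spoofed)
    got = defaultdict(int)    # bytes memcached -> victim (responses)
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp":
            continue
        if dport == 11211:
            sent[src] += nbytes
        elif sport == 11211:
            got[dst] += nbytes
    # Victims with responses but no observed queries are left out: the
    # queries were spoofed from elsewhere, so no ratio can be computed.
    return {v: got[v] / sent[v] for v in got if sent[v]}


def suspect_flows(flows):
    """Return (reflector, victim, bytes_per_packet) for likely amplification."""
    out = []
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto == "udp" and sport == 11211 and pkts >= MIN_PACKETS:
            bpp = nbytes / pkts
            if bpp >= MIN_BYTES_PER_PKT:
                out.append((src, dst, round(bpp)))
    return out


if __name__ == "__main__":
    for reflector, victim, bpp in suspect_flows(FLOWS):
        print("suspect reflector %s -> victim %s (%d B/pkt)" % (reflector, victim, bpp))
    print(amplification_ratio(FLOWS))
```

Reflectors that appear in your own address space are the open instances to close; victims with a high ratio are where an ingress rate limiter on UDP/11211 buys the most relief.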

An example of how to configure IOS XR to dampen the attack effects can be found here. It would be good if we shared examples for more platforms with each other.
