This is just stupid. OVH is one of the largest server providers in the world - of course they will be at the top of that list. What exactly should they do, according to you? Why should people de-peer them? Regards, Filip Hruska
On 28 Feb 2018 at 1:13 am, <Dan Hollis> wrote:
OVH does not suprise me in the least. Maybe this is finally what it will take to get people to de-peer them. -Dan On Tue, 27 Feb 2018, Ca By wrote: > Please do take a look at the cloudflare blog specifically as they name and > shame OVH and Digital Ocean for being the primary sources of mega crap > traffic > > https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port... > > Also, policer all UDP all the time... UDP is unsafe at any speed. > > > On Tue, Feb 27, 2018 at 12:28 PM Barry Greene wrote: > >> Hello Fellow NANOGer, >> >> If you have not already seen it, experiences it, or read about it, working >> to head off another reflection DOS vector. This time it is memcached on >> port 11211 UDP & TCP. There are active exploits using these ports. >> Reflection attacks and the memcached is not new. We know how reflection >> attacks work (send a spoofed packet to a device and have it reflected back >> (yes please deploy source address validation and BCP 38). >> >> Operators are asked to review their networks and consider updating their >> Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP >> port 11211 for all ingress and egress traffic. If you do not know about >> iACLs or Explorable port filters, you can use this white paper details and >> examples from peers on Exploitable Port Filters: >> http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-... >> >> Enterprises are also asked to update their iACLs, Exploitable Port >> Filters, and Firewalls to track or block UDP/TCP port 11211 for all ingress >> and egress traffic. >> >> Deploying these filters will help protect your network, your organization, >> your customers, and the Internet. >> >> Ping me 1:1 if you have questions. >> >> Sincerely, >> >> -- >> Barry Raveendran Greene >> Security Geek helping with OPSEC Trust >> Mobile: +1 408 218 4669 >> E-mail: bgreene@senki.org >> >> ---------------------------- >> Resources on memcached Exploit (to evaluate your risk): >> >> More information about this attack vector can be found at the following: >> >> • JPCERT – memcached のアクセス制御に関する注意喚起 (JPCERT-AT-2018-0009) >> http://www.jpcert.or.jp/at/2018/at180009.html >> • Qrator Labs: The memcached amplification attacks reaching 500 >> Gbps >> >> https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-5... >> • Arbor Networks: memcached Reflection/Amplification Description >> and DDoS Attack Mitigation Recommendations >> >> https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-... >> • Cloudflare: Memcrashed – Major amplification attacks from UDP >> port 11211 >> >> https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port... >> • Link11: New High-Volume Vector: Memcached Reflection >> Amplification Attacks >> >> https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-a... >> • Blackhat Talk: The New Page of Injections Book: Memcached >> Injections by Ivan Novikov >> >> https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-... >> • Memcache Exploit >> http://niiconsulting.com/checkmate/2013/05/memcache-exploit/ >> >