We have put together some sample bro policy that might be useful in identifying:
- memcached instances with publicly available TCP ports.
- UDP connection attempts to 11211/udp.
- excessive outbound traffic from an IP that has previously had an inbound memcached ‘get’ request from outside the local address space.
This code is a little green, but can be used to keep an eye on your local network as this problem evolves.
Repo can be found here:
If you have any questions please let me know and I will do what I can to help. Any changes or improvements will also be gladly integrated into the code.
Feel free to share with anyone as this is public information.
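A stand-alone illustration of the three checks listed above, added here and not taken from the linked repo: it applies them to a few constructed conn.log-style records in Python rather than Bro, and approximates an inbound 'get' by any UDP datagram to 11211, since conn.log carries no payload. The local nets, the byte threshold and the tab-separated field layout are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed local address space (assumption; use your own Site::local_nets values).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
MEMCACHED_PORT = 11211
OUTBOUND_THRESHOLD = 1_000_000  # assumed byte count that counts as "excessive" outbound

# Constructed conn.log-style records (tab-separated):
# ts orig_h orig_p resp_h resp_p proto conn_state orig_bytes resp_bytes
SAMPLE_CONN_LOG = [
    "1520000000.1\t203.0.113.5\t40000\t10.0.0.7\t11211\ttcp\tSF\t60\t120",      # external TCP reached memcached
    "1520000001.0\t203.0.113.9\t50000\t10.0.0.7\t11211\tudp\tSHR\t40\t750000",  # external UDP 'get', amplified reply
    "1520000002.0\t203.0.113.9\t50001\t10.0.0.7\t11211\tudp\tSHR\t40\t750000",
    "1520000003.0\t10.0.0.7\t11211\t203.0.113.9\t50000\tudp\tSHR\t5000\t0",     # same host originating outbound
    "1520000004.0\t10.0.0.8\t11211\t198.51.100.2\t443\ttcp\tSF\t5000\t300",    # normal flow, no prior inbound get
    "1520000005.0\t203.0.113.5\t40001\t10.0.0.9\t11211\ttcp\tS0\t0\t0",        # SYN only, port not open
]

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def parse(lines):
    for line in lines:
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        yield (float(f[0]), f[1], int(f[2]), f[3], int(f[4]), f[5], f[6], int(f[7]), int(f[8]))

def analyze(conn_lines, threshold=OUTBOUND_THRESHOLD):
    """Return the three findings the policy is meant to raise."""
    public_tcp, udp_attempts = set(), set()
    first_get = {}                # local host -> ts of first external UDP 'get'
    outbound = defaultdict(int)   # local host -> bytes sent to non-local hosts from that point on
    for ts, oh, op, rh, rp, proto, state, obytes, rbytes in sorted(parse(conn_lines)):
        inbound = is_local(rh) and not is_local(oh)
        # 1. memcached TCP port answered a connection from outside the local nets
        if inbound and proto == "tcp" and rp == MEMCACHED_PORT and state not in ("S0", "REJ", "OTH"):
            public_tcp.add(rh)
        # 2. any UDP datagram to 11211 from outside (approximates an inbound 'get')
        if inbound and proto == "udp" and rp == MEMCACHED_PORT:
            udp_attempts.add(oh)
            first_get.setdefault(rh, ts)
        # 3. outbound bytes from a host seen in check 2, counted in either flow direction
        if rh in first_get and ts >= first_get[rh] and inbound:
            outbound[rh] += rbytes
        elif oh in first_get and ts >= first_get[oh] and not is_local(rh):
            outbound[oh] += obytes
    excessive = {h: b for h, b in outbound.items() if b >= threshold}
    return {"public_tcp": sorted(public_tcp), "udp_attempts": sorted(udp_attempts), "excessive_outbound": excessive}

if __name__ == "__main__":
    print(analyze(SAMPLE_CONN_LOG))
```

On the constructed records this reports 10.0.0.7 as publicly reachable over TCP, 203.0.113.9 as the UDP source, and 10.0.0.7 as having sent about 1.5 MB outbound after the first external request, while the SYN-only attempt against 10.0.0.9 is not counted as an open port.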
Neat. I kind of have a generic version of this that detects any udp reflection attack, at least the ones we have seen.
I've been meaning to make a package for it, I just want to generate some tests first.
From research I've done, other than a few endpoints like VPN boxes that can be whitelisted and BitTorrent uTP users, any large inbound or outbound udp flows are DoS attacks, especially when orig_h is remote.
After activating this script I am getting the warning below and Bro is not starting:
warning in /opt/data/behavior/spool/tmp/check-config-worker-1-1/local-networks.bro, lines 41-42: multiple initializations for index (220.127.116.11/27)
warning in /opt/data/behavior/spool/tmp/check-config-worker-1-1/local-networks.bro, lines 57-58: multiple initializations for index (18.104.22.168/26)
warning in /opt/data/behavior/spool/tmp/check-config-worker-1-1/local-networks.bro, lines 70-71: multiple initializations for index (22.214.171.124/24)