bro policy to identify memcached attacks/participation

We have put together some sample bro policy that might be useful in identifying:

  1. memcached instances with publicly available TCP ports.
  2. UDP connection attempts to 11211/udp.
  3. excessive outbound traffic from an IP that has previously had an inbound memcached ‘get’ request from outside the local address space.

This code is a little green, but can be used to keep an eye on your local network as this problem evolves.

Repo can be found here:

https://github.com/set-element/bro_memcached_detect

If you have any questions please let me know and I will do what I can to help. Any changes or improvements will also be gladly integrated into the code.

Feel free to share with anyone as this is public information.

Many thanks!
scott
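For readers who want to see the shape of the three checks before pulling the repo, here is a minimal Bro script that covers them. This is an added example, not the code from bro_memcached_detect: it uses only stock Bro events (connection_established, udp_contents, connection_state_remove) plus Site::is_local_addr, and the module name, notice names and the 1 MB response-size threshold are assumptions of this example. The "get" detection relies on the documented memcached UDP frame layout (8-byte header, then the ASCII command).

```zeek
##! Added example: flag the three memcached conditions from the post
##! (public TCP port, 11211/udp probes, excessive outbound traffic from a
##! host that served a "get" to an outside address). Not the repo's code.

@load base/frameworks/notice
@load base/utils/site

module MemcachedWatch;

export {
    redef enum Notice::Type += {
        ## A local memcached TCP port was reached from outside Site::local_nets.
        Public_TCP_Port,
        ## A remote host sent a datagram to 11211/udp on a local host.
        UDP_Probe,
        ## A local host that earlier answered a memcached "get" from outside
        ## sent a large response to a remote address; likely reflection.
        Reflection_Suspect,
    };

    ## Ports to watch; 11211 is memcached's default.
    const memcached_tcp = 11211/tcp &redef;
    const memcached_udp = 11211/udp &redef;

    ## Response bytes per connection above which we call it "excessive".
    ## Assumed value for this example; tune it to your network.
    const excessive_bytes = 1000000 &redef;
}

# Ask Bro to hand us the payload of datagrams sent to 11211/udp.
redef udp_content_delivery_ports_orig += { [memcached_udp] = T };

# Local hosts that have answered a memcached "get" from outside local nets.
global get_servers: set[addr] &create_expire = 1 day;

# Check 1: a memcached TCP port on a local host reachable from outside.
event connection_established(c: connection)
{
    if ( c$id$resp_p == memcached_tcp &&
         Site::is_local_addr(c$id$resp_h) && ! Site::is_local_addr(c$id$orig_h) )
        NOTICE([$note=Public_TCP_Port, $conn=c,
                $msg=fmt("memcached TCP port on %s reached from %s",
                         c$id$resp_h, c$id$orig_h),
                $identifier=cat(c$id$resp_h), $suppress_for=1 day]);
}

# Check 2: remote datagram to 11211/udp; also remember "get" targets.
event udp_contents(u: connection, is_orig: bool, contents: string)
{
    if ( ! is_orig || u$id$resp_p != memcached_udp ||
         ! Site::is_local_addr(u$id$resp_h) || Site::is_local_addr(u$id$orig_h) )
        return;

    NOTICE([$note=UDP_Probe, $conn=u,
            $msg=fmt("11211/udp probe of %s from %s", u$id$resp_h, u$id$orig_h),
            $identifier=cat(u$id$orig_h, u$id$resp_h), $suppress_for=1 hr]);

    # The memcached UDP frame is an 8-byte header followed by the ASCII
    # command, so the command text starts at byte 9 (sub_bytes is 1-based).
    if ( |contents| >= 12 && sub_bytes(contents, 9, 4) == "get " )
        add get_servers[u$id$resp_h];
}

# Check 3: a remembered "get" server sends a large response to a remote host.
event connection_state_remove(c: connection)
{
    if ( c$id$resp_h !in get_servers || Site::is_local_addr(c$id$orig_h) )
        return;

    if ( c$resp$size > excessive_bytes )
        NOTICE([$note=Reflection_Suspect, $conn=c,
                $msg=fmt("%s sent %d bytes to %s after serving a memcached get from outside",
                         c$id$resp_h, c$resp$size, c$id$orig_h),
                $identifier=cat(c$id$resp_h, c$id$orig_h), $suppress_for=1 hr]);
}
```

Save it as a .bro file and @load it from local.bro. Site::local_nets (networks.cfg in broctl) must be populated, otherwise every address is "remote" and the local/remote checks are meaningless; spoofed reflection traffic shows up here with the victim as orig_h and your memcached host as resp_h, which is why check 3 keys on resp_h.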

Neat. I kind of have a generic version of this that detects any udp reflection attack, at least the ones we have seen.

I've been meaning to make a package for it, I just want to generate some tests first.

From research I've done, other than a few endpoints like VPN boxes that can be whitelisted and bittorrent uTP users, any large inbound or outbound udp flows are DoS attacks, especially when orig_h is remote.

After activating this script I am getting the warning below and bro is not starting:

warning in /opt/data/behavior/spool/tmp/check-config-worker-1-1/local-networks.bro, lines 41-42: multiple initializations for index (207.17.136.32/27)
warning in /opt/data/behavior/spool/tmp/check-config-worker-1-1/local-networks.bro, lines 57-58: multiple initializations for index (207.17.136.64/26)
warning in /opt/data/behavior/spool/tmp/check-config-worker-1-1/local-networks.bro, lines 70-71: multiple initializations for index (207.17.137.0/24)