[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

Are you insane. ISPs should never use RFC 1918 addresses for stuff that talks to their customers.  They have no way of knowing which addresses the customers are using.

Traffic from RFC 1918 addresses should be dropped by any sane border router which all routers connecting to a ISP are. 

Mark Andrews

> On 2 Mar 2018, at 22:49, Bjørn Mork <bjorn at mork.no> wrote:
> Owen DeLong <owen at delong.com> writes:
>> I donâ??t agree that making RFC-1918 limitations a default in any daemon makes any
>> sense whatsoever.
> +1
> One of the more annoying anti-features I know of in this regard is the
> dnsmasq rebind "protection".  It claims to protect web browsers on the
> LAN against DNS rebind attacks.  But the implementation does not
> consider which adresses are used on the LAN at all.  It simply blocks
> any A record pointing to an RFC1918 address, making a few bogus
> assumptions:
> - IPv4 LAN addresses are selected from RFC1918
> - RFC1918 addresses are never used on the WAN side of a CPE
> - Noone use IPv6 on their LAN
> It's hard to know how many users have been bitten by the first
> one. You'd have to depend on this rebind "protection" in the first
> place, and that would be.... stupid.
> But the second assumption regularily bites end users when their ISP
> provides some ISP internal service using RFC1918 addresses.  Which of course
> is fine.
> The anti-feature has been enabled by default in OpenWrt for a long time,
> ref https://wiki.openwrt.org/doc/uci/dhcp#all_options , which means that
> there is a large user base having this enabled without knowing.
>> First, there are plenty of LANs out there that donâ??t use RFC-1918.
>> Second, RFC-1918 doesnâ??t apply to IPv6 at all,
> Could you try to explain that to the OpenWrt guys?  Thanks
> Bjørn