[Bro] bro policy to identify memcached attacks/participation

Scott Campbell scottc at es.net
Fri Mar 2 13:37:10 PST 2018

We have put together some sample bro policy that might be useful in

1) memcached instances with publicly available TCP ports.
2) UDP connection attempts to 11211/udp.
3) excessive outbound traffic from an IP that has previously had an inbound
memcached 'get' request from outside the local address space.

This code is a little green, but can be used to keep an eye on your local
network as this problem evolves.

Repo can be found here:


If you have any questions please let me know and I will do what I can to
help.  As well, any changes or improvements will be gladly integrated into
the code as well.

Feel free to share with anyone as this is public information.

Many thanks!

Scott Campbell
ESnet Security Analyst
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180302/aea81939/attachment.html 

More information about the Bro mailing list