[Bro] bro policy to identify memcached attacks/participation
Azoff, Justin S
jazoff at illinois.edu
Fri Mar 2 14:34:50 PST 2018
Neat. I kind of have a generic version of this that detects any UDP reflection attack, at least the ones we have seen. I've been meaning to make a package for it, I just want to generate some tests first.

From research I've done, other than a few endpoints like VPN boxes that can be whitelisted and BitTorrent uTP users, any large inbound or outbound UDP flows are DoS attacks, especially when orig_h is remote.
> On Mar 2, 2018, at 4:37 PM, Scott Campbell <scottc at es.net> wrote:
> We have put together some sample bro policy that might be useful in identifying:
> 1) memcached instances with publicly available TCP ports.
> 2) UDP connection attempts to 11211/udp.
> 3) excessive outbound traffic from an IP that has previously had an inbound memcached 'get' request from outside the local address space.
> This code is a little green, but can be used to keep an eye on your local network as this problem evolves.
> Repo can be found here:
> If you have any questions please let me know and I will do what I can to help. As well, any changes or improvements will be gladly integrated into the code as well.
> Feel free to share with anyone as this is public information.
> Many thanks!
> Scott Campbell
> ESnet Security Analyst
> Bro mailing list
> bro at bro-ids.org
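To make the three checks in Scott's message concrete, here is an added example that is neither his Bro policy nor Justin's package: the same rules written in Python and replayed over a handful of constructed records shaped like Bro conn.log rows (orig_h, resp_p, orig_bytes, resp_bytes, and the leading bytes of the first request). The local address ranges, the byte threshold for "excessive outbound traffic", and the helper names are assumptions for the illustration; a real policy would take the local nets from Site::local_nets and the threshold from a tuning variable.

```python
"""Constructed example (not the Bro policy from the thread) illustrating its three
checks, replayed over hand-made records shaped like Bro conn.log rows."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the local address space; Bro would take this from Site::local_nets.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
MEMCACHED_PORT = 11211
# Assumption: how many bytes a primed host may send outward before a notice is raised.
OUTBOUND_BYTE_THRESHOLD = 1_000_000


@dataclass
class Conn:
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str            # "tcp" or "udp"
    orig_bytes: int       # bytes sent by the originator
    resp_bytes: int       # bytes sent by the responder
    payload: bytes = b""  # leading bytes of the originator's first packet, if captured


def is_local(host: str) -> bool:
    return any(ip_address(host) in net for net in LOCAL_NETS)


def looks_like_get(payload: bytes) -> bool:
    # Memcached's UDP framing puts an 8-byte header in front of the text command,
    # so the command is checked just after it rather than at offset 0.
    return payload[8:].startswith(b"get")


class MemcachedMonitor:
    def __init__(self) -> None:
        self.public_tcp = set()           # rule 1: memcached answering TCP from outside
        self.udp_attempts = []            # rule 2: every UDP attempt against 11211
        self.primed = set()               # local hosts that received an external UDP 'get'
        self.outbound = defaultdict(int)  # bytes each primed host has sent to non-local peers
        self.excessive = set()            # rule 3: primed hosts over the byte threshold

    def observe(self, c: Conn) -> list:
        notices = []
        external_client = is_local(c.resp_h) and not is_local(c.orig_h)

        # Rule 1: a local memcached answering a TCP client from outside the local nets.
        if c.proto == "tcp" and c.resp_p == MEMCACHED_PORT and external_client and c.resp_bytes > 0:
            if c.resp_h not in self.public_tcp:
                self.public_tcp.add(c.resp_h)
                notices.append(("public_tcp", c.resp_h))

        # Rule 2: any UDP connection attempt to 11211, wherever it comes from.
        if c.proto == "udp" and c.resp_p == MEMCACHED_PORT:
            self.udp_attempts.append((c.orig_h, c.resp_h))
            notices.append(("udp_attempt", c.orig_h, c.resp_h))
            if external_client and looks_like_get(c.payload):
                self.primed.add(c.resp_h)

        # Rule 3: count bytes a primed host sends to non-local peers in either direction;
        # in a reflection the amplified data is the responder's reply on the inbound flow.
        for host, sent, peer in ((c.orig_h, c.orig_bytes, c.resp_h),
                                 (c.resp_h, c.resp_bytes, c.orig_h)):
            if host in self.primed and not is_local(peer):
                self.outbound[host] += sent
                if self.outbound[host] > OUTBOUND_BYTE_THRESHOLD and host not in self.excessive:
                    self.excessive.add(host)
                    notices.append(("excessive_outbound", host, self.outbound[host]))
        return notices


# Constructed records; addresses are documentation ranges, not real hosts.
GET_PAYLOAD = b"\x00\x01\x00\x00\x00\x01\x00\x00" + b"get key1 key2 key3\r\n"
SAMPLE_CONNS = [
    Conn("203.0.113.5", 40001, "10.1.1.20", 11211, "tcp", 60, 120),                 # rule 1
    Conn("198.51.100.7", 53, "10.1.1.20", 11211, "udp", 45, 600_000, GET_PAYLOAD),  # rule 2, primes host
    Conn("10.1.1.30", 50002, "10.1.1.20", 11211, "udp", 45, 40),                    # internal: rule 2 only
    Conn("198.51.100.7", 53, "10.1.1.20", 11211, "udp", 45, 600_000, GET_PAYLOAD),  # pushes past threshold
]


def run_example(conns=SAMPLE_CONNS):
    mon = MemcachedMonitor()
    notices = []
    for c in conns:
        notices.extend(mon.observe(c))
    return mon, notices


if __name__ == "__main__":
    _, out = run_example()
    for n in out:
        print(n)
```

Running it prints one notice per triggered rule: the TCP exposure first, then each UDP attempt (the internal one included, since rule 2 fires regardless of source), and finally the excessive-outbound notice once the reflected replies from 10.1.1.20 to the external address pass the threshold. Rule 3 deliberately ignores the internal client's traffic, which is what keeps ordinary in-network memcached use out of the count.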