[Bro] bro policy to identify memcached attacks/participation

Azoff, Justin S jazoff at illinois.edu
Fri Mar 2 14:34:50 PST 2018

Neat.  I kind of have a generic version of this that detects any udp reflection attack, at least the ones we have seen.

I've been meaning to make a package for it, I just want to generate some tests first.

From research I've done, other than a few endpoints like VPN boxes that can be whitelisted and bittorrent
uTP users, any large inbound or outbound udp flows are DoS attacks, especially when orig_h is remote.

Justin Azoff

> On Mar 2, 2018, at 4:37 PM, Scott Campbell <scottc at es.net> wrote:
> We have put together some sample bro policy that might be useful in identifying:
> 1) memcached instances with publicly available TCP ports.
> 2) UDP connection attempts to 11211/udp.
> 3) excessive outbound traffic from an IP that has previously had an inbound memcached 'get' request from outside the local address space.
> This code is a little green, but can be used to keep an eye on your local network as this problem evolves.
> Repo can be found here:
> https://github.com/set-element/bro_memcached_detect
> If you have any questions please let me know and I will do what I can to help.  As well, any changes or improvements will be gladly integrated into the code as well.
> Feel free to share with anyone as this is public information.
> Many thanks!
> scott
> -----
> Scott Campbell
> ESnet Security Analyst
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
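The two posts above describe four detection ideas at the flow level: a memcached server answering TCP from outside, UDP attempts to 11211/udp, excessive outbound UDP from a host that recently received an inbound memcached request, and Justin's generic "any large UDP flow" heuristic. The script below is an added illustration written for this page; it is not code from the thread or from the set-element/bro_memcached_detect repository, and it runs over constructed conn.log-style records rather than inside Bro. The local address range (192.0.2.0/24), the byte threshold, the time window, and the tab-separated field subset are all assumptions; the conn.log fields used here cannot see the memcached command, so "inbound request to 11211" stands in for Scott's inbound 'get'.

```python
"""Flow-level checks for memcached reflection participation.

Added example, not from the mailing-list thread or the bro_memcached_detect
repository. Input is a constructed, tab-separated subset of Bro conn.log
fields; thresholds and the local address space are assumptions to tune per site.
"""
import ipaddress

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumption: site's local space
MEMCACHED_PORT = 11211
LARGE_UDP_BYTES = 10_000_000   # assumption: bytes in one flow before it is "large"
AMPLIFY_WINDOW = 3600.0        # assumption: seconds to watch outbound after inbound request


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_conn(line: str) -> dict:
    """Parse one record: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, orig_bytes, resp_bytes."""
    f = line.rstrip("\n").split("\t")
    return {
        "ts": float(f[0]), "orig_h": f[1], "orig_p": int(f[2]),
        "resp_h": f[3], "resp_p": int(f[4]), "proto": f[5],
        "orig_bytes": int(f[6]), "resp_bytes": int(f[7]),
    }


def analyze(lines):
    """Return (kind, subject, detail) notices, in log order."""
    notices = []
    seen_inbound = {}  # local host -> ts of last inbound request to 11211 from outside
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        c = parse_conn(line)
        inbound = (not is_local(c["orig_h"])) and is_local(c["resp_h"])
        outbound = is_local(c["orig_h"]) and (not is_local(c["resp_h"]))
        to_memcached = c["resp_p"] == MEMCACHED_PORT

        # 1) memcached reachable over TCP from outside: the server actually answered.
        if inbound and to_memcached and c["proto"] == "tcp" and c["resp_bytes"] > 0:
            notices.append(("memcached_tcp_public", c["resp_h"], f"answered {c['resp_bytes']} bytes to {c['orig_h']}"))
        # 2) UDP connection attempts to 11211/udp from outside.
        if inbound and to_memcached and c["proto"] == "udp":
            notices.append(("memcached_udp_attempt", c["resp_h"], f"from {c['orig_h']}"))
        # Remember any inbound request to 11211 (stand-in for an inbound 'get').
        if inbound and to_memcached:
            seen_inbound[c["resp_h"]] = c["ts"]
        # 3) excessive outbound UDP from a host that recently received such a request.
        if outbound and c["proto"] == "udp" and c["orig_bytes"] >= LARGE_UDP_BYTES:
            t0 = seen_inbound.get(c["orig_h"])
            if t0 is not None and 0 <= c["ts"] - t0 <= AMPLIFY_WINDOW:
                notices.append(("memcached_amplification", c["orig_h"],
                                f"{c['orig_bytes']} bytes to {c['resp_h']} within {c['ts'] - t0:.0f}s of inbound request"))
        # 4) generic: any large UDP flow, noting whether the originator is remote.
        if c["proto"] == "udp" and max(c["orig_bytes"], c["resp_bytes"]) >= LARGE_UDP_BYTES:
            side = "orig_remote" if not is_local(c["orig_h"]) else "orig_local"
            notices.append(("large_udp_flow", f"{c['orig_h']}->{c['resp_h']}", side))
    return notices


# Constructed sample records (documentation prefixes, not real traffic).
SAMPLE_LOG = (
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes\n"
    "1520000000.0\t198.51.100.7\t40000\t192.0.2.10\t11211\ttcp\t60\t1200\n"
    "1520000001.0\t198.51.100.7\t40001\t192.0.2.10\t11211\tudp\t30\t0\n"
    "1520000005.0\t192.0.2.10\t11211\t203.0.113.5\t80\tudp\t50000000\t0\n"
    "1520000006.0\t192.0.2.20\t50000\t203.0.113.9\t443\ttcp\t500\t600\n"
    "1520000007.0\t203.0.113.40\t3333\t192.0.2.30\t6881\tudp\t20000000\t0\n"
)


def run_sample():
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, subject, detail in run_sample():
        print(f"{kind:24} {subject:28} {detail}")
```

The generic check (4) fires on the 6881/udp flow as well as on the memcached one, which is Justin's point: at this size, UDP flows that are not whitelisted VPN or uTP endpoints are almost always attack traffic, and the originator being remote is the stronger signal. Check (3) deliberately requires a prior inbound 11211 request inside the window, so a large outbound UDP flow from a host that was never queried is reported only as `large_udp_flow`, not as amplification.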
