back to article Popular cache utility exploited for massive reflected DoS attacks

Attackers have discovered a new amplified denial-of-service attack vector, and have launched attacks reaching hundreds of gigabits per second in Asia, North America and Europe. Former Internet Systems Consortium CEO and now Akamai principal architect Barry Raveendran Greene has detailed the reflected DOS attack on his blog and …

  1. Anonymous Coward
    Anonymous Coward

    Who puts insecure services on the internet without firewall blocking?!

    No doubt it's all those 'agile devops' people who know fuck all about infrastructure and security.

    1. Brian Miller

      Re: Who puts insecure services on the internet without firewall blocking?!

      Too many numpties, too many deadlines.

      When you have a combination of incompetent managers and developers, these things happen all the time. From IOT to big servers, and sometimes it happens with the security dev screaming bloody murder. "Nah, nobody is going to do that..."

    2. Anonymous Coward
      Anonymous Coward

      Re: Who puts insecure services on the internet without firewall blocking?!

      Ah yes - because in the days of traditional ops we had solid infrastructure with no security holes - like BIND and Sendmail.

      This isn't a generationally specific issue - just something on which the vast majority of the IT world has always been shite at.

  2. Anonymous Coward
    Anonymous Coward

    not trying to do myself out of a job but..............

    turn on iptables or whatever on the server and only allow access from IP's you want, block everything else.

    a firewall is not the only solution to IT security. Network security is really a stop gap, anyone serious about security would build it in to the app, yes i understand memcached is designed to be run in trusted environments but doesn't stop the security being implemented as close to the app as possible. .

    1. teknopaul Bronze badge

      Re: not trying to do myself out of a job but..............

      Not sure I agree here, if some Muppet puts mysql direct to t'internet you cant blame mysql for not supporting that setup by default.

      Memcached is pretty well known.

      Some projects do try to lock down by default, its work, its an annoyance for initially testing. You cant blame projects for not doing it.

      Readme saying "dont put this server on the Internet" is an acceptable approach, imho.

    2. Anonymous Coward
      Anonymous Coward

      Re: not trying to do myself out of a job but..............

      Or mod_security. But that would mean disrupting those well laid plans to replace apache with nginx, and require the retention of at least a few old timers with the skills to maintain the configs. Hell, just skip a few pages in the playbook and outsource all the external stuff to the CMS provider du jour like Sitecore. Need actual apps on the outside? Just give Sales a bunch of bit.ly links to a half dozen disparate SaaS providers. They can figure out how to manage all those userids and passwords themselves because there's no one left who understands the core identity system. The IT apocalypse is upon them, and they'll never know until it's too late. Gotta go now: time to open the bait shop in St. Augustine.

    3. Daggerchild Silver badge

      Re: not trying to do myself out of a job but..............

      *Forges UDP source IP*

      Firewalls too often only protect the front, not the sides. If you have a DNS server that won't answer UDP queries except from your local LAN, a forged local source IP will still allow me to make you connect to my malicious DNS server and load up with evil data.

      The best way to protect something that shouldn't be on the Internet, really is to not put it on the Internet.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019