Popular cache utility exploited for massive reflected DoS attacks Attackers have discovered a new amplified denial-of-service attack vector, and have launched attacks reaching hundreds of gigabits per second in Asia, North America and Europe. Former Internet Systems Consortium CEO and now Akamai principal architect Barry Raveendran Greene has detailed the reflected DOS attack on his blog and …
Too many numpties, too many deadlines.
When you have a combination of incompetent managers and developers, these things happen all the time. From IOT to big servers, and sometimes it happens with the security dev screaming bloody murder. "Nah, nobody is going to do that..."
Ah yes - because in the days of traditional ops we had solid infrastructure with no security holes - like BIND and Sendmail.
This isn't a generationally specific issue - just something on which the vast majority of the IT world has always been shite at.
turn on iptables or whatever on the server and only allow access from IP's you want, block everything else.
a firewall is not the only solution to IT security. Network security is really a stop gap, anyone serious about security would build it in to the app, yes i understand memcached is designed to be run in trusted environments but doesn't stop the security being implemented as close to the app as possible. .
Not sure I agree here, if some Muppet puts mysql direct to t'internet you cant blame mysql for not supporting that setup by default.
Memcached is pretty well known.
Some projects do try to lock down by default, its work, its an annoyance for initially testing. You cant blame projects for not doing it.
Readme saying "dont put this server on the Internet" is an acceptable approach, imho.
Or mod_security. But that would mean disrupting those well laid plans to replace apache with nginx, and require the retention of at least a few old timers with the skills to maintain the configs. Hell, just skip a few pages in the playbook and outsource all the external stuff to the CMS provider du jour like Sitecore. Need actual apps on the outside? Just give Sales a bunch of bit.ly links to a half dozen disparate SaaS providers. They can figure out how to manage all those userids and passwords themselves because there's no one left who understands the core identity system. The IT apocalypse is upon them, and they'll never know until it's too late. Gotta go now: time to open the bait shop in St. Augustine.
*Forges UDP source IP*
Firewalls too often only protect the front, not the sides. If you have a DNS server that won't answer UDP queries except from your local LAN, a forged local source IP will still allow me to make you connect to my malicious DNS server and load up with evil data.
The best way to protect something that shouldn't be on the Internet, really is to not put it on the Internet.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
