Infosec

Source: blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

Want to scan your network? Get the memcached nmap script.

https://nmap.org/nsedoc/scripts/memcached-info.html

Scan the network with nmap for open memcached ports (the range below is an example; replace it with your own).

sudo nmap 127.0.0.1/18 -p 11211 -sU -sS --script memcached-info >> memcrashed.log

Filter the nmap log to find the IPs that are actually vulnerable.

cat memcrashed.log | grep -B 16 Authentication | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" >> sorted_memcrashed.log

You can verify each host with this one-liner, which sends a memcached stats request over UDP.

while read -r a; do echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u "$a" 11211 ; done < sorted_memcrashed.log
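The grep -B 16 filter above assumes every host block in the log has the same length, so it can pick up addresses from neighbouring hosts. As an added example (not from the original post), this shell function attributes each "Authentication no" line to the host block it belongs to. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: report hosts whose memcached-info output says
# "Authentication no", tied to the host block the line belongs to.
exposed_memcached_hosts() {
    # $1: nmap normal-format log, e.g. memcrashed.log from the scan above
    awk '
        /^Nmap scan report for / {
            host = $NF                 # "(addr)" when a hostname precedes it
            gsub(/[()]/, "", host)
            port = ""
            next
        }
        /^[0-9]+\/(tcp|udp)[ \t]/ {    # port row, e.g. "11211/udp open memcache"
            port = $1
            next
        }
        /^\|.*Authentication[ \t]+no[ \t]*$/ && host != "" {
            print host "\t" port       # script output belongs to the last port row
        }
    ' "$1" | sort -u
}

# Constructed sample log (documentation addresses, not real scan output).
write_sample_log() {
    cat > "$1" <<'EOF'
Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).

PORT      STATE  SERVICE
11211/tcp closed memcache
11211/udp closed memcache

Nmap scan report for cache1.example.test (192.0.2.11)
Host is up (0.0012s latency).

PORT      STATE SERVICE
11211/tcp open  memcache
| memcached-info:
|   Process ID           1234
|_  Authentication       no
11211/udp open  memcache
| memcached-info:
|   UDP Port             11211
|_  Authentication       no
EOF
}

log=$(mktemp)
write_sample_log "$log"
exposed_memcached_hosts "$log"   # one "address<TAB>port/proto" line per finding
rm -f "$log"
```

Hosts listed with a udp port are the ones relevant to the amplification issue and should have memcached's UDP listener disabled or firewalled.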

CloudFlare is horrible for many reasons. It might make everything super easy. You get DDoS protection, seamless SSL integration, very simple DNS management, and the ability to hide your server’s IP. But with all of that convenience you lose control of your data, and your sites are now open to MITM attacks by Big Brother. Data going through their servers is encrypted/decrypted on their servers; they retain the private key (unless you pay $5,000/mo for their enterprise plan).

Their snake-oil security

What worries me the most is that more and more sites across the web are starting to use CloudFlare, especially with their free-tier SSL certificates. This creates a false sense of security, as people think their information is encrypted and no one can read it, but in reality it’s going through CloudFlare’s network, which is most likely working with three-letter agencies directly or indirectly in their SIGINT programs to store exabytes of traffic data from sites that could contain valuable information to them.

As we’ve seen in the Snowden docs, intelligence agencies hoard zero-day exploits and use them on their targets. I speculate that CloudFlare could be used to deliver those exploits en masse or to deliver them to a target who visits a site that uses CloudFlare. CloudFlare’s entire model could definitely make it easier for intelligence agencies to deliver their nasty exploits. The NSA has already broken into some of the biggest companies in the world; it would only make sense for them to have done this to CloudFlare as well.

Of course this is all speculation, but who are we kidding? We haven’t even seen half of the Snowden docs. The NSA is capable of so much more than we’ve seen, and I’ll tell you “told ya so” if my speculations become known facts. 🙂