[NLNOG] memcached UDP/11211 IOS XR ratelimit example
Job Snijders
job at ntt.net
Thu Mar 1 11:30:16 CET 2018
Dear all,
As you've probably read by now, we're facing a significant threat
in the shape of the memcached UDP protocol. The current best practice is
to apply rate-limits on all external facing ports and police UDP/11211
traffic down to something manageable. This protects both your own
infrastructure and your customers.
Here are numerous pointers: http://www.senki.org/memcached-on-port-11211-udp-tcp-being-exploited/
I recommend adding memcached UDP/11211 to the same "exploitable ports"
list as NTP, CHARGEN and SSDP. Below is a configuration example for IOS
XR to rate-limit these amplification-sensitive UDP ports to 1% of the
port's capacity.
ipv4 access-list exploitable-ports
 permit udp any eq ntp any
 permit udp any eq 1900 any
 permit udp any eq 19 any
 permit udp any eq 11211 any
!
ipv6 access-list exploitable-ports-v6
 permit udp any eq ntp any
 permit udp any eq 1900 any
 permit udp any eq 19 any
 permit udp any eq 11211 any
!
class-map match-any exploitable-ports
 match access-group ipv4 exploitable-ports
 match access-group ipv6 exploitable-ports-v6
 end-class-map
!
policy-map ntt-external-in
 class exploitable-ports
  police rate percent 1
   conform-action transmit
   exceed-action drop
  !
  set precedence 0
  set mpls experimental topmost 0
 !
 class class-default
  set mpls experimental imposition 0
  set precedence 0
 !
 end-policy-map
!
interface Bundle-Ether19
 description Customer: the best customer
 service-policy input ntt-external-in
 ipv4 address xxx/x
 ipv6 address yyy/y
 ...
!
interface Bundle-Ether20
 service-policy input ntt-external-in
 ...
... etc ...
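The following is an added example, not part of the original post: a small Python check that estimates how much of a link's capacity the "exploitable-ports" class (UDP source ports NTP, SSDP, CHARGEN and memcached) would take, so you can judge whether a 1% policer catches the amplification traffic while leaving normal NTP alone. The flow records, the interface capacities and the CSV field layout are constructed assumptions.

```python
"""Estimate the share of link capacity matched by the exploitable-ports class.

Constructed example (not from the post). Assumed flow record layout:
interface,proto,src_port,dst_port,bytes,duration_seconds
"""
from collections import defaultdict

# UDP source ports matched by the ACL in the post: NTP, SSDP, CHARGEN, memcached.
EXPLOITABLE_UDP_PORTS = {123, 1900, 19, 11211}

# Assumed per-interface link capacity in bits/s (placeholder values, 10G bundles).
LINK_CAPACITY_BPS = {
    "Bundle-Ether19": 10_000_000_000,
    "Bundle-Ether20": 10_000_000_000,
}

# Constructed 5-second sample of inbound flows toward customers.
SAMPLE_FLOWS = """\
Bundle-Ether19,udp,11211,40000,600000000,5
Bundle-Ether19,udp,123,50001,9000,5
Bundle-Ether19,tcp,443,55000,80000000,5
Bundle-Ether20,udp,1900,3333,40000000,5
Bundle-Ether20,udp,53,44000,2000000,5
"""


def parse_flows(text):
    """Parse the constructed CSV layout into tuples with numeric fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        iface, proto, sport, dport, nbytes, secs = line.split(",")
        flows.append((iface, proto, int(sport), int(dport), int(nbytes), float(secs)))
    return flows


def policed_share(flows, capacity_bps, policer_percent=1.0):
    """Return {iface: (percent_of_capacity, exceeds_policer)} for class traffic."""
    matched_bits = defaultdict(float)
    window = defaultdict(float)
    for iface, proto, sport, _dport, nbytes, secs in flows:
        window[iface] = max(window[iface], secs)
        # The class matches on the UDP *source* port, as in the ACL ("eq <port> any").
        if proto == "udp" and sport in EXPLOITABLE_UDP_PORTS:
            matched_bits[iface] += nbytes * 8
    result = {}
    for iface, cap in capacity_bps.items():
        bps = matched_bits[iface] / window[iface] if window[iface] else 0.0
        share = 100.0 * bps / cap
        result[iface] = (round(share, 3), share > policer_percent)
    return result
```

Run `policed_share(parse_flows(SAMPLE_FLOWS), LINK_CAPACITY_BPS)`: the memcached-heavy interface sits far above 1% and would be policed, while the modest SSDP/NTP traffic on the other stays under the limit.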
Please share your own examples too!
Kind regards,
Job