nanog mailing list archives
Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
From: Stephen Satchell <list () satchell net>
Date: Fri, 2 Mar 2018 08:15:42 -0800
On 03/01/2018 02:55 PM, Royce Williams wrote:
pstream, until two days ago, the default was to listen on all interfaces. https://github.com/memcached/memcached/wiki/ReleaseNotes156 The package maintainers were (thankfully) injecting additional sanity.
Yes, they did, in commit dbb7a8af. Here is the commit comment:
disable UDP port by defaultAs reported, UDP amplification attacks have started to use insecureinternet-exposed memcached instances. UDP used to be a lot more popular as a transport for memcached many years ago, but I'm not aware of many recent users.Ten years ago, the TCP connection overhead from many clients was relativelyhigh (dozens or hundreds per client server), but these days many clients are batched, or user fewer processes, or simply anre't worried about it.While changing the default to listen on localhost only would also help, thetrue culprit is UDP. There are many more use cases for using memcached over the network than there are for using the UDP protocol. --------------------------------- memcached.c --------------------------------- index 88a5f2e..7178666 100644
But then you look at the changes in that commit: what makes this a less-than-ideal change is that they didn't modify the default configuration file to include "-U 0".
By defaulting their settings.udpport to zero in the C code, they stop-punch the astonishment factor. By not changing the distribution sysconfig file, though, they open a pitfall for those people who use UDP. The problem? They could have put a warning in the default file so that people who add OPTIONS="U 11211" would be told to firewall that UDP port from the public internet at large.
(Then there is the case of people deploying memcached in the cloud, which would incur additional difficulties. But that's another argument...)
Current thread:
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks, (continued)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Owen DeLong (Mar 01)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Christopher Morrow (Mar 01)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Randy Bush (Mar 01)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Christopher Morrow (Mar 01)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Christopher Morrow (Mar 01)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Mike Hammett (Mar 01)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Randy Bush (Mar 01)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Jippen (Mar 01)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Randy Bush (Mar 01)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Christopher Morrow (Mar 01)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Owen DeLong (Mar 01)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Royce Williams (Mar 01)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Stephen Satchell (Mar 02)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks Mark Andrews (Mar 02)
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks K. Scott Helms (Mar 02)
- Message not available
- Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks K. Scott Helms (Mar 02)