Nmap Development mailing list archives
Re: UDP payload for memcached (11211/udp)
From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 2 Mar 2018 21:22:52 -0600
David,

I actually added one earlier today, but using the 'version' payload instead of the 'stats' one. Everyone is using 'stats' for testing the DDoS amplification issue, so it's likely to be flagged by IDS signatures. We use 'stats' for version detection because it has overlap (on TCP) with Zookeeper (and because it was already suggested by someone once.)

Dan

On Fri, Mar 2, 2018 at 7:49 PM, David Fifield <david () bamsoftware com> wrote:

> Marek suggests a payload for detecting memcached on UDP:
> https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/#memcachedusers
> (untested by me)
>
> udp 11211 "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n"
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
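Added example (not part of the original thread and not Nmap's own code): the eight bytes in front of the command in the quoted payload are memcached's UDP frame header, four big-endian 16-bit fields (request ID, sequence number, total datagrams, reserved). The Python sketch below builds the 'version' probe Dan describes and validates a reply; the function names and the sample reply bytes are constructed for illustration.

```python
import struct

# memcached UDP frame header: request ID, sequence number,
# total datagrams in the message, reserved (must be 0).
HEADER = struct.Struct("!HHHH")

def build_probe(command=b"version", request_id=0):
    """Single-datagram request: sequence 0 of 1, then the ASCII command."""
    return HEADER.pack(request_id, 0, 1, 0) + command + b"\r\n"

def parse_version_reply(datagram, request_id=0):
    """Return the version string if the datagram is a well-formed reply
    to our 'version' probe, otherwise None."""
    if len(datagram) < HEADER.size:
        return None
    rid, seq, total, reserved = HEADER.unpack_from(datagram)
    # The server echoes the request ID; reject anything inconsistent.
    if rid != request_id or reserved != 0 or total < 1 or seq >= total:
        return None
    body = datagram[HEADER.size:]
    if not (body.startswith(b"VERSION ") and body.endswith(b"\r\n")):
        return None
    return body[len(b"VERSION "):-2].decode("ascii", "replace")

# Constructed sample reply (not captured from a real server).
SAMPLE_REPLY = b"\x00\x00\x00\x00\x00\x01\x00\x00VERSION 1.5.6\r\n"

if __name__ == "__main__":
    print(build_probe())                      # the 'version' probe bytes
    print(parse_version_reply(SAMPLE_REPLY))  # version from the sample
```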