Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: UDP payload for memcached (11211/udp)

From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 2 Mar 2018 21:22:52 -0600
David,

I actually added one earlier today, but using the 'version' payload instead
of the 'stats' one. Everyone is using 'stats' for testing the DDoS
amplification issue, so it's likely to be flagged by IDS signatures. We use
'stats' for version detection because it has overlap (on TCP) with
Zookeeper (and because it was already suggested by someone once.)

Dan

On Fri, Mar 2, 2018 at 7:49 PM, David Fifield <david () bamsoftware com> wrote:


Marek suggests a payload for detecting memcached on UDP:
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-
port-11211/#memcachedusers

(untested by me)

udp 11211 "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n"
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: