oss-sec mailing list archives
memcached UDP amplification attacks
From: Hanno Böck <hanno () hboeck de>
Date: Fri, 2 Mar 2018 12:44:28 +0100
Hi,

In the past days there have been reports about some DDoS attacks abusing the memcached UDP protocol:

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
https://www.wired.com/story/github-ddos-memcached/

The issue: memcached has a UDP protocol that allows getting a much larger reply than the query sent, thus allowing amplification attacks with forged sender IPs.

Upstream memcached reacted by disabling the UDP-based protocol by default:

https://github.com/memcached/memcached/wiki/ReleaseNotes156

This is good, however one could argue that they should also default to localhost only.

Most distros I checked right now default to enabling UDP, but restricting connections to 127.0.0.1. While this is not directly vulnerable, it's only a minor change away from being so.

The memcached announcement sounds like the UDP protocol is rarely used and should be considered deprecated and replaced by the TCP-based one.

I recommend all distributions consider changing their defaults to disabling the UDP-based memcached protocol by default.

--
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
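An added configuration audit, not part of Hanno's mail or of the memcached project: it classifies a memcached command line into the three states the mail distinguishes (UDP disabled; UDP enabled but bound to loopback only, i.e. "one change away"; UDP reachable beyond loopback). `-U` and `-l` are memcached's real UDP-port and listen-address options; the version threshold assumes the 1.5.6 default change linked above, and the `audit` function and sample command lines are constructed for this example.

```python
import ipaddress
import shlex

# memcached 1.5.6 switched the default to UDP off (-U 0); earlier builds
# listened on UDP 11211 unless the packager passed -U 0 explicitly.
UDP_OFF_BY_DEFAULT_SINCE = (1, 5, 6)

def _parse_version(text):
    return tuple(int(p) for p in text.split("."))

def _loopback_only(listen_value):
    """True if every address in a -l value (comma list, optional :port) is loopback."""
    for item in listen_value.split(","):
        item = item.strip()
        if item.startswith("["):            # [::1]:11211 form
            item = item[1:item.index("]")]
        elif item.count(":") == 1:          # 127.0.0.1:11211 form
            item = item.split(":")[0]
        try:
            if not ipaddress.ip_address(item).is_loopback:
                return False
        except ValueError:                  # hostname or garbage: assume reachable
            return False
    return True

def audit(cmdline, version="1.5.6"):
    """Classify a memcached command line (shell string or argv list).
    'ok'       UDP disabled
    'fragile'  UDP on, but bound to loopback only (one config change from exposed)
    'exposed'  UDP on and reachable beyond loopback (usable as an amplifier)
    """
    argv = shlex.split(cmdline) if isinstance(cmdline, str) else list(cmdline)
    udp_on = _parse_version(version) < UDP_OFF_BY_DEFAULT_SINCE
    listen = None
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-U") or tok.startswith("-l"):   # -U 0 / -U0, -l ADDR
            value = tok[2:]
            if not value and i + 1 < len(argv):
                i += 1
                value = argv[i]
            if tok[:2] == "-U":
                udp_on = value != "0"
            else:
                listen = value or None
        i += 1
    if not udp_on:
        return "ok"
    return "fragile" if listen and _loopback_only(listen) else "exposed"
```

Feed it the command line from a running instance or from a distro's init script; "fragile" is exactly the common distro default the mail describes.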