oss-sec mailing list archives

memcached UDP amplification attacks


From: Hanno Böck <hanno () hboeck de>
Date: Fri, 2 Mar 2018 12:44:28 +0100

Hi,

In the past days there have been reports about some DDoS attacks
abusing the memcached UDP protocol:
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
https://www.wired.com/story/github-ddos-memcached/


The issue: memcached has a UDP protocol that allows getting a much
larger reply than the query sent, thus allowing amplification attacks
with forged sender IPs.


Upstream memcached reacted by disabling the UDP-based protocol by
default:
https://github.com/memcached/memcached/wiki/ReleaseNotes156
This is good, however one could argue that they should also default to
localhost only.


Most distros I checked right now default to enabling UDP, but
restricting connections to 127.0.0.1. While this is not directly
vulnerable, it's only a minor change away from being so. The memcached
announcement sounds like the UDP protocol is rarely used and should be
considered deprecated and replaced by the TCP-based one.

I recommend all distributions consider changing their defaults to
disabling the UDP-based memcached protocol by default.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
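A defender-side check for the two settings the mail discusses, added here as an example and not part of the original post or of memcached itself: it audits a Debian/Ubuntu-style memcached.conf (one daemon option per line) for the UDP port option `-U` (0 disables UDP) and the listen address `-l`, and reports whether UDP is off, loopback-only, or exposed. The config file layout and the assumption that a missing `-U` means UDP is on (pre-1.5.6 default) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a Debian/Ubuntu-style memcached.conf (one daemon option
# per line, '#' comments) for the UDP port (-U, where 0 disables UDP) and the
# listen address (-l).
# Exit codes: 0 = UDP disabled, 1 = UDP on but loopback-only (one config
# change away from exposure), 2 = UDP reachable beyond loopback.

# Print the value of daemon option -$1 from config text on stdin.
# Accepts both "-U 0" and "-U0"; the last occurrence wins; empty if absent.
memcached_opt() {
    awk -v opt="-$1" '
        { sub(/#.*/, "") }                                               # drop comments
        $1 == opt                                  { val = $2 }          # "-U 0"
        length($1) > 2 && substr($1, 1, 2) == opt  { val = substr($1, 3) }  # "-U0"
        END { print val }'
}

# Classify the config on stdin; prints a one-line verdict, returns 0/1/2.
memcached_udp_exposure() {
    cfg=$(cat)
    udp_port=$(printf '%s\n' "$cfg" | memcached_opt U)
    listen=$(printf '%s\n' "$cfg" | memcached_opt l)
    if [ -z "$udp_port" ]; then
        # No -U: memcached before 1.5.6 enables UDP on 11211; assume the worst.
        udp_port=11211
    fi
    if [ "$udp_port" = "0" ]; then
        echo "ok: UDP disabled (-U 0)"
        return 0
    fi
    loopback_only=1
    if [ -z "$listen" ]; then
        loopback_only=0          # no -l: memcached binds all interfaces
    fi
    for addr in $(printf '%s' "$listen" | tr ',' ' '); do   # -l may be a list
        case "$addr" in
            127.0.0.1|::1|localhost) ;;
            *) loopback_only=0 ;;
        esac
    done
    if [ "$loopback_only" = "1" ]; then
        echo "warn: UDP port $udp_port enabled, loopback only (-l $listen)"
        return 1
    fi
    echo "CRITICAL: UDP port $udp_port reachable on ${listen:-all interfaces}"
    return 2
}
```

Run it as `memcached_udp_exposure < /etc/memcached.conf`; a non-zero exit means the host still speaks UDP and the `-U 0` change the mail recommends has not been applied.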

