Re: memcached UDP amplification attacks

["Seaman, Chad" <cseaman () akamai com>]

Tomas,

You’re not wrong, that was a typo in the blog.

Regards,
Chad

On 3/7/18, 5:10 AM, "Tomas Hoger" <thoger () redhat com> wrote:

    On Fri, 2 Mar 2018 21:42:30 -0700 Kurt Seifried wrote:
    
    > I have assigned CVE-2018-1000115 to this issue:
    > 
    > Memcached version 1.5.5 contains an Insufficient Control of Network
    > Message Volume (Network Amplification, CWE-406) vulnerability in the
    > UDP support of the memcached server that can result in denial of
    > service via network flood (traffic amplification of 1:50,000 has been
    > reported by reliable sources). This attack appear to be exploitable
    > via network connectivity to port 11211 UDP. This vulnerability
    > appears to have been fixed in 1.5.6 due to the disabling of the UDP
    > protocol by default.
    
    Minor nitpick, the description mentions 1:50,000 ratio, apparently
    based on the information in the following reference:
    
    > https://blogs.akamai.com/2018/03/memcached-fueled-13-tbps-attacks.html
    
    where it's mentioned as:
    
    """
    Worse, memcached can have an amplification factor of over 50,000,
    meaning a 203 byte request results in a 100 megabyte response.
    """
    
    However, 200 * 50k = 10m, not 100m.  Wonder if I'm doing my math wrong.
    
    -- 
    Tomas Hoger / Red Hat Product Security