DDoS attack on memcached
Apparently, a bug in memcached (which we use in Koha) causes it to be used as an intermediary in a DDoS attack: https://arstechnica.com/information-technology/2018/02/in-the-wild-ddoses-us...

I'm not an expert on this kind of thing by any means, but judging from this: https://github.com/memcached/memcached/wiki/ReleaseNotes156

It seems that we can disable the attack by preventing memcached from listening on a UDP port. I was able to do this by adding the following lines to /etc/memcached.conf:

# Disable UDP
-U 0

Then restarted memcached and apache2.

My questions for the experts: Is this the correct approach? Is it even necessary? Is there more we should do?
That will work; however, unless you have configured your memcached server to listen on an external IP, it will only be listening on localhost. It's worth checking both, though.

Chris

On 1 March 2018 2:55:56 AM NZDT, Mark Alexander <marka@pobox.com> wrote:
Apparently, a bug in memcached (which we use in Koha) causes it to be used as an intermediary in a DDoS attack:
https://arstechnica.com/information-technology/2018/02/in-the-wild-ddoses-us...
I'm not an expert on this kind of thing by any means, but judging from this:
https://github.com/memcached/memcached/wiki/ReleaseNotes156
It seems that we can disable the attack by preventing memcached from listening on a UDP port. I was able to do this by adding the following lines to /etc/memcached.conf:
# Disable UDP
-U 0
Then restarted memcached and apache2.
My questions for the experts: Is this the correct approach? Is it even necessary? Is there more we should do?
On 2018-02-28 01:47 PM, Chris Cormack wrote:
That will work, however unless you have configured your memcached server to listen on an external IP it will only be listening on localhost. It's worth checking both though.
and/or block at border -- there's an up-tick in attempts. In the last few minutes:

Feb 28 14:05:20 Wed Feb 28 14:05:11 2018 router2 System Log: Blocked incoming UDP packet from 185.94.111.1:52499 to 70.52.***.***:11211
Feb 28 14:07:06 Wed Feb 28 14:06:59 2018 router2 System Log: Blocked incoming UDP packet from 46.243.189.105:37750 to 70.52.***.***:11211

Best -- P.
After reading about the GitHub DDoS incident <https://githubengineering.com/ddos-incident-report/> I found out more on this Cloudflare post <https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/>, which states:
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211

If you see a non-empty response (like the one above), your server is vulnerable.
And it is, but testing from outside:

nmap *TARGET* -p 11211 -sU -sS --script memcached-info

in my case (a fresh Koha install with memcached) the ports are closed/filtered; it seems secure because of the firewall and this line in the default /etc/memcached.conf:

# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make sure
# it's listening on a firewalled interface.
-l 127.0.0.1

So nothing to worry about, right?

Regards,
Pablo
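An added example, written for this page and not posted by anyone in the thread: a small POSIX sh audit that checks the two /etc/memcached.conf settings the replies above rely on, "-U 0" (UDP off, as in Mark's fix) and "-l 127.0.0.1" (loopback only, as in Pablo's default config), and that scans `ss -lun` output for a UDP listener on 11211 bound to a non-loopback address. The function names are mine, and every config and socket-listing sample is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added audit helper (not from the thread): checks the two memcached.conf
# settings the posters rely on, "-U 0" (UDP off) and "-l 127.0.0.1" (loopback
# only), and scans `ss -lun` output for a UDP listener on 11211 that is bound
# to a non-loopback address. All sample input below is constructed.

# Print the port from the last "-U <port>" line of a memcached.conf read from
# stdin, or "unset" if -U never appears (the daemon default then applies,
# which depends on the memcached version, so it is flagged for review).
memcached_udp_port() {
    awk '
        /^[ \t]*#/ { next }                  # comment line
        $1 == "-U" && NF >= 2 { port = $2 }  # last occurrence wins, like argv
        END { print (port == "" ? "unset" : port) }
    '
}

# Same for "-l <address>": the bind address, or "unset" (= all addresses,
# as the comment in the stock Debian config quoted above says).
memcached_listen_addr() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "-l" && NF >= 2 { addr = $2 }
        END { print (addr == "" ? "unset" : addr) }
    '
}

# Read a memcached.conf from stdin and print "OK" or "RISK: <findings>".
audit_memcached_conf() {
    conf=$(cat)
    udp=$(printf '%s\n' "$conf" | memcached_udp_port)
    addr=$(printf '%s\n' "$conf" | memcached_listen_addr)
    findings=""
    case "$udp" in
        0) ;;                                        # UDP explicitly disabled
        *) findings="${findings}udp-not-disabled(${udp}) " ;;
    esac
    case "$addr" in
        127.0.0.1|::1|localhost) ;;                  # loopback only
        *) findings="${findings}listen-not-loopback(${addr}) " ;;
    esac
    if [ -z "$findings" ]; then
        echo "OK"
    else
        echo "RISK: ${findings% }"
    fi
}

# Read `ss -lun`-style output from stdin and print "exposed" if any UDP
# socket on port 11211 is bound to a non-loopback address, "loopback" if it
# is bound only to 127.0.0.1 / [::1], and "none" if nothing listens there.
udp_11211_exposure() {
    awk '
        $1 == "UNCONN" {
            n = split($4, parts, ":")        # Local Address:Port; IPv6 has many colons
            port = parts[n]
            if (port != "11211") next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") { loop = 1 } else { exposed = 1 }
        }
        END { print (exposed ? "exposed" : (loop ? "loopback" : "none")) }
    '
}

# --- constructed samples (not captured from any host in the thread) ---
WEAK_CONF='# listens on every address, UDP left at the daemon default
-m 64
-p 11211
-l 0.0.0.0'

HARDENED_CONF='# hardened as in the thread: loopback only, UDP off
-m 64
-p 11211
-l 127.0.0.1
# Disable UDP
-U 0'

SS_SAMPLE='State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
UNCONN  0       0        0.0.0.0:11211        0.0.0.0:*
UNCONN  0       0        127.0.0.1:323        0.0.0.0:*'

printf '%s\n' "$WEAK_CONF"     | audit_memcached_conf   # RISK: udp-not-disabled(unset) listen-not-loopback(0.0.0.0)
printf '%s\n' "$HARDENED_CONF" | audit_memcached_conf   # OK
printf '%s\n' "$SS_SAMPLE"     | udp_11211_exposure     # exposed

# On a real Koha host, run the same checks against live data:
#   audit_memcached_conf < /etc/memcached.conf
#   ss -lun | udp_11211_exposure
```

The config audit and the socket scan are deliberately separate: a correct memcached.conf proves nothing if the service was restarted with different flags, and an `ss` listing that shows only 127.0.0.1:11211 still leaves the config worth fixing so the next package upgrade does not reopen UDP. Running both, plus the localhost `stats` probe Pablo quotes, covers what is in the file, what is actually bound, and whether the bound socket answers.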