[Koha] DDoS attack on memcached

Paul A paul.a at navalmarinearchive.com
Thu Mar 1 08:32:00 NZDT 2018


On 2018-02-28 01:47 PM, Chris Cormack wrote:
> That will work, however unless you have configured your memcached server to listen on an external IP it will only be listening on localhost. It's worth checking both though.

and/or block at border -- there's an up-tick in attempts. In the last 
few minutes:

Feb 28 14:05:20 Wed Feb 28 14:05:11 2018 router2 System Log: Blocked incoming UDP packet from 185.94.111.1:52499 to 70.52.***.***:11211
Feb 28 14:07:06 Wed Feb 28 14:06:59 2018 router2 System Log: Blocked incoming UDP packet from 46.243.189.105:37750 to 70.52.***.***:11211

Best -- P.
> 
> Chris
> 
> On 1 March 2018 2:55:56 AM NZDT, Mark Alexander <marka at pobox.com> wrote:
>> Apparently, a bug in memcached (which we use in Koha) causes it to be
>> used as an intermediary in a DDoS attack:
>>
>> https://arstechnica.com/information-technology/2018/02/in-the-wild-ddoses-use-new-way-to-achieve-unthinkable-sizes/
>>
>> I'm not an expert on this kind of thing by any means, but judging
>> from this:
>>
>>   https://github.com/memcached/memcached/wiki/ReleaseNotes156
>>
>> It seems that we can disable the attack by preventing memcached from
>> listening on a UDP port.  I was able to do this by adding the
>> following lines to /etc/memcached.conf:
>>
>>   # Disable UDP
>>   -U 0
>>
>> Then restarted memcached and apache2.
>>
>> My questions for the experts: Is this the correct approach?  Is it even
>> necessary?
>> Is there more we should do?
> 
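
The two checks discussed in this thread (UDP disabled with "-U 0", memcached bound to localhost only) can be scripted. The following is an added example, not part of the original messages; the function names check_conf and exposed_udp and all sample input are hypothetical and constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Sample input is constructed.

# Read a memcached.conf on stdin; print "udp=<state> listen=<addr>".
# Handles the "-U <port>" and "-l <addr>" line forms.
check_conf() {
    awk '
        { sub(/#.*/, "") }    # strip comments such as "# Disable UDP"
        $1 == "-U" { udp = ($2 == "0") ? "disabled" : ("port-" $2) }
        $1 == "-l" { listen = $2 }
        END {
            # No -U line: the default depends on the memcached version.
            if (udp == "") udp = "version-default"
            # No -l line: memcached binds every interface.
            if (listen == "") listen = "all-interfaces"
            print "udp=" udp " listen=" listen
        }'
}

# Read "ss -lun" output on stdin; print each non-loopback local address
# with UDP port 11211 open. Returns 0 only if at least one was found.
exposed_udp() {
    awk '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /:11211$/) {    # first match is the local address
                    if ($i !~ /^(127\.|\[::1\])/) { print $i; found = 1 }
                    break
                }
        }
        END { exit !found }'
}

# Constructed samples: a conf carrying the fix from the thread, and socket
# output for a host that still has UDP 11211 open on every interface.
SAMPLE_CONF='# Disable UDP
-U 0
-l 127.0.0.1'
SAMPLE_SS='UNCONN 0 0 127.0.0.1:11211 0.0.0.0:*
UNCONN 0 0 0.0.0.0:11211 0.0.0.0:*
UNCONN 0 0 0.0.0.0:68 0.0.0.0:*'

printf '%s\n' "$SAMPLE_CONF" | check_conf
if printf '%s\n' "$SAMPLE_SS" | exposed_udp; then
    echo "memcached UDP is reachable beyond loopback"
fi
```

On a real host, feed the functions with "check_conf < /etc/memcached.conf" and "ss -lun | exposed_udp".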


