[Koha] DDoS attack on memcached
Paul A
paul.a at navalmarinearchive.com
Thu Mar 1 08:32:00 NZDT 2018
On 2018-02-28 01:47 PM, Chris Cormack wrote:
> That will work, however unless you have configured your memcached server to listen on an external IP it will only be listening on localhost. It's worth checking both though.
and/or block at border -- there's an up-tick in attempts. In the last
few minutes:
Feb 28 14:05:20 Wed Feb 28 14:05:11 2018 router2 System Log: Blocked
incoming UDP packet from 185.94.111.1:52499 to 70.52.***.***:11211
Feb 28 14:07:06 Wed Feb 28 14:06:59 2018 router2 System Log: Blocked
incoming UDP packet from 46.243.189.105:37750 to 70.52.***.***:11211
Best -- P.
>
> Chris
>
> On 1 March 2018 2:55:56 AM NZDT, Mark Alexander <marka at pobox.com> wrote:
>> Apparently, a bug in memcached (which we use in Koha) causes it to be
>> used an intermediary in a DDoS attack:
>>
>> https://arstechnica.com/information-technology/2018/02/in-the-wild-ddoses-use-new-way-to-achieve-unthinkable-sizes/
>>
>> I'm not an expert on this kind of thing by any means, but judging
>>from this:
>>
>> https://github.com/memcached/memcached/wiki/ReleaseNotes156
>>
>> It seems that we can disable the attack by preventing memcached from
>> listening on a UDP port. I was able to do this by adding the
>> following lines to /etc/memcached.conf:
>>
>> # Disable UDP
>> -U 0
>>
>> Then restarted memcached and apache2.
>>
>> My questions for the experts: Is this the correct approach? Is it even
>> necessary?
>> Is there more we should do?
>> _______________________________________________
>> Koha mailing list http://koha-community.org
>> Koha at lists.katipo.co.nz
>> https://lists.katipo.co.nz/mailman/listinfo/koha
>
More information about the Koha
mailing list