[Koha] DDoS attack on memcached

Pablo Bianchi pablo.bianchi at gmail.com
Sat Mar 3 18:46:46 NZDT 2018


After reading about the GitHub DDoS incident
<https://githubengineering.com/ddos-incident-report/> I found out more
about it in this Cloudflare post
<https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/>,
which states:
> echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211
> If you see non-empty response (like the one above), your server is vulnerable.

And it is, but testing from outside:

nmap *TARGET* -p 11211 -sU -sS --script memcached-info

in my case (a fresh Koha install with memcached) the ports are closed/filtered;
it seems secure because of the firewall and this line in the default
/etc/memcached.conf:

# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make sure
# it's listening on a firewalled interface.
-l 127.0.0.1

So nothing to worry about, right?

Regards,
Pablo
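
An added example (not part of the original message, and not Koha or memcached project code): a Python check that reads a Debian-style memcached.conf and reports whether the listen address is loopback-only and whether UDP is explicitly switched off. It assumes memcached's `-U` option (UDP port, 0 disables it), which the message does not mention; the function names, finding codes and sample configs are constructed for illustration.

```python
import ipaddress
ALIASES = {"--listen": "-l", "--udp-port": "-U"}  # long option spellings

def parse_conf(text):
    """Map each option in memcached.conf-style text to its value."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.replace("=", " ", 1).partition(" ")
        opts[ALIASES.get(key, key)] = val.strip()
    return opts

def is_loopback(addr):
    """True only for literal loopback addresses or 'localhost'."""
    host = addr.strip()
    if host.startswith("["):                 # e.g. [::1]:11211
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:               # e.g. 127.0.0.1:11211
        host = host.split(":", 1)[0]
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                         # unknown name: assume reachable

def audit(text):
    """Return finding codes; an empty list means loopback-only with UDP off."""
    opts, findings = parse_conf(text), []
    if "-l" not in opts:
        findings.append("listen-all")        # default: listen on all addresses
    else:
        findings += ["listen-non-loopback:" + a.strip()
                     for a in opts["-l"].split(",") if not is_loopback(a)]
    if "-U" not in opts:
        findings.append("udp-unset")         # UDP state left to the build default
    elif opts["-U"] != "0":
        findings.append("udp-enabled:" + opts["-U"])
    return findings

# Constructed sample inputs, modelled on the -l line quoted in the message.
AS_POSTED = "# comment\n-m 64\n-p 11211\n-l 127.0.0.1\n"
HARDENED = AS_POSTED + "-U 0\n"
OPEN = "-m 64\n-p 11211\n"
if __name__ == "__main__":
    for name, conf in [("as posted", AS_POSTED), ("hardened", HARDENED), ("open", OPEN)]:
        print(name, audit(conf) or "no findings")
```

A config with only `-l 127.0.0.1` yields `udp-unset`: the loopback binding keeps outside hosts away, while a local UDP probe can still get an answer if the build enables UDP by default.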

