DDoS attack on memcached

Mark Alexander
Apparently, a bug in memcached (which we use in Koha) causes it to be
used as an intermediary in a DDoS attack:

https://arstechnica.com/information-technology/2018/02/in-the-wild-ddoses-use-new-way-to-achieve-unthinkable-sizes/

I'm not an expert on this kind of thing by any means, but judging
from this:

  https://github.com/memcached/memcached/wiki/ReleaseNotes156

It seems that we can disable the attack by preventing memcached from
listening on a UDP port.  I was able to do this by adding the
following lines to /etc/memcached.conf:

  # Disable UDP
  -U 0

Then I restarted memcached and apache2.

My questions for the experts: Is this the correct approach?  Is it even necessary?
Is there more we should do?
_______________________________________________
Koha mailing list  http://koha-community.org
[hidden email]
https://lists.katipo.co.nz/mailman/listinfo/koha
Re: DDoS attack on memcached

Chris Cormack-7
That will work; however, unless you have configured your memcached server to listen on an external IP, it will only be listening on localhost. It's worth checking both, though.

Chris

On 1 March 2018 2:55:56 AM NZDT, Mark Alexander <[hidden email]> wrote:

>Apparently, a bug in memcached (which we use in Koha) causes it to be
>used an intermediary in a DDoS attack:
>
>https://arstechnica.com/information-technology/2018/02/in-the-wild-ddoses-use-new-way-to-achieve-unthinkable-sizes/
>
>I'm not an expert on this kind of thing by any means, but judging
>from this:
>
>  https://github.com/memcached/memcached/wiki/ReleaseNotes156
>
>It seems that we can disable the attack by preventing memcached from
>listening on a UDP port.  I was able to do this by adding the
>following lines to /etc/memcached.conf:
>
>  # Disable UDP
>  -U 0
>
>Then restarted memcached and apache2.
>
>My questions for the experts: Is this the correct approach?  Is it even
>necessary?
>Is there more we should do?

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: DDoS attack on memcached

Paul A-2
On 2018-02-28 01:47 PM, Chris Cormack wrote:
> That will work, however unless you have configured your memcached server to listen on an external IP it will only be listening on localhost. It's worth checking both though.

and/or block at border -- there's an up-tick in attempts. In the last
few minutes:

Feb 28 14:05:20 Wed Feb 28 14:05:11 2018 router2 System Log: Blocked incoming UDP packet from 185.94.111.1:52499 to 70.52.***.***:11211
Feb 28 14:07:06 Wed Feb 28 14:06:59 2018 router2 System Log: Blocked incoming UDP packet from 46.243.189.105:37750 to 70.52.***.***:11211

Best -- P.

>
> Chris
>
> On 1 March 2018 2:55:56 AM NZDT, Mark Alexander <[hidden email]> wrote:
>> Apparently, a bug in memcached (which we use in Koha) causes it to be
>> used an intermediary in a DDoS attack:
>>
>> https://arstechnica.com/information-technology/2018/02/in-the-wild-ddoses-use-new-way-to-achieve-unthinkable-sizes/
>>
>> I'm not an expert on this kind of thing by any means, but judging
>> from this:
>>
>>   https://github.com/memcached/memcached/wiki/ReleaseNotes156
>>
>> It seems that we can disable the attack by preventing memcached from
>> listening on a UDP port.  I was able to do this by adding the
>> following lines to /etc/memcached.conf:
>>
>>   # Disable UDP
>>   -U 0
>>
>> Then restarted memcached and apache2.
>>
>> My questions for the experts: Is this the correct approach?  Is it even
>> necessary?
>> Is there more we should do?

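As an added example (not from the thread, and not Koha's or memcached's tooling), here is a small POSIX shell helper that summarises router log lines like the ones Paul posted by source address, so an operator can see how many distinct hosts are probing UDP 11211 at the border and which is busiest. It assumes the line format quoted above ("Blocked incoming UDP packet from SRC:PORT to DST:11211"). The sample log is constructed: the first two source addresses are the ones Paul posted, the masked destination is kept as posted, and the extra lines (a repeat source and an unrelated TCP entry from a documentation address) are added only to exercise the counting. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: summarise firewall log lines that
# record blocked inbound UDP to port 11211 (memcached) by source address.
# Assumed line format is the router format quoted in the thread:
#   ... Blocked incoming UDP packet from SRC:PORT to DST:11211

# Read log lines on stdin; print "count source_ip", busiest source first.
# Only UDP to :11211 is counted; TCP and other ports are ignored.
blocked_memcached_udp_by_source() {
    sed -n 's/.*Blocked incoming UDP packet from \([0-9.]*\):[0-9]* to [^ ]*:11211.*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Number of distinct sources seen (stdin: log lines).
blocked_memcached_udp_source_count() {
    blocked_memcached_udp_by_source | wc -l | tr -d ' '
}

# Busiest source, or nothing if no line matched (stdin: log lines).
blocked_memcached_udp_top_source() {
    blocked_memcached_udp_by_source | head -n 1 | awk '{ print $2 }'
}

# Constructed sample log. The first two sources are the ones Paul posted;
# the third line repeats one of them and the fourth is unrelated TCP noise
# from a documentation address (203.0.113.0/24), both added for the demo.
SAMPLE_LOG='Feb 28 14:05:20 Wed Feb 28 14:05:11 2018 router2 System Log: Blocked incoming UDP packet from 185.94.111.1:52499 to 70.52.***.***:11211
Feb 28 14:07:06 Wed Feb 28 14:06:59 2018 router2 System Log: Blocked incoming UDP packet from 46.243.189.105:37750 to 70.52.***.***:11211
Feb 28 14:09:12 Wed Feb 28 14:09:02 2018 router2 System Log: Blocked incoming UDP packet from 185.94.111.1:52500 to 70.52.***.***:11211
Feb 28 14:09:40 Wed Feb 28 14:09:31 2018 router2 System Log: Blocked incoming TCP packet from 203.0.113.7:40000 to 70.52.***.***:22'

# Demo run: per-source table, then the distinct-source count.
printf '%s\n' "$SAMPLE_LOG" | blocked_memcached_udp_by_source
echo "distinct sources: $(printf '%s\n' "$SAMPLE_LOG" | blocked_memcached_udp_source_count)"
```

On a real box you would feed it the router's syslog instead of the sample (for example `grep router2 /var/log/syslog | blocked_memcached_udp_by_source`); a steadily growing distinct-source count is the signal that the border rule is doing real work and that the memcached host behind it should be checked for UDP exposure.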
Re: DDoS attack on memcached

PabloAB
After reading about the GitHub DDoS incident
<https://githubengineering.com/ddos-incident-report/>, I found out more in this Cloudflare post
<https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/>,
which states:
> echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211
> If you see non-empty response (like the one above), your server is vulnerable.

And it is, but testing from outside with: nmap *TARGET* -p 11211 -sU -sS --script memcached-info
in my case (a fresh Koha install with memcached) the ports are closed/filtered, which seems
secure because of the firewall and this line in the default /etc/memcached.conf:

# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make sure
# it's listening on a firewalled interface.
-l 127.0.0.1

So nothing to worry about, right?

Regards,
Pablo
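As an added example (not from the thread, Koha, or the memcached project), here is a POSIX shell audit that checks a Debian-style /etc/memcached.conf for the two settings this thread converges on: Mark's `-U 0` (UDP off) and the `-l 127.0.0.1` (loopback only) line Pablo quotes, and, where the `ss` tool exists, confirms nothing on the host is actually bound to UDP 11211. It assumes the Debian layout (one option per line, a space between flag and value, `#` comments, last occurrence wins); the function names and the sample config file are mine, and the sample is built from the config lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not Koha's or memcached's own tooling): audit a Debian-style
# /etc/memcached.conf for the two settings this thread converges on,
#   -U 0          UDP disabled (memcached 1.5.6+ also defaults to UDP off)
#   -l 127.0.0.1  bound to loopback only
# and, where the ss tool exists, confirm nothing is bound to UDP 11211.
# Assumes the Debian layout: one option per line, "-X value" with a space,
# "#" comments, last occurrence of an option wins.

# Print the value given to option -$1 (e.g. U or l) in config file $2,
# or nothing if the option never appears.
memcached_conf_value() {
    sed -e 's/#.*//' "$2" | awk -v opt="-$1" '$1 == opt { val = $2 } END { print val }'
}

# Succeed only if the config explicitly sets -U 0.
memcached_udp_disabled() {
    [ "$(memcached_conf_value U "$1")" = "0" ]
}

# Succeed only if -l is present and every comma-separated address is loopback.
# No -l at all means memcached listens on every interface (the default the
# shipped comment warns about), so that case fails.
memcached_bound_to_loopback() {
    addrs=$(memcached_conf_value l "$1")
    [ -n "$addrs" ] || return 1
    echo "$addrs" | tr ',' '\n' | while read -r a; do
        case "$a" in
            127.*|::1|localhost) ;;
            *) exit 1 ;;   # leaves the pipeline's subshell with status 1
        esac
    done
}

# Live check on this host: is any socket bound to UDP port 11211?
# Returns 2 when ss is unavailable so callers can tell "unknown" from "no".
udp_11211_listener_present() {
    command -v ss >/dev/null 2>&1 || return 2
    ss -uln 2>/dev/null | grep -q ':11211[[:space:]]'
}

# Print a one-line verdict per check for a config file.
audit_memcached_conf() {
    conf="$1"
    if memcached_udp_disabled "$conf"; then
        echo "ok    UDP disabled (-U 0) in $conf"
    else
        echo "WARN  no '-U 0' in $conf; on memcached before 1.5.6 UDP 11211 is open"
    fi
    if memcached_bound_to_loopback "$conf"; then
        echo "ok    bound to loopback only (-l $(memcached_conf_value l "$conf"))"
    else
        echo "WARN  -l missing or non-loopback; memcached reachable from other hosts"
    fi
    rc=0
    udp_11211_listener_present || rc=$?
    case "$rc" in
        0) echo "WARN  a socket is bound to UDP 11211 on this host right now" ;;
        1) echo "ok    nothing bound to UDP 11211 on this host" ;;
        *) echo "skip  ss not available, live socket check not run" ;;
    esac
}

# Constructed sample: the /etc/memcached.conf lines quoted in the thread.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# Specify which IP address to listen on. The default is to listen on all IP
# addresses. This parameter is one of the only security measures that
# memcached has, so make sure it's listening on a firewalled interface.
-l 127.0.0.1
# Disable UDP
-U 0
EOF

audit_memcached_conf "$SAMPLE_CONF"
```

Run it against the real file with `audit_memcached_conf /etc/memcached.conf` after sourcing the script. The config checks answer Mark's first two questions (is `-U 0` the right knob, and is it needed: yes, and only on builds older than 1.5.6 or configs that re-enable UDP), while the `ss` check covers Chris's point that what matters is the address and port memcached is actually bound to, not just what the file says.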