Date: Fri, 2 Mar 2018 12:44:28 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: memcached UDP amplification attacks

Hi,

In the past days there have been reports about some DDoS attacks abusing the memcached UDP protocol:

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
https://www.wired.com/story/github-ddos-memcached/

The issue: memcached has a UDP protocol that allows getting a much larger reply than the query sent, thus allowing amplification attacks with forged sender IPs.

Upstream memcached reacted by disabling the UDP-based protocol by default:

https://github.com/memcached/memcached/wiki/ReleaseNotes156

This is good, however one could argue that they should also default to localhost only.

Most distros I checked right now default to enabling UDP, but restricting connections to 127.0.0.1. While this is not directly vulnerable, it's only a minor change away from being so.

The memcached announcement sounds like the UDP protocol is rarely used and should be considered deprecated and replaced by the TCP-based one.

I recommend all distributions consider changing their defaults to disabling the UDP-based memcached protocol by default.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
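An added example, not part of the post above, for distribution maintainers and admins who want to audit the default the post is talking about: it classifies a memcached command line as "disabled" (UDP off), "local" (UDP on but loopback-only, the distro default described) or "exposed" (UDP on and reachable from outside, the amplification case). It assumes memcached's documented flags -U <udp-port> (0 disables UDP) and -l <addr[,addr...]>, and memcached's defaults when they are absent (UDP on 11211, bound to all interfaces).

```shell
#!/bin/sh
# Added example (not from the oss-security post): classify a memcached
# command line for the UDP exposure discussed above. Assumes memcached's
# documented flags -U <udp-port> (0 disables UDP) and -l <addr[,addr...]>,
# and memcached's defaults when they are absent: UDP on port 11211 and
# bound to all interfaces.

# udp_exposure "<memcached arguments>" prints one of:
#   disabled  UDP off (-U 0), the upstream 1.5.6 default
#   local     UDP on, but every listen address is loopback (distro default)
#   exposed   UDP on and bound to a non-loopback address: the amplification case
udp_exposure() {
    udp_port=11211
    listen=""
    set -- $1                       # word-split the argument string
    while [ $# -gt 0 ]; do
        case "$1" in
            -U)  udp_port=$2; shift ;;
            -U*) udp_port=${1#-U} ;;
            -l)  listen=$2; shift ;;
            -l*) listen=${1#-l} ;;
        esac
        shift
    done
    if [ "$udp_port" = "0" ]; then
        echo disabled
        return 0
    fi
    [ -n "$listen" ] || { echo exposed; return 0; }   # no -l: all interfaces
    # -l accepts a comma-separated list; every entry must be a loopback address.
    rest=$listen
    while [ -n "$rest" ]; do
        addr=${rest%%,*}
        case "$addr" in
            127.*|::1|localhost) ;;
            *) echo exposed; return 0 ;;
        esac
        [ "$rest" = "$addr" ] && break
        rest=${rest#*,}
    done
    echo local
}

# Walk the three configurations the post contrasts (constructed inputs).
for args in "-U 0 -l 127.0.0.1" "-l 127.0.0.1" "-l 0.0.0.0"; do
    printf '%-20s %s\n' "$args" "$(udp_exposure "$args")"
done
```

On a running host, pass it the arguments of the live process (for example from the memcached line of `ps -o args=`) rather than a hand-typed string.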