Date: Wed, 7 Mar 2018 07:20:47 -0700
From: Kurt Seifried <kseifrie@...hat.com>
To: Tomas Hoger <thoger@...hat.com>
Cc: Kurt Seifried <kseifried@...hat.com>, oss-security@...ts.openwall.com
Subject: Re: memcached UDP amplification attacks

Actually the 50k was based on a private but trustworthy reporter (The 3 letter agency people), some people store very big things in memcached like cached web pages...

> On Mar 7, 2018, at 3:09 AM, Tomas Hoger <thoger@...hat.com> wrote:
>
>> On Fri, 2 Mar 2018 21:42:30 -0700 Kurt Seifried wrote:
>>
>> I have assigned CVE-2018-1000115 to this issue:
>>
>> Memcached version 1.5.5 contains an Insufficient Control of Network
>> Message Volume (Network Amplification, CWE-406) vulnerability in the
>> UDP support of the memcached server that can result in denial of
>> service via network flood (traffic amplification of 1:50,000 has been
>> reported by reliable sources). This attack appear to be exploitable
>> via network connectivity to port 11211 UDP. This vulnerability
>> appears to have been fixed in 1.5.6 due to the disabling of the UDP
>> protocol by default.
>
> Minor nitpick, the description mentions 1:50,000 ratio, apparently
> based on the information in the following reference:
>
>> https://blogs.akamai.com/2018/03/memcached-fueled-13-tbps-attacks.html
>
> where it's mentioned as:
>
> """
> Worse, memcached can have an amplification factor of over 50,000,
> meaning a 203 byte request results in a 100 megabyte response.
> """
>
> However, 200 * 50k = 10m, not 100m. Wonder if I'm doing my math wrong.
>
> --
> Tomas Hoger / Red Hat Product Security