Commit dbb7a8a

disable UDP port by default
As reported, UDP amplification attacks have started to use insecure internet-exposed memcached instances. UDP used to be a lot more popular as a transport for memcached many years ago, but I'm not aware of many recent users. Ten years ago, the TCP connection overhead from many clients was relatively high (dozens or hundreds per client server), but these days many clients are batched, or use fewer processes, or simply aren't worried about it. While changing the default to listen on localhost only would also help, the true culprit is UDP. There are many more use cases for using memcached over the network than there are for using the UDP protocol.
1 parent 1276ad2 commit dbb7a8a

2 files changed

+4
-6
lines changed

Diff for: memcached.c

+2-4
@@ -222,7 +222,7 @@ static void settings_init(void) {
222222
settings.use_cas = true;
223223
settings.access = 0700;
224224
settings.port = 11211;
225-
settings.udpport = 11211;
225+
settings.udpport = 0;
226226
/* By default this string should be NULL for getaddrinfo() */
227227
settings.inter = NULL;
228228
settings.maxbytes = 64 * 1024 * 1024; /* default is 64MB */
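Review bot: The new default at settings.udpport = 0 in settings_init() is a user-visible behaviour change, yet this commit touches only memcached.c and t/issue_67.t, so any usage text or man page that states a default for -U is left as it was. Update that text in the same change, and add a short comment on this line saying that 0 means the UDP listener is off and has to be enabled explicitly with -U, so the reason it differs from settings.port = 11211 is visible where the defaults are set.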
@@ -7479,9 +7479,7 @@ int main (int argc, char **argv) {
74797479
}
74807480
}
74817481

7482-
if (tcp_specified && settings.port != 0 && !udp_specified) {
7483-
settings.udpport = settings.port;
7484-
} else if (udp_specified && settings.udpport != 0 && !tcp_specified) {
7482+
if (udp_specified && settings.udpport != 0 && !tcp_specified) {
74857483
settings.port = settings.udpport;
74867484
}
74877485
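Review bot: In main(), the surviving branch `if (udp_specified && settings.udpport != 0 && !tcp_specified)` still copies the UDP port into settings.port, so -U alone keeps moving the TCP listener while -p alone no longer enables UDP. If that one-way coupling is intended, say so in a comment above the condition. Also call out in the release notes that deployments which relied on -p implying a UDP listener will now start without one and need an explicit -U.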

Diff for: t/issue_67.t

+2-2
@@ -77,11 +77,11 @@ sub when {
7777

7878
# Disabling the defaults since it conflicts with a running instance.
7979
# when('no arguments', '', 11211, 11211);
80-
when('specifying tcp port', '-p 11212', 11212, 11212);
80+
when('specifying tcp port', '-p 11212', 11212, -1);
8181
when('specifying udp port', '-U 11222', 11222, 11222);
8282
when('specifying tcp ephemeral port', '-p -1', 0, 0);
8383
when('specifying udp ephemeral port', '-U -1', 0, 0);
84-
when('tcp port disabled', '-p 0', -1, 11211);
84+
when('tcp port disabled', '-p 0', -1, -1);
8585
when('udp port disabled', '-U 0', 11211, -1);
8686
when('specifying tcp and udp ports', '-p 11232 -U 11233', 11232, 11233);
8787
when('specifying tcp and disabling udp', '-p 11242 -U 0', 11242, -1);
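Review bot: The no-argument case, `# when('no arguments', '', 11211, 11211);`, is still commented out and now carries a stale expectation in the UDP column. Change it to expect -1 for UDP so it is correct if it is ever re-enabled, or add a default-settings case that avoids the port conflict the comment mentions, so the new default has direct coverage rather than being checked only through the -p and -p 0 cases.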
