UDP Amplification Attacks, result of Memcached UDP port 11211 #348
Comments
https://github.com/memcached/memcached/wiki/ReleaseNotes156 Leaving this open, so other users can see it more easily for now.
For those interested, the commit to disable UDP by default was dbb7a8a.

The HELP comment is still not fixed in memcached.c in the latest version of memcached, 1.5.6.
@XuYuanzhen Thanks! Fixed in the 'next' tree for the next release.
This is CVE-2018-1000115, which should be in the CVE database hopefully by Monday.
@XuYuanzhen Sorry if I understood wrongly, but by disabling UDP on the victim's web server, will it not be vulnerable to the attacks?
@XuYuanzhen Disabling UDP for memcache (or firewalling port 11211) will mean that your server is not used as a "zombie" in an attack. This is a reflection attack; see the diagram I posted in the thread opener. If you're being attacked by a bunch of public memcache servers, the only solution you have is getting your provider to mitigate the attack.
@swiftnode-linden, thanks for clarifying it. I might be attacked; I have a close relationship with my ISP. Any advice for me to tell them?
@santiandres33 If the attacks you're receiving are small (e.g. <10Gbps), mitigating the attack may be possible by your ISP if they have a way to drop all traffic originating from UDP source port 11211 prior to it reaching your servers/computer. But if we're talking about a residential ISP, your chances of mitigating an attack like this are pretty slim. Their best bet is likely just to nullroute your IP and move on. The attacks we saw were over 200Gbps; we had to leverage an upstream provider to help mitigate. Even most large providers can't deal with an attack of this size. And the ones that do have the capacity generally aren't going to just eat a large attack unless you have some serious cash. You have a few "external" options: you can pipe in mitigation from a provider like Voxility or Prolexic, both of which definitely have the capacity and the ability to filter attacks of that size. (Think GRE/IPIP tunnels.)
@santiandres33 Because the DDoS reflection amplification attack uses the UDP protocol. UDP is unreliable; consequently the attacker can spoof the source IP. And old versions of memcached open UDP 11211 by default; memcached could increase the received UDP packets almost twenty to fifty thousand times. You can disable UDP 11211 with -U 0, even
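As an added illustration of the reflection pattern this thread describes (example code, not from the thread or the memcached project): a small detector over NetFlow-style records that flags peers which sent almost nothing to our UDP/11211 but received a huge volume back, i.e. spoofed victims we are reflecting at. The flow tuples, IP addresses and thresholds are constructed assumptions.

```python
# Added example (not from this thread or memcached): flag memcached UDP/11211
# reflection in NetFlow-style records. Flow tuples are constructed sample data;
# the thresholds are assumptions chosen for illustration.
from collections import defaultdict

MEMCACHED_UDP_PORT = 11211
MIN_AMPLIFICATION = 100       # assumed: reply bytes / request bytes
MIN_REFLECTED_BYTES = 10_000  # assumed: ignore tiny exchanges

# Constructed flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# 192.0.2.10 runs memcached; 203.0.113.7 is the spoofed "victim" address.
SAMPLE_FLOWS = [
    ("203.0.113.7", 53000, "192.0.2.10", 11211, "udp", 15),       # spoofed request
    ("192.0.2.10", 11211, "203.0.113.7", 53000, "udp", 750_000),  # amplified reply
    ("192.0.2.10", 11211, "203.0.113.7", 53000, "udp", 740_000),
    ("198.51.100.5", 40000, "192.0.2.10", 11211, "udp", 40),      # real client
    ("192.0.2.10", 11211, "198.51.100.5", 40000, "udp", 120),
    ("192.0.2.10", 11211, "198.51.100.5", 40000, "tcp", 5_000),   # TCP: not spoofable
]


def reflection_report(flows, our_ip):
    """Per peer: UDP bytes sent to our memcached vs. bytes we sent back.
    A peer that asked for almost nothing but received a huge reply is a
    spoofed victim, i.e. our server is being used as the reflector."""
    req = defaultdict(int)
    rep = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dst == our_ip and dport == MEMCACHED_UDP_PORT:
            req[src] += nbytes
        elif src == our_ip and sport == MEMCACHED_UDP_PORT:
            rep[dst] += nbytes
    report = {}
    for peer in set(req) | set(rep):
        ratio = rep[peer] / max(req[peer], 1)
        report[peer] = {
            "request_bytes": req[peer],
            "reply_bytes": rep[peer],
            "amplification": round(ratio, 1),
            "reflected": ratio >= MIN_AMPLIFICATION and rep[peer] >= MIN_REFLECTED_BYTES,
        }
    return report


def reflected_victims(flows, our_ip):
    """Addresses our memcached is being used to attack (firewall/-U 0 candidates)."""
    report = reflection_report(flows, our_ip)
    return sorted(p for p, r in report.items() if r["reflected"])
```

Addresses returned by reflected_victims are the ones to hand to the firewall while UDP is turned off with -U 0; the real client shows an amplification of about 3 and is left alone.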
Closing this out. I think it's been talked about widely enough.
2439472
The above commit has resulted in the ability to spoof a victim address to public memcache servers around the world, resulting in a massive amount of data being returned from the memcache service (to the victim).
Simple example:
https://blog.cloudflare.com/content/images/2018/02/spoofing.png
These attacks appear to be ranging anywhere from 25Gbps to over 250Gbps.
This has been confirmed on the backlines by many providers, as well as publicly by Cloudflare, and Rapid7.
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211
https://blog.rapid7.com/2018/02/27/the-flip-side-of-memcrashed/