Memcached Vulnerability

Status
Not open for further replies.

SlimJim

New Member
Feb 6, 2018
Northern Indiana
This week one of our development servers was part of a DDoS attack. It caught me off guard, as we had just installed it on a VPS the day before. Our traffic graphs showed our VPS was sending out ~300MB/s according to Proxmox. Of course, we rate limited the port and did some digging. We came to find out that our memcached server was part of an amplification attack, and that was causing the problem. We had disabled the firewall since this server was not connected to any trunks and was just for us to test a webpage we built, so no harm to us. (Sorry to whoever we were DDoSing, but lesson learned.)

Here is a link to more information.
https://www.techrepublic.com/articl...s-to-overload-networks-with-260-gbps-traffic/

and a simple Google search brings up a lot more HERE.



So how can you fix it? Simple, block UDP port 11211 from external sources and don't leave servers running with their firewalls off :)
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
Well, if you are using the recommended Debian install, memcache only listens on 127.0.0.1 anyway.
 

SlimJim

New Member
Feb 6, 2018
Northern Indiana
That is true, yes. Not all of us are using Debian. On the default install on CentOS 7, it did not.

You can correct this by editing the "/etc/sysconfig/memcached" file and adding
Code:
OPTIONS="-l 127.0.0.1"

to the bottom of the file. Restart Memcached and it is fixed.
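
A way to confirm that either fix from this thread took effect, as an added example that is not part of the original posts: the function below reads `ss -lntu` output and lists every socket on port 11211 that is bound to something other than loopback. The function name and the sample socket lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. SAMPLE_SS below is constructed data.

# Read `ss -lntu` output on stdin and print "proto address" for each socket
# on port 11211 whose local address is not a loopback address.
memcached_exposed_listeners() {
  awk '
    $1 == "Netid" { next }                   # skip the header line
    $1 != "tcp" && $1 != "udp" { next }
    {
      addr = $5                              # "Local Address:Port" column
      n = split(addr, parts, ":")
      port = parts[n]                        # text after the last colon
      if (port != "11211") next
      host = substr(addr, 1, length(addr) - length(port) - 1)
      gsub(/^\[|\]$/, "", host)              # strip IPv6 brackets
      sub(/%.*$/, "", host)                  # strip a scope such as %eth0
      if (host ~ /^127\./ || host == "::1") next
      print $1, host
    }'
}

# Constructed sample: a wildcard UDP listener (the state in the first post),
# loopback-only listeners (the state after adding -l 127.0.0.1), an IPv6
# wildcard listener, and an unrelated service.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:11211      0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:11211    0.0.0.0:*
udp   UNCONN 0      0      [::1]:11211        [::]:*
tcp   LISTEN 0      128    [::]:11211         [::]:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Show the result for the sample. On a real host, run instead:
#   ss -lntu | memcached_exposed_listeners
printf '%s\n' "$SAMPLE_SS" | memcached_exposed_listeners
```

Empty output on a real host means memcached is only listening on loopback; any line printed is a listener that a firewall rule or the `-l` option still needs to cover.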
 