[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

Subject: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
From: list at satchell.net (Stephen Satchell)
Date: Fri, 2 Mar 2018 08:15:42 -0800
In-reply-to: <CA+E3k91hALYSFMQYK4mR9SwCT=0Wnt3sCJkT41+4u3CR10-u-Q@mail.gmail.com>
References: <[email protected]> <CAD6AjGQx__RNnWADF=TnaUBjN+fVpezQpM9qmFMF_G0KSj3LrQ@mail.gmail.com> <[email protected]> <[email protected]> <[email protected]> <CAB69EHiesHKr=57HYgiupD1sdV=5HURuVeo4+CVKFhdg0ONriw@mail.gmail.com> <[email protected]> <CAL9jLaadL=D7C9S49eea1+gHDLY+NdpQy=2qDqfzVfrH36+-zg@mail.gmail.com> <[email protected]> <CA+E3k91hALYSFMQYK4mR9SwCT=0Wnt3sCJkT41+4u3CR10-u-Q@mail.gmail.com>

On 03/01/2018 02:55 PM, Royce Williams wrote:
> pstream, until two days ago, the default was to listen on all interfaces.
> 
> https://github.com/memcached/memcached/wiki/ReleaseNotes156
> 
> The package maintainers were (thankfully) injecting additional sanity.

Yes, they did, in commit dbb7a8af.  Here is the commit comment:

>     disable UDP port by default
>     
>     As reported, UDP amplification attacks have started to use insecure
>     internet-exposed memcached instances. UDP used to be a lot more popular as a
>     transport for memcached many years ago, but I'm not aware of many recent
>     users.
>     
>     Ten years ago, the TCP connection overhead from many clients was relatively
>     high (dozens or hundreds per client server), but these days many clients are
>     batched, or user fewer processes, or simply anre't worried about it.
>     
>     While changing the default to listen on localhost only would also help, the
>     true culprit is UDP. There are many more use cases for using memcached over
>     the network than there are for using the UDP protocol.
> 
> --------------------------------- memcached.c ---------------------------------
> index 88a5f2e..7178666 100644

But then you look at the changes in that commit:  what makes this a 
less-than-ideal change is that they didn't modify the default 
configuration file to include "-U 0".

By defaulting their settings.udpport to zero in the C code, they 
stop-punch the astonishment factor.  By not changing the distribution 
sysconfig file, though, they open a pitfall for those people who use 
UDP.  The problem?  They could have put a warning in the default file so 
that people who add OPTIONS="U 11211" would be told to firewall that UDP 
port from the public internet at large.

(Then there is the case of people deploying memcached in the cloud, 
which would incur additional difficulties.  But that's another argument...)

References:
- New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
  - From: eric.kuhnke at gmail.com (Eric Kuhnke)
- New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
  - From: owen at delong.com (Owen DeLong)
- New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
  - From: morrowc.lists at gmail.com (Christopher Morrow)
- New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
  - From: randy at psg.com (Randy Bush)
- New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
  - From: royce at techsolvency.com (Royce Williams)

Prev by Date: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
Next by Date: IPv6 Unique Local Addresses
Previous by thread: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
Next by thread: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks
Index(es):
- Date
- Thread