Re: [Koha] DDoS attack on memcached

2018-03-02 Thread Pablo Bianchi
After reading about the GitHub DDoS incident I found out more
about it in this Cloudflare post, which states:
> echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211
> If you see non-empty response (like the one above), your server is vulnerable.

And it is, but testing from outside:
nmap *TARGET* -p 11211 -sU -sS --script memcached-info
in my case (a Koha fresh install with memcached) the ports are closed/filtered,
so it seems secure because of the firewall and this line in the default
/etc/memcached.conf:

# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make sure
# it's listening on a firewalled interface.
-l 127.0.0.1

So nothing to worry about, right?

Regards,
Pablo
___
Koha mailing list  http://koha-community.org
Koha@lists.katipo.co.nz
https://lists.katipo.co.nz/mailman/listinfo/koha
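
Added example (not part of any message in this thread, and not Koha or memcached project code): a shell function that reads a memcached.conf and reports the two settings discussed here, the -l listen address and the -U UDP port. It assumes one short option per line, as in the Debian file quoted above; the function name and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a memcached.conf for the two settings from this thread.
# Assumption: only the short options -l and -U are parsed, one option per line.
audit_memcached_conf() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                   # blank lines and comments
        $1 == "-l"  { listen = $2; next }               # last occurrence wins
        $1 ~ /^-l./ { listen = substr($1, 3); next }    # attached form, e.g. -l127.0.0.1
        $1 == "-U"  { udp = $2; seen_udp = 1; next }
        $1 ~ /^-U./ { udp = substr($1, 3); seen_udp = 1; next }
        END {
            # Every -l address must be loopback for the listener to be local-only.
            n = split(listen, addrs, ",")
            local_only = (n > 0)
            for (i = 1; i <= n; i++)
                if (addrs[i] !~ /^((127\.[0-9]+\.[0-9]+\.[0-9]+|localhost)(:[0-9]+)?|::1)$/)
                    local_only = 0
            if (n == 0)          print "listen: no -l line, all addresses"
            else if (local_only) print "listen: loopback only (" listen ")"
            else                 print "listen: not loopback only (" listen ")"

            # "-U 0" switches the UDP listener off; any other value is a live port.
            udp_off = (seen_udp && udp ~ /^0+$/)
            if (!seen_udp)    print "udp: no -U line, on by default before memcached 1.5.6"
            else if (udp_off) print "udp: disabled (-U " udp ")"
            else              print "udp: enabled on port " udp

            # Exit status 1 only when UDP is on AND the listener is not local-only.
            exposed = (!udp_off && !local_only)
            print "verdict: " (exposed ? "EXPOSED unless a firewall blocks the UDP port" : "ok")
            exit exposed
        }
    ' "$1"
}

# Constructed sample: the listen line quoted in the thread plus the -U 0 change.
sample=$(mktemp)
printf "%s\n" "# Disable UDP" "-U 0" "-l 127.0.0.1" > "$sample"
audit_memcached_conf "$sample"
rm -f "$sample"
```

The function reads only the file, so a border firewall such as the one in the router log further down the thread is not taken into account.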


Re: [Koha] DDoS attack on memcached

2018-02-28 Thread Paul A

On 2018-02-28 01:47 PM, Chris Cormack wrote:

> That will work, however unless you have configured your memcached server to
> listen on an external IP it will only be listening on localhost. It's worth
> checking both though.

and/or block at border -- there's an up-tick in attempts. In the last
few minutes:


Feb 28 14:05:20 Wed Feb 28 14:05:11 2018 router2 System Log: Blocked incoming UDP packet from 185.94.111.1:52499 to 70.52.***.***:11211
Feb 28 14:07:06 Wed Feb 28 14:06:59 2018 router2 System Log: Blocked incoming UDP packet from 46.243.189.105:37750 to 70.52.***.***:11211


Best -- P.


> Chris
>
> On 1 March 2018 2:55:56 AM NZDT, Mark Alexander wrote:
>
>> Apparently, a bug in memcached (which we use in Koha) causes it to be
>> used as an intermediary in a DDoS attack:
>>
>> https://arstechnica.com/information-technology/2018/02/in-the-wild-ddoses-use-new-way-to-achieve-unthinkable-sizes/
>>
>> I'm not an expert on this kind of thing by any means, but judging
>> from this:
>>
>>   https://github.com/memcached/memcached/wiki/ReleaseNotes156
>>
>> It seems that we can disable the attack by preventing memcached from
>> listening on a UDP port.  I was able to do this by adding the
>> following lines to /etc/memcached.conf:
>>
>>   # Disable UDP
>>   -U 0
>>
>> Then restarted memcached and apache2.
>>
>> My questions for the experts: Is this the correct approach?  Is it even
>> necessary?
>> Is there more we should do?


Re: [Koha] DDoS attack on memcached

2018-02-28 Thread Chris Cormack
That will work, however unless you have configured your memcached server to 
listen on an external IP it will only be listening on localhost. It's worth 
checking both though.

Chris 

On 1 March 2018 2:55:56 AM NZDT, Mark Alexander wrote:
>Apparently, a bug in memcached (which we use in Koha) causes it to be
>used as an intermediary in a DDoS attack:
>
>https://arstechnica.com/information-technology/2018/02/in-the-wild-ddoses-use-new-way-to-achieve-unthinkable-sizes/
>
>I'm not an expert on this kind of thing by any means, but judging
>from this:
>
>  https://github.com/memcached/memcached/wiki/ReleaseNotes156
>
>It seems that we can disable the attack by preventing memcached from
>listening on a UDP port.  I was able to do this by adding the
>following lines to /etc/memcached.conf:
>
>  # Disable UDP
>  -U 0
>
>Then restarted memcached and apache2.
>
>My questions for the experts: Is this the correct approach?  Is it even
>necessary?
>Is there more we should do?



[Koha] DDoS attack on memcached

2018-02-28 Thread Mark Alexander
Apparently, a bug in memcached (which we use in Koha) causes it to be
used as an intermediary in a DDoS attack:

https://arstechnica.com/information-technology/2018/02/in-the-wild-ddoses-use-new-way-to-achieve-unthinkable-sizes/

I'm not an expert on this kind of thing by any means, but judging
from this:

  https://github.com/memcached/memcached/wiki/ReleaseNotes156

It seems that we can disable the attack by preventing memcached from
listening on a UDP port.  I was able to do this by adding the
following lines to /etc/memcached.conf:

  # Disable UDP
  -U 0

Then restarted memcached and apache2.

My questions for the experts: Is this the correct approach?  Is it even 
necessary?
Is there more we should do?