
memcached amplification attack

Posted: Thu Mar 01, 2018 12:06 am
by reason2008
Is this anything we need to be concerned about? My server is behind a firewall and doesn't allow the port addressed in the article.

https://blog.cloudflare.com/memcrashed- ... ort-11211/

Re: memcached amplification attack

Posted: Thu Mar 01, 2018 9:59 am
by phoenix

Re: memcached amplification attack

Posted: Thu Mar 01, 2018 10:32 am
by reason2008
Thank you very much!

Re: memcached amplification attack

Posted: Thu Mar 01, 2018 10:42 am
by phoenix
reason2008 wrote:Thank you very much!
You're welcome. :)

Re: memcached amplification attack

Posted: Thu Mar 01, 2018 11:08 am
by Chicken76
This thread should be sticky-ed.
Having to beg the Internet provider late at night to restore the connection at my office for a few minutes so I can add a firewall rule is not fun.

Re: memcached amplification attack

Posted: Fri Mar 02, 2018 7:49 am
by davidkillingsworth
I have been affected by this. My ISP suspended my server because it was generating a huge amount of outbound UDP traffic.

They would not unblock it for 24 hours. They finally explained what was going on and then unblocked it, only for it to get blocked again in under an hour.

They sent me this link: https://blogs.akamai.com/2018/02/memcac ... tacks.html

What's the best approach for mitigating this?

EDIT: I read the wiki article, which explains what to do. Will have to wait until the hosting company un-suspends the account to fix.
And agreed, this needs to be stickied.

Re: memcached amplification attack

Posted: Fri Mar 02, 2018 9:42 am
by Chicken76
Posting again because this needs emphasizing.

This is a serious denial-of-service attack! I managed to log in to the router of one of my affected networks but ssh was sooo laaaaaagy. The Zimbra server alone (single server setup) was doing 500 Mbit up!
I guess in a multi server zimbra environment you won't even be able to login to add the necessary firewall rules, unless you have a backup connection from a different provider.

Re: memcached amplification attack

Posted: Fri Mar 02, 2018 5:16 pm
by zimico
I have some trouble with the firewall (iptables), and when it's off, my server's eth0 sends 5 Gbps and generates 8 TB of traffic per hour. Now I have applied the configuration from the WIKI and it's back to normal.

Re: memcached amplification attack

Posted: Fri Mar 02, 2018 8:24 pm
by msquadrat
I created a pull request to have the Zimbra memcached UDP port disabled in Zimbra. Anybody struggling with iptables might have a look at the changes to zmmemcachedctl and apply them manually:
https://github.com/Zimbra/zm-core-utils/pull/13/files

That said, having the TCP port open to the world isn't good either, since people can read the innards of your reverse proxy routing information and maybe other stuff as well. I don't think any sessions are actually stored in memcached, but I might be wrong.
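A quick way to check the exposure discussed in this thread, added here as an example and not taken from any post or from Zimbra's own code: it builds the UDP `stats` query that the memcrashed attack reflects (memcached's UDP framing is an 8-byte big-endian header of request id, sequence number, total datagrams and a reserved word, followed by the ASCII command), parses and reassembles the reply datagrams, and reports the amplification ratio at the UDP payload level. The reply bytes in `SAMPLE_REPLY` are constructed and much shorter than a real `stats` reply; the `probe()` function does real network I/O and should only be pointed at hosts you are responsible for. A server that is bound to 127.0.0.1 or has UDP 11211 filtered returns nothing, so `probe()` comes back with an empty reply list.

```python
"""Check whether a memcached instance answers the UDP 'stats' query abused
by the memcrashed amplification attack (added example, not from the thread)."""
import socket
import struct

MEMCACHED_PORT = 11211
# memcached UDP framing: request id (2B), sequence number (2B),
# total datagrams in this reply (2B), reserved (2B); all big-endian.
UDP_HEADER = struct.Struct("!HHHH")


def build_udp_query(command: str = "stats", request_id: int = 1) -> bytes:
    """Return a single-datagram memcached UDP request carrying `command`."""
    header = UDP_HEADER.pack(request_id, 0, 1, 0)
    return header + command.encode("ascii") + b"\r\n"


def parse_udp_datagram(datagram: bytes) -> dict:
    """Split one memcached UDP datagram into header fields and payload."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than memcached UDP header")
    request_id, seq, total, reserved = UDP_HEADER.unpack_from(datagram)
    return {
        "request_id": request_id,
        "seq": seq,
        "total": total,
        "reserved": reserved,
        "payload": datagram[UDP_HEADER.size:],
    }


def reassemble(datagrams) -> bytes:
    """Order the datagrams of one reply by sequence number and join payloads."""
    parsed = sorted((parse_udp_datagram(d) for d in datagrams), key=lambda p: p["seq"])
    return b"".join(p["payload"] for p in parsed)


def amplification_factor(query: bytes, datagrams) -> float:
    """Bytes a reflector emits per byte it receives (UDP payload level)."""
    received = sum(len(d) for d in datagrams)
    return received / len(query)


def probe(host: str, port: int = MEMCACHED_PORT, timeout: float = 2.0):
    """Send one 'stats' query over UDP and collect the reply datagrams.

    Returns (query, replies). An empty `replies` list means the port did
    not answer within `timeout`. Only run this against hosts you own.
    """
    query = build_udp_query()
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, port))
        try:
            while True:
                data, _ = sock.recvfrom(65535)
                replies.append(data)
                # stop once we hold as many datagrams as the header announced
                if len(replies) >= parse_udp_datagram(data)["total"]:
                    break
        except socket.timeout:
            pass
    return query, replies


# Constructed sample: a 'stats' reply split over two datagrams, received
# out of order. Real replies run to kilobytes, hence the large factor.
SAMPLE_REPLY = [
    UDP_HEADER.pack(1, 1, 2, 0) + b"STAT uptime 12345\r\nEND\r\n",
    UDP_HEADER.pack(1, 0, 2, 0) + b"STAT pid 4242\r\n",
]

if __name__ == "__main__":
    q = build_udp_query()
    print(f"query: {len(q)} bytes, reply: {sum(len(d) for d in SAMPLE_REPLY)} bytes, "
          f"factor {amplification_factor(q, SAMPLE_REPLY):.1f}x")
    print(reassemble(SAMPLE_REPLY).decode())
```

To check a host, call `probe("your.host")`; a non-empty reply list from the public Internet means the server is usable as a reflector and the wiki's bind-address change or an iptables rule on UDP 11211 is still missing.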

Re: memcached amplification attack

Posted: Mon Mar 05, 2018 7:45 am
by GlooM
Hello!

Release 8.5.1.GA.3056.UBUNTU14.64 UBUNTU14_64 FOSS edition. (Single server installation)

For me, this fix from the article:

su - zimbra
# bind memcached to loopback only and point Zimbra's own clients at it
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedBindAddress 127.0.0.1
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedClientServerList 127.0.0.1

DOESN'T WORK!!!

Iptables rules work fine!

8 hours after turning on the firewall, it has dropped 61 megabytes of UDP traffic to this port!