memcached amplification attack

Postby reason2008 » Thu Mar 01, 2018 12:06 am

Is this anything we need to be concerned about? My server is behind a firewall and doesn't allow the port addressed in the article.

https://blog.cloudflare.com/memcrashed- ... ort-11211/


Postby phoenix » Thu Mar 01, 2018 9:59 am

Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168

Postby reason2008 » Thu Mar 01, 2018 10:32 am

Thank you very much!

Postby phoenix » Thu Mar 01, 2018 10:42 am

reason2008 wrote: Thank you very much!
You're welcome. :)

Postby Chicken76 » Thu Mar 01, 2018 11:08 am

This thread should be sticky-ed.
Having to beg the Internet provider late at night to restore the connection at my office for a few minutes so I can add a firewall rule is not fun.

Postby davidkillingsworth » Fri Mar 02, 2018 7:49 am
ZCS/ZD Version: Release 8.8.6.GA.1906.UBUNTU14.64

I have been affected by this. My ISP suspended my server because it was generating a huge amount of outbound UDP traffic.

They would not unblock it for 24 hours. They finally explained what was going on and then unblocked it, only for it to get blocked again in under an hour.

They sent me this link: https://blogs.akamai.com/2018/02/memcac ... tacks.html

What's the best approach for mitigating this?

EDIT: I read the wiki article, which explains what to do. Will have to wait until the hosting company un-suspends the account to fix.
And agreed, this needs to be stickied.

Postby Chicken76 » Fri Mar 02, 2018 9:42 am

Posting again because this needs emphasizing.

This is a serious denial-of-service attack! I managed to log in to the router of one of my affected networks but ssh was sooo laaaaaagy. The Zimbra server alone (single server setup) was doing 500 Mbit UP!
I guess in a multi-server Zimbra environment you won't even be able to log in to add the necessary firewall rules, unless you have a backup connection from a different provider.

Postby zimico » Fri Mar 02, 2018 5:16 pm
ZCS/ZD Version: 8.7.5

I have some troubles with the firewall (iptables), and when it's off, my server's eth0 sends 5 Gbps and generates 8 TB of traffic per hour. Now I've applied the configuration according to the wiki and it's back to normal.

Postby msquadrat » Fri Mar 02, 2018 8:24 pm

I created a pull request to have the Zimbra memcached UDP port disabled in Zimbra. Anybody struggling with iptables might have a look at the changes to zmmemcachedctl and apply them manually:
https://github.com/Zimbra/zm-core-utils/pull/13/files

That said, having the TCP port open to the world isn't good either, since people can read the innards of your reverse proxy routing information and maybe other stuff as well. I don't think any sessions are actually stored in memcached but I might be wrong.

Postby GlooM » Mon Mar 05, 2018 7:45 am

Hello!

Release 8.5.1.GA.3056.UBUNTU14.64 UBUNTU14_64 FOSS edition. (Single server installation)

For me, this fix from the article:

su - zimbra
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedBindAddress 127.0.0.1
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedClientServerList 127.0.0.1

DOESN'T WORK!!!

Iptables rules work fine!

8 hours after turning on the firewall, it has dropped 61 megabytes of UDP traffic to this port!
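
Added example, not part of any post in this thread and not Zimbra's own tooling: a shell check that reads the listening-socket table and reports any memcached listener on port 11211 that is bound to a non-loopback address, which is how to confirm whether a bind-address change or the UDP-disable change actually took effect. The function names and sample lines are constructed for illustration, the input format assumed is that of `ss -lntu` from iproute2, and the check looks only at bind addresses, not at firewall rules.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
MEMCACHED_PORT=11211   # memcached default port, the one in the linked article

# Reads `ss -lntu` lines on stdin and prints "proto address" for every
# listener on MEMCACHED_PORT that is not bound to a loopback address.
exposed_memcached_listeners() {
    awk -v port="$MEMCACHED_PORT" '
        $1 != "tcp" && $1 != "udp" { next }   # header line, other socket types
        {
            n = match($5, /:[0-9]+$/)          # port follows the last colon
            if (n == 0) next
            addr = substr($5, 1, n - 1)
            if (substr($5, n + 1) != port) next
            sub(/%.*$/, "", addr)              # strip a "%iface" suffix
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            print $1, addr
        }'
}

# Prints one finding per exposed listener; returns 1 if any, else 0.
check_memcached_exposure() {
    findings=$(exposed_memcached_listeners)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | while read -r proto addr; do
        if [ "$proto" = "udp" ]; then
            echo "EXPOSED udp $addr:$MEMCACHED_PORT (usable for UDP amplification)"
        else
            echo "EXPOSED tcp $addr:$MEMCACHED_PORT (cache readable by remote clients)"
        fi
    done
    return 1
}

# Constructed samples (not captured output): wildcard bind vs. loopback-only.
SAMPLE_BEFORE='udp UNCONN 0 0 0.0.0.0:11211 0.0.0.0:*
tcp LISTEN 0 1024 0.0.0.0:11211 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_AFTER='tcp LISTEN 0 1024 127.0.0.1:11211 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Demo on the samples. On a live host: ss -lntu | check_memcached_exposure
printf '%s\n' "$SAMPLE_BEFORE" | check_memcached_exposure || echo "-> not fixed yet"
printf '%s\n' "$SAMPLE_AFTER" | check_memcached_exposure && echo "OK: loopback-only"
```

Run it again after restarting memcached, since a changed bind address only shows up in the socket table once the service has been restarted.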
