memcached amplification attack

reason2008
Posts: 23
Joined: Fri Sep 12, 2014 11:51 pm

memcached amplification attack

Post by reason2008 »

Is this anything we need to be concerned about? My server is behind a firewall and doesn't allow the port addressed in the article.

https://blog.cloudflare.com/memcrashed- ... ort-11211/
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: memcached amplification attack

Post by phoenix »

Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
reason2008
Posts: 23
Joined: Fri Sep 12, 2014 11:51 pm

Re: memcached amplification attack

Post by reason2008 »

Thank you very much!
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: memcached amplification attack

Post by phoenix »

reason2008 wrote: Thank you very much!
You're welcome. :)
Regards

Bill

Chicken76
Posts: 26
Joined: Sat Sep 13, 2014 2:28 am

Re: memcached amplification attack

Post by Chicken76 »

This thread should be stickied.
Having to beg the Internet provider late at night to restore the connection at my office for a few minutes so I can add a firewall rule is not fun.
davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

Re: memcached amplification attack

Post by davidkillingsworth »

I have been affected by this. My ISP suspended my server because it was generating a huge amount of outbound UDP traffic.

They would not unblock it for 24 hours. They finally explained what was going on and then unblocked it, only for it to get blocked again in under an hour.

They sent me this link: https://blogs.akamai.com/2018/02/memcac ... tacks.html

What's the best approach for mitigating this?

EDIT: I read the wiki article, which explains what to do. Will have to wait until the hosting company un-suspends the account to fix.
And agreed, this needs to be stickied.
Chicken76
Posts: 26
Joined: Sat Sep 13, 2014 2:28 am

Re: memcached amplification attack

Post by Chicken76 »

Posting again because this needs emphasizing.

This is a serious denial-of-service attack! I managed to log in to the router of one of my affected networks but ssh was sooo laaaaaagy. The zimbra server alone (single server setup) was doing 500 Mbit UP!
I guess in a multi server zimbra environment you won't even be able to login to add the necessary firewall rules, unless you have a backup connection from a different provider.
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: memcached amplification attack

Post by zimico »

I had some trouble with the firewall (iptables), and when it was off my server's eth0 was sending 5 Gbps and generating 8 TB of traffic per hour. Now I have applied the configuration according to the WIKI and it is back to normal.
msquadrat
Advanced member
Posts: 183
Joined: Mon Oct 14, 2013 10:09 am

Re: memcached amplification attack

Post by msquadrat »

I created a pull request to have the Zimbra memcached UDP port disabled in Zimbra. Anybody struggling with iptables might have a look at the changes to zmmemcachedctl and apply them manually:
https://github.com/Zimbra/zm-core-utils/pull/13/files

That said, having the TCP port open to the world isn't good either, since people can read the innards of your reverse proxy routing information and maybe other stuff as well. I don't think any sessions are actually stored in memcached, but I might be wrong.
GlooM
Advanced member
Posts: 127
Joined: Sat Sep 13, 2014 12:50 am

Re: memcached amplification attack

Post by GlooM »

Hello!

Release 8.5.1.GA.3056.UBUNTU14.64 UBUNTU14_64 FOSS edition. (Single server installation)

For me this fix from the article:

su - zimbra
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedBindAddress 127.0.0.1
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedClientServerList 127.0.0.1

DOESN'T WORK!!!

Iptables rules work fine!

8 hours after turning on the firewall, it has dropped 61 megabytes of UDP traffic to this port!
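An added example, not from any poster in this thread and not part of Zimbra: a small POSIX sh audit that reads `ss -uln`-style output, flags any UDP 11211 listener bound to something other than loopback, and prints the firewall rules a defender would apply. The sample listener table is constructed, and the two iptables rules (loopback accept, everything else drop on the INPUT chain) are an assumption rather than the wiki's exact text.

```shell
#!/bin/sh
# Constructed sample in the column layout of `ss -uln`:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='UNCONN 0 0 0.0.0.0:11211 0.0.0.0:*
UNCONN 0 0 127.0.0.1:53 0.0.0.0:*
UNCONN 0 0 [::]:11211 [::]:*'

# exposed_memcached_udp: read ss-style lines on stdin; print every local
# address that listens for UDP 11211 and is not loopback. Exit status 0 when
# nothing is exposed, 1 when at least one exposed listener was found.
exposed_memcached_udp() {
    awk '{
            for (i = 1; i <= NF; i++) {
                if ($i ~ /:11211$/) {
                    addr = $i; sub(/:11211$/, "", addr)
                    if (addr != "127.0.0.1" && addr != "[::1]") {
                        print addr; found = 1
                    }
                }
            }
         }
         END { exit (found ? 1 : 0) }'
}

# memcached_udp_rules: print the assumed mitigation, inserted at the top of
# INPUT so loopback clients keep working while spoofed Internet requests to
# UDP 11211 (the amplification trigger) are dropped before memcached answers.
memcached_udp_rules() {
    cat <<'EOF'
iptables -I INPUT 1 -p udp --dport 11211 -j DROP
iptables -I INPUT 1 -i lo -p udp --dport 11211 -j ACCEPT
EOF
}

# Run the audit on the constructed sample (replace with: ss -uln | exposed_memcached_udp).
if printf '%s\n' "$SAMPLE_SS" | exposed_memcached_udp; then
    echo "memcached UDP 11211 is loopback-only or not listening"
else
    echo "memcached UDP 11211 is reachable on the addresses above; suggested rules:"
    memcached_udp_rules
fi
```

Memcached itself can also be started with `-U 0`, which turns its UDP listener off entirely, which is what the zmmemcachedctl change discussed above is aiming at.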