Memcached causing DDoS attack

First time I’m doing this, so hopefully this is what I should be doing… 🙂

I have been using Nethserver for some time and have had SOGo installed on a few installations. Periodically I would get a definite DDoS attack on memcached on these servers. I have used intrusion prevention and firewalling to mitigate these as best as possible, but they have continued. Today I found documentation on restricting memcached to local requests only, which I believe is all SOGo needs, by editing /etc/sysconfig/memcached and adding -l 127.0.0.1 to the options. As far as I know SOGo is the only service that needs memcached and it only needs it locally, so I think this should be added to the configuration when it is installed to avoid these DDoS attacks out of the box.

1 Like

AFAIK SOGo is no longer part of NethServer (as a standard package; it is part of nethforge, if I am not wrong), therefore the footprint is currently… smaller.
Anyway, let’s summon the wizard of SOGo, @stephdl who’s currently babysitting the package.

1 Like

Blind shot, and I have slept badly, but we have no TCP port open for that service

[root@prometheus ~]# config show memcached 
memcached=service
    status=enabled

of course we can read that we use the TCP port 11211

[root@prometheus ~]# cat /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS=""

and we have nothing open in the FW

[root@prometheus ~]# iptables -L | grep memcached
[root@prometheus ~]# iptables -L | grep 11211

for me memcached cannot communicate outside of the Server

Am I wrong?

You’re not wrong, probably. But if @Socs28 has opened a range of ports containing port 11211 (let’s say 10000-20000) he may be vulnerable.
To be on the safe side, we could add OPTIONS="-l 127.0.0.1" to /etc/sysconfig/memcached.

5 Likes

will do it ASAP

1 Like

@Socs28 would you like to test the fix?

Just execute:

yum --enablerepo=nethserver-testing update nethserver-memcached

Then verify that memcached is listening only on 127.0.0.1 using netstat.

2 Likes
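A small check that follows the verification steps above (confirm the OPTIONS line is present, then confirm memcached listens only on loopback), written here as an added example; it is not part of the thread or of the nethserver-memcached package, and it assumes the /etc/sysconfig/memcached layout quoted earlier and a netstat -lntu / ss -lntu style socket listing.

```shell
#!/bin/sh
# Added example, not NethServer's own code: verify memcached is reachable only on loopback.
# Assumes the /etc/sysconfig/memcached layout quoted in the thread and a
# `netstat -lntu` / `ss -lntu` style socket listing.

# Exit 0 when OPTIONS in the sysconfig file binds memcached to a loopback address.
memcached_conf_is_local() {
    opts=$(sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$1")
    case " $opts " in
        *" -l 127.0.0.1 "*|*" -l localhost "*|*" -l ::1 "*) return 0 ;;
    esac
    return 1
}

# Read a socket listing on stdin; exit 0 only when every TCP/UDP socket on
# port 11211 (shown as 11211 or the service name "memcache") is bound to
# 127.x, localhost or ::1. Prints any exposed local address it finds.
memcached_sockets_local_only() {
    exposed=$(awk '$1 ~ /^(tcp|udp)/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /:(11211|memcache)$/ && $i !~ /^(127\.|localhost|\[?::1)/)
                print $i
    }')
    [ -z "$exposed" ] && return 0
    printf 'memcached exposed on: %s\n' "$exposed" >&2
    return 1
}

# Constructed sample listings (not captured from a real host).
SAMPLE_LOCAL='Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 localhost:memcache 0.0.0.0:*
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN'

SAMPLE_EXPOSED='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:11211 0.0.0.0:*'

# Convenience wrapper so a listing held in a string can be checked.
check_listing() {
    printf '%s\n' "$1" | memcached_sockets_local_only
}

# Stand-alone use on a real host:
#   memcached_conf_is_local /etc/sysconfig/memcached && check_listing "$(netstat -lntu)"
```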

It adds the line to the config file correctly. This is what netstat shows:

udp 0 0 localhost:memcache 0.0.0.0:*

3 Likes

Please could you attach some formal testing to https://github.com/NethServer/dev/issues/6473

Yes, though I’ve never done that before. What kind of testing do you want to see? I don’t know how to simulate the attacks I was getting. I can show that the patch properly puts the line in the config file and show the netstat results.

When we push a patch with a pull request, we create a GitHub bug to track the tests. We have to attach to the GitHub issue some tests that the developer has requested in the QA.

This has been done by @federico.ballarini

https://github.com/NethServer/dev/issues/6473

1 Like