Memcached causing DDoS attack

First time I’m doing this, so hopefully this is what I should be doing… :slight_smile:

I have been using Nethserver for sometime and have had SOGo installed on a few installations. Periodically I would get a definite DDoS attach on memcached on these servers. I have used intrusion prevention and firewalling to mitigate these as best as possible, but they have continued. Today I found documentation of restricting memcached to local requests only, which I believe is all SOGo needs by editing /etc/sysconfig/memcached and adding -l to the options. As far as I know SOGo is the only service that needs memcached and it only needs it locally, so I think this should be added to the configuration when it is installed to avoid theses DDoS attacks out of the box.

1 Like

AFAIK SOGo is not anymore part of NethServer (as standard package, is part of nethforge, if I am not wrong) therefore the footprint is currently… smaller.
Anyway, let’s summon the wizard of SOGo, @stephdl who’s currently babysitting the package.

1 Like

blind shot and I have slept bad, but we have no TCP port opened for that service

[root@prometheus ~]# config show memcached 

ofcourse we can read we use the TCP port 11211

[root@prometheus ~]# cat /etc/sysconfig/memcached

and we have nothing opened in the FW

[root@prometheus ~]# iptables -L | grep memcached
[root@prometheus ~]# iptables -L | grep 11211

for me memcached cannot communicate outside of the Server

do I am wrong ?

You’re not wrong, probably. But if @Socs28 has opened a range of ports containing port 11211 (let’s say 10000-20000) he may be vulnerable.
To be on the safe side, we could add OPTIONS="-l" to /etc/sysconfig/memcached.


will do it ASAP

1 Like
1 Like

@Socs28 would you like to test the fix?

Just execute:

yum --enablerepo=nethserver-testing update nethserver-memcached

Then verify that memcached is listening only on using netstat.


It adds the line to the config file correctly. This is what netstat shows:

udp 0 0 localhost:memcache*


Please could you attach some formal testing to

Yes, thought I’ve never done that before. What kind of testing do you want to see? I don’t know how to simulate the attacks I was getting. I can show that the patch properly puts the line in the config file and show the netstat results.

When we push a patch with a pull request, we create a github bug to track the tests. We have to attach to the github issue some tests that the développer has requested in the QA.

This has been done by @federico.ballarini

1 Like