Subject: perfSONAR Announcements
[perfsonar-announce] memcached exploits and your perfSONAR boxes
- From: Andrew Lake
- Date: Thu, 1 Mar 2018 10:12:57 -0800
You have likely seen recent news about the UDP amplification attacks using memcached making the rounds the past couple days. perfSONAR does run memcached, but if you are running the firewall rules that ship with the perfSONAR toolkit or have separately installed the perfsonar-toolkit-security package, you should be protected, as the ports in question are blocked. This is hopefully most of you, since these rules are installed by default with the toolkit.
If you are NOT running our firewall rules you should verify UDP port 11211 is blocked on your system. You may also manually patch memcached to only listen on localhost by downloading a script put together by the perfSONAR project to update the config and restart memcached:
sudo bash configure_memcached_security
This script will be included in our next bugfix release in the perfsonar-toolkit-security package and run automatically on install/update. This is ultimately the best solution since it is not reliant solely on the firewall. We were already planning to release this, as the fact that memcached was listening on all ports was brought to our attention a couple weeks ago on this user list. It should also be noted that Debian/Ubuntu hosts are not affected, as the memcached package correctly listens on localhost by default.
Please let us know if you have any questions.
The perfSONAR Development Team
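Added example (not part of the original announcement, and not the perfSONAR project's configure_memcached_security script): one way to confirm that memcached is bound only to localhost on port 11211, by filtering `ss -lntu` output. The function name and the sample listings are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list memcached listeners (port 11211) that are bound to
# anything other than loopback. Reads `ss -lntu`-style output on stdin.
# Live use on a host:  ss -lntu | exposed_memcached_listeners

exposed_memcached_listeners() {
    awk '
        $5 ~ /:11211$/ {                 # column 5 is "Local Address:Port"
            addr = $5
            sub(/:11211$/, "", addr)     # strip the port, keep the address
            sub(/%.*$/, "", addr)        # drop an interface suffix such as %lo
            sub(/^\[/, "", addr)         # [::1] -> ::1
            sub(/\]$/, "", addr)
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only
            print $1, addr               # protocol and exposed bind address
        }'
}

# Constructed sample: memcached listening on all interfaces (the state the
# announcement warns about), plus an unrelated SSH listener.
SAMPLE_EXPOSED='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:11211       0.0.0.0:*
udp   UNCONN 0      0      [::]:11211          [::]:*
tcp   LISTEN 0      128    127.0.0.1:11211     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Constructed sample: memcached restricted to localhost.
SAMPLE_LOCAL='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:11211     0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:11211     0.0.0.0:*
tcp   LISTEN 0      128    [::1]:11211         [::]:*'

for name in SAMPLE_EXPOSED SAMPLE_LOCAL; do
    found=$(printf '%s\n' "${!name}" | exposed_memcached_listeners)
    if [ -n "$found" ]; then
        printf '%s: memcached reachable beyond localhost:\n%s\n' "$name" "$found"
    else
        printf '%s: memcached bound to localhost only\n' "$name"
    fi
done
```

A listener reported here may still be covered by the firewall rules, so check both the bind address and the UDP 11211 rule.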