memcached amplification attack

davidkillingsworth
Advanced member
Posts: 156
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: Release 8.8.6.GA.1906.UBUNTU14.64

Re: memcached amplification attack

Postby davidkillingsworth » Mon Mar 05, 2018 8:00 am

GlooM wrote:
Hello!

Release 8.5.1.GA.3056.UBUNTU14.64 UBUNTU14_64 FOSS edition. (Single server installation)

For me this fix from article:

su - zimbra
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedBindAddress 127.0.0.1
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedClientServerList 127.0.0.1

DOESN'T WORK!!!

Iptables rules work fine!

8 hours after turning on the firewall, it had dropped 61 megabytes of UDP traffic to this port!


I had the same problem, and I noticed that there was a whitespace at the end of the first line. Not sure if that made a difference.

I also rebooted my server fully, not just restarted memcached, and that did the trick.


GlooM
Advanced member
Posts: 66
Joined: Sat Sep 13, 2014 12:50 am

Re: memcached amplification attack

Postby GlooM » Mon Mar 05, 2018 8:12 am

davidkillingsworth wrote:
I also rebooted my server fully, not just restarted memcached, and that did the trick.


I rebooted the server completely (operating system reboot), not only Zimbra memcached. The fix didn't work, only the firewall.

Re: memcached amplification attack

Postby davidkillingsworth » Mon Mar 05, 2018 8:34 am

GlooM wrote:
davidkillingsworth wrote:
I also rebooted my server fully, not just restarted memcached, and that did the trick.


I rebooted the server completely (operating system reboot), not only Zimbra memcached. The fix didn't work, only the firewall.


I had the issue "come back" too, but as mentioned, once my ISP unsuspended my server, I logged in and re-typed the two commands from the WIKI making sure not to have any whitespace at the end, then I restarted zimbra fully.

After that I did a test by telnetting to ports 22, 587, and 11211 to make sure that the changes took place, and I was able to telnet to 22 and 587, but 11211 was now blocked.
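
Added example, not part of the original posts: a telnet test exercises only TCP, while the traffic the firewall dropped in this thread was UDP, so this script checks both kinds of listener on port 11211 for a non-loopback bind address. It parses `ss -lntu` style output; the sample listings are constructed, and `exposed_memcached` and `report` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread): list memcached listeners on port 11211
# that are bound to anything other than loopback, for TCP and UDP alike.
# Reads `ss -lntu` style lines on stdin: Netid State Recv-Q Send-Q Local Peer

exposed_memcached() {
    awk -v port="${1:-11211}" '
        $1 ~ /^(tcp|udp)/ {                 # skips the header line
            n = split($5, parts, ":")       # port is the last ":" field
            if (parts[n] != port) next
            addr = substr($5, 1, length($5) - length(parts[n]) - 1)
            gsub(/^\[|\]$/, "", addr)       # [::1] -> ::1
            sub(/%.*$/, "", addr)           # drop interface scope, e.g. %lo
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print $1, addr                  # protocol and non-loopback bind
        }'
}

# Constructed sample: default bind, memcached reachable on every interface.
SAMPLE_BEFORE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      *:11211            *:*
tcp   LISTEN 0      128    *:11211            *:*
tcp   LISTEN 0      128    *:22               *:*
tcp   LISTEN 0      100    *:587              *:*'

# Constructed sample: after binding to 127.0.0.1 and restarting.
SAMPLE_AFTER='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:11211    *:*
tcp   LISTEN 0      128    127.0.0.1:11211    *:*
tcp   LISTEN 0      128    *:22               *:*
tcp   LISTEN 0      100    *:587              *:*'

# Print a one-line verdict for a labelled listing (label, listing text).
report() {
    found=$(printf '%s\n' "$2" | exposed_memcached)
    if [ -n "$found" ]; then
        printf '%s: EXPOSED\n%s\n' "$1" "$found"
    else
        printf '%s: loopback only\n' "$1"
    fi
}

report "before" "$SAMPLE_BEFORE"
report "after" "$SAMPLE_AFTER"
# On a live host: ss -lntu | exposed_memcached
```

An empty result from `ss -lntu | exposed_memcached` on the server means neither the TCP nor the UDP socket on 11211 is bound to a routable address.
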

Re: memcached amplification attack

Postby GlooM » Mon Mar 05, 2018 8:43 am

davidkillingsworth wrote:
I had the issue "come back" too, but as mentioned, once my ISP unsuspended my server, I logged in and re-typed the two commands from the WIKI making sure not to have any whitespace at the end, then I restarted zimbra fully.

After that I did a test by telnetting to ports 22, 587, and 11211 to make sure that the changes took place, and I was able to telnet to 22 and 587, but 11211 was now blocked.


Very interesting. But now I will not disable the firewall.
