Testing on a recently-loaded VM of CentOS 7.3:
[root@localhost odd]# netstat -tan | grep 11211
[root@localhost odd]# netstat -uan | grep 11211
[root@localhost odd]# yum install memcached
[root@localhost odd]# systemctl start memcached.service
[root@localhost odd]# netstat -tan | grep 11211
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN
tcp6 0 0 :::11211 :::* LISTEN
[root@localhost odd]# netstat -uan | grep 11211
udp 0 0 0.0.0.0:11211 0.0.0.0:*
udp6 0 0 :::11211 :::*
Since CentOS is supposed to be a near bit-by-bit copy of Red Hat
Enterprise, this shows that when one loads memcached without modifying
the configuration and exposes 11211/udp to the world, one is now part
of the problem.
It also suggests that other near-clones of RHEL may also exhibit the
problem.
So I pulled the memcached repository from GitHub, and looked through the
commits. NOTHING about updates to prevent DDoS.
So I started looking around for the config file in the maintainer's Git
project. Here is what I found:
# These defaults will be used by every memcached instance, unless overridden
# by values in /etc/sysconfig/memcached.<port>
USER="nobody"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS=""
# The PORT variable will only be used by memcached.service, not by
# memcached@xxxxx services, which will use the xxxxx
PORT="11211"
Here is what CentOS has:
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS=""
What's missing from both of these system configuration files?
OPTIONS="-U 0"
From the memcached man page:
-U <num>
Listen on UDP port <num>, the default is port 11211, 0 is off.
So this answers the question about how anyone loading memcached fresh
from a distribution can be a major player in the DDoS game.
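As an added example (not part of the original post, and not memcached's or Red Hat's own tooling), here is a small POSIX shell audit that automates the two checks walked through above: whether `netstat -uan` shows memcached bound to UDP 11211 on a wildcard address, and whether the sysconfig file's OPTIONS line carries the `-U 0` switch the man page documents for turning UDP off. It also rewrites a sysconfig text to add `-U 0`. The function names, the verdict words they print, and the sample inputs are my own constructions; the sample netstat lines mirror the post's CentOS output and the sample sysconfig mirrors the CentOS file shown above.

```shell
#!/bin/sh
# Added example: audit a memcached host for the open-UDP default described
# in the post. Every function reads its input from stdin so it works on
# captured text (as here) and on a live host, e.g.
#   netstat -uan | udp_11211_exposed
#   udp_disabled_in_sysconfig < /etc/sysconfig/memcached
# Function names and sample data below are assumptions made for this example.

# Prints "exposed" when a udp/udp6 socket on port 11211 is bound to a
# wildcard address (0.0.0.0 or ::), otherwise "closed".
udp_11211_exposed() {
    if grep -E '^udp6?[[:space:]]' |
       awk '$4 ~ /^(0\.0\.0\.0:|:::)11211$/ { found = 1 }
            END { exit (found ? 0 : 1) }'; then
        echo exposed
    else
        echo closed
    fi
}

# Prints "udp-off" when the OPTIONS line of a sysconfig text contains the
# "-U 0" switch (memcached accepts "-U 0" and "-U0"), otherwise "udp-on".
udp_disabled_in_sysconfig() {
    opts=$(sed -n 's/^OPTIONS="\(.*\)"$/\1/p')
    case " $opts " in
        *" -U 0 "*|*" -U0 "*) echo udp-off ;;
        *)                    echo udp-on  ;;
    esac
}

# Copies a sysconfig text to stdout, appending "-U 0" to OPTIONS unless it
# is already there. Other lines pass through unchanged.
harden_sysconfig() {
    awk '
        /^OPTIONS="/ {
            sub(/^OPTIONS="/, ""); sub(/"$/, "")
            if ($0 !~ /(^| )-U ?0( |$)/)
                $0 = ($0 == "" ? "-U 0" : $0 " -U 0")
            print "OPTIONS=\"" $0 "\""
            next
        }
        { print }
    '
}

# Constructed sample: the netstat -uan lines from a fresh install (wildcard bind).
NETSTAT_DEFAULT='udp        0      0 0.0.0.0:11211           0.0.0.0:*
udp6       0      0 :::11211                :::*'

# Constructed sample: UDP still on but bound to loopback only (memcached -l 127.0.0.1).
NETSTAT_LOOPBACK='udp        0      0 127.0.0.1:11211         0.0.0.0:*'

# Constructed sample: the CentOS /etc/sysconfig/memcached shown in the post.
CENTOS_SYSCONFIG='PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS=""'

main() {
    echo "default install, netstat:  $(printf '%s\n' "$NETSTAT_DEFAULT"  | udp_11211_exposed)"
    echo "loopback-only, netstat:    $(printf '%s\n' "$NETSTAT_LOOPBACK" | udp_11211_exposed)"
    echo "CentOS sysconfig:          $(printf '%s\n' "$CENTOS_SYSCONFIG" | udp_disabled_in_sysconfig)"
    echo "--- hardened sysconfig ---"
    printf '%s\n' "$CENTOS_SYSCONFIG" | harden_sysconfig
    echo "hardened sysconfig:        $(printf '%s\n' "$CENTOS_SYSCONFIG" | harden_sysconfig | udp_disabled_in_sysconfig)"
}

main "$@"
```

The netstat check deliberately keys on the bound address, not just the port: a host running memcached with `-l 127.0.0.1` still shows a UDP socket but is not reachable as a reflector, whereas the wildcard bind from the stock sysconfig is. The sysconfig rewrite is idempotent, so it can be run on every host in a fleet without doubling up the switch; after editing the real file, `systemctl restart memcached.service` and re-run the netstat check to confirm the UDP listener is gone.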
Now, in a lame defense of Red Hat, when one turns on the firewalld
daemon, that daemon implements a mostly-closed access policy.
"memcached" is not listed in the named services. Furthermore, looking
at the output of 'iptables -vnL' I saw no way that a 11211/udp packet
would make its way through the firewall.
The policy of "defense in depth" would argue that setting the default to
disable 11211/udp is still the right thing(r) to do.