memcached is currently involved in some massive DDoS attacks, as its UDP protocol allows it to be abused for amplification attacks. Background: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ The default configuration in Gentoo enables the UDP port. Upstream's version 1.5.6 changes the default to disable UDP; however, in Gentoo this does not happen, as the init script will actively enable UDP by passing -U in the default setting. The init script should be changed in a way that UDP only gets enabled if a user actively wants it. (One may even argue that it's such a problematic protocol that it shouldn't be supported at all by the init script.)
(In reply to Hanno Boeck from comment #0)
> The default configuration in Gentoo enables the UDP port.
Only when no sockets are used. (https://gitweb.gentoo.org/repo/gentoo.git/tree/net-misc/memcached/files/memcached.init2#n55) We also warn when listening on 0.0.0.0 (https://gitweb.gentoo.org/repo/gentoo.git/tree/net-misc/memcached/files/memcached.init2#n28). I would suggest setting "LISTENON" to "127.0.0.1" per default and maybe uncommenting "SOCKET" per default, so that we ensure that no Gentoo system can be abused out of the box if the administrator forgets to set up a firewall, but no need to daemonize UDP usage in general.
Thomas, all your change proposals sound good, but I'd go one step further: even if a user changes to not using sockets, disable UDP by default. E.g. we could comment out UDPPORT by default in conf.d/memcached and only pass -U {UDPPORT} if it's set. From the upstream announcement it sounds to me like UDP-based memcached is basically considered a deprecated protocol that has little use today.
> E.g. we could comment out UDPPORT by default in conf.d/memcached and only
> pass -U {UDPPORT} if it's set.
ACK.
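An added illustration of the opt-in UDP logic proposed in the two comments above, written as a small POSIX sh helper; it is not the actual Gentoo init script. It assumes the conf.d variable names LISTENON, SOCKET, PORT and UDPPORT mentioned in the thread and a hypothetical function name memcached_opts:

```shell
#!/bin/sh
# Hypothetical helper (not Gentoo's memcached.init2): build memcached's
# argument list from /etc/conf.d/memcached-style variables. UDP is strictly
# opt-in: -U <port> is passed only when UDPPORT is set and non-empty.
#
# Prints the option string. Returns 1 when the configuration would expose
# a UDP listener on all interfaces (0.0.0.0), which is the amplification case.
memcached_opts() {
    opts=""
    if [ -n "${SOCKET}" ]; then
        # A Unix socket means no TCP or UDP network listener at all.
        opts="-s ${SOCKET}"
    else
        listen="${LISTENON:-127.0.0.1}"   # proposed safe default: loopback only
        opts="-l ${listen} -p ${PORT:-11211}"
        if [ -n "${UDPPORT}" ]; then
            if [ "${listen}" = "0.0.0.0" ]; then
                echo "warning: memcached UDP on 0.0.0.0 can be abused for amplification" >&2
                echo "${opts} -U ${UDPPORT}"
                return 1
            fi
            opts="${opts} -U ${UDPPORT}"
        else
            # -U 0 turns UDP off explicitly, so this stays safe even with
            # memcached releases older than 1.5.6 that default UDP to on.
            opts="${opts} -U 0"
        fi
    fi
    echo "${opts}"
}
```

Run with the conf.d variables in the environment, e.g. `UDPPORT= LISTENON=127.0.0.1 sh -c '. ./helper.sh; memcached_opts'`.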
Please do this… I got bitten by it while switching a machine to systemd. LISTENON="127.0.0.1" was set in /etc/conf.d/memcached but most settings in that file are not honored by memcached's systemd unit.
Maintainer(s): Ping.
Ping