disable UDP port by default · memcached/memcached@dbb7a8a · GitHub
Skip to content

Commit

Permalink
disable UDP port by default
Browse files Browse the repository at this point in the history 
As reported, UDP amplification attacks have started to use insecure
internet-exposed memcached instances. UDP used to be a lot more popular as a
transport for memcached many years ago, but I'm not aware of many recent
users.

Ten years ago, the TCP connection overhead from many clients was relatively
high (dozens or hundreds per client server), but these days many clients are
batched, or user fewer processes, or simply anre't worried about it.

While changing the default to listen on localhost only would also help, the
true culprit is UDP. There are many more use cases for using memcached over
the network than there are for using the UDP protocol.
  • Loading branch information
@dormando
dormando committed Feb 27, 2018
1 parent 1276ad2 commit dbb7a8a
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 6 deletions.
6 changes: 2 additions & 4 deletions memcached.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -222,7 +222,7 @@ static void settings_init(void) {
settings.use_cas = true;
settings.access = 0700;
settings.port = 11211;
settings.udpport = 11211;
settings.udpport = 0;
/* By default this string should be NULL for getaddrinfo() */
settings.inter = NULL;
settings.maxbytes = 64 * 1024 * 1024; /* default is 64MB */
Expand Down Expand Up @@ -7479,9 +7479,7 @@ int main (int argc, char **argv) {
}
}

if (tcp_specified && settings.port != 0 && !udp_specified) {
settings.udpport = settings.port;
} else if (udp_specified && settings.udpport != 0 && !tcp_specified) {
if (udp_specified && settings.udpport != 0 && !tcp_specified) {
settings.port = settings.udpport;
}

Expand Down
4 changes: 2 additions & 2 deletions t/issue_67.t
View file
Original file line number Diff line number Diff line change
Expand Up @@ -77,11 +77,11 @@ sub when {

# Disabling the defaults since it conflicts with a running instance.
# when('no arguments', '', 11211, 11211);
when('specifying tcp port', '-p 11212', 11212, 11212);
when('specifying tcp port', '-p 11212', 11212, -1);
when('specifying udp port', '-U 11222', 11222, 11222);
when('specifying tcp ephemeral port', '-p -1', 0, 0);
when('specifying udp ephemeral port', '-U -1', 0, 0);
when('tcp port disabled', '-p 0', -1, 11211);
when('tcp port disabled', '-p 0', -1, -1);
when('udp port disabled', '-U 0', 11211, -1);
when('specifying tcp and udp ports', '-p 11232 -U 11233', 11232, 11233);
when('specifying tcp and disabling udp', '-p 11242 -U 0', 11242, -1);
Expand Down

4 comments on commit dbb7a8a

@xuy1202
Copy link

@xuy1202 xuy1202 commented on dbb7a8a Mar 6, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good job~

@random-atom
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good decision, but a change like this should include a comment in the code explaining why the port is set to 0 so that it isn't accidentally "fixed" by someone in the future.

@Beyond-My
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I want to know why the port is set to 0?

@dormando
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0 means off.

Please sign in to comment.