StatsD often listens on UDP and can be abused for noisy metric injection.
- Bind StatsD to private interfaces only.
- Restrict sender networks with host firewall rules.
- Avoid exposing UDP metric ports publicly.
Abuse and Cardinality Protection
- Apply metric namespace controls to avoid unbounded cardinality.
- Set rate limits or upstream filtering for noisy clients.
- Monitor packet rate anomalies and dropped metrics.
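
The controls listed above, sketched as an upstream filter that decides whether each StatsD line is forwarded. This is an added example, not code from the original page or from StatsD itself; the prefixes, limits, drop-reason names and the `StatsdFilter` class are assumptions chosen for illustration.

```python
import re
import time
from collections import defaultdict

# Assumed policy values (hypothetical; tune per deployment).
ALLOWED_PREFIXES = ("app.web.", "app.worker.")  # permitted namespaces
MAX_SERIES_PER_PREFIX = 3        # cap on distinct metric names per namespace
RATE_PER_SEC, BURST = 5.0, 5.0   # token bucket per sender address

# name:value|type[|@sample_rate]; numeric counters, gauges and timers only
# (restricting to these three types is a simplification for this sketch).
LINE_RE = re.compile(
    r"([A-Za-z0-9_.\-]{1,128}):([+-]?\d+(?:\.\d+)?)\|(c|g|ms)(\|@\d*\.?\d+)?")


class StatsdFilter:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.series = defaultdict(set)    # prefix -> metric names accepted
        self.buckets = {}                 # sender -> (tokens, last refill time)
        self.dropped = defaultdict(int)   # drop reason -> count, for alerting

    def _take_token(self, sender):
        now = self.clock()
        tokens, last = self.buckets.get(sender, (BURST, now))
        tokens = min(BURST, tokens + (now - last) * RATE_PER_SEC)
        allowed = tokens >= 1.0
        self.buckets[sender] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def check(self, sender, line):
        """Return None to forward the line, or a string naming the drop reason."""
        reason = None
        m = LINE_RE.fullmatch(line.strip())
        if not self._take_token(sender):
            reason = "rate_limited"
        elif m is None:
            reason = "malformed"
        else:
            name = m.group(1)
            prefix = next((p for p in ALLOWED_PREFIXES if name.startswith(p)), None)
            known = self.series[prefix] if prefix else set()
            if prefix is None:
                reason = "namespace"
            elif name not in known and len(known) >= MAX_SERIES_PER_PREFIX:
                reason = "cardinality"
            else:
                known.add(name)
        if reason:
            self.dropped[reason] += 1
        return reason
```

The `dropped` counters are the signal to alert on. Because UDP source addresses can be spoofed, a production version should also bound and expire the per-sender bucket table.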