Openly Accessible Memcached Server
Memcached is an open source, high-performance, distributed memory object caching system, used in speeding up dynamic web applications by alleviating database load. Memcached caches frequently used data to improve internal access speeds. By default, memcached listens on ports 11211/TCP and 11211/UDP.
A memcached server that is openly accessible on the Internet via UDP may be abused for Distributed Reflective Denial-of-Service (DRDoS) attacks against third parties. Because UDP lets a sender forge the source address and memcached answers a small request with a very large response, extremely high amplification factors can be achieved, which poses a serious security threat.
If a memcached server is openly accessible from the Internet via TCP or UDP and is using the default, insecure configuration, anyone who can connect to the server has unrestricted access to the data stored in it. An attacker could modify or delete that data, or steal sensitive information such as login credentials for web applications or customer data.
To establish if a host has an openly accessible service on the Internet, utility programs included with a standard Linux/Ubuntu distribution can be used. The test should not be run on the host itself or from the local network but instead from a different node on the Internet.
In the following examples, replace the TARGET_IP with the IP address of the memcached host.
To confirm if a memcached server is openly accessible from the Internet via TCP, the utility program netcat can be used as follows:
$ echo "stats" | netcat TARGET_IP 11211
An openly accessible memcached server will return information similar to this output:
STAT pid 12716
STAT uptime 302
STAT time 1581331616
STAT version 1.4.25 Ubuntu
STAT libevent 2.0.21-stable
STAT pointer_size 64
STAT rusage_user 0.000000
STAT rusage_system 0.018605
STAT curr_connections 1
STAT total_connections 2
STAT connection_structures 2
STAT reserved_fds 20
STAT limit_maxbytes 67108864
STAT hash_bytes 524288
END
Note: In this example, the number of statistics shown has been reduced.
If the memcached server is not openly accessible on the Internet, the utility program netcat will return one of the following error messages:
netcat: connect to TARGET_IP port 11211 (tcp) failed: Connection refused
netcat: connect to TARGET_IP port 11211 (tcp) failed: Connection timed out
To confirm if the memcached server is openly accessible from the Internet via UDP, the utility program netcat can be used as follows:
$ echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | netcat -u TARGET_IP 11211
An openly accessible memcached server will return information similar to that which was shown above for TCP.
- Do not expose a memcached server to the Internet.
- Ensure that Simple Authentication and Security Layer (SASL) authentication has been configured and enabled on the memcached server.
- Restrict access to the memcached server to trusted systems in the server’s configuration or within a trusted environment.
- On the firewall, block incoming connections from the Internet to ports 11211/TCP and 11211/UDP.
- Disable the UDP port. UDP is normally not required.
- Starting the server with $ memcached -U 0 switches UDP off; alternatively, add the parameter -U 0 at the end of the file /etc/memcached.conf. Restart the service to apply the change.
- If remote access is necessary, use a Virtual Private Network (VPN).
- Keep the memcached server installation up to date. Install security updates and software updates when they are released.