Memcached is a popular open-source, distributed in-memory caching system, used to cache data and reduce the load on heavier data stores such as disks and databases. It is easy to deploy, keeps objects in memory, and is designed to serve many open connections at once. Recently, security researchers at Cloudflare, Arbor Networks and the Chinese security firm Qihoo 360 reported attackers widely abusing exposed Memcached servers to amplify their DDoS traffic by more than 51,000 times compared with the traffic they sent, enough to knock out Internet infrastructure and major websites. The DDoSMon service from Qihoo 360 (https://ddosmon.net/insight/) monitors amplification attack vectors; its chart of recent memcached/11211 attacks was shown here.
Root Cause
A Memcached server listens on port 11211 over both TCP and UDP by default, and its classic text protocol has no authentication. An attacker capable of IP spoofing sends a large number of forged UDP requests, with the source address set to the victim, to an open Memcached server. The server answers every forged request with response packets (each UDP datagram is up to about 1,400 bytes, and one request can trigger hundreds of them), and all of these responses land on the unsuspecting target host, consuming a huge amount of its network resources. The abuse is easy to set up: the attacker first plants a large value in the cache with an ordinary set command, then sends spoofed get requests for that key with the target's IP as the source. Because a request of a few bytes can trigger a response of hundreds of kilobytes, even an attacker with limited IP-spoofing capacity can generate an attack many times greater than its own network capacity with Memcached UDP DDoS; the researchers observed amplification factors above 51,000.
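To make the amplification arithmetic concrete, the following added model (not code from the page, from the researchers cited above, or from the memcached project) reproduces the two-step abuse offline: it frames a `get` request the way a UDP client does, builds the server's reply for a planted value, and splits that reply into datagrams the way the server does. It assumes memcached's real UDP framing, an 8-byte header of request id, sequence number, datagram count and a reserved field, and its 1,400-byte cap on each UDP datagram; the planted value is a constructed filler payload. With a default-maximum 1 MB item the ceiling is about 70,000x, above the 51,000x figure reported above, which Cloudflare derived from a 15-byte request and a roughly 750 kB observed reply.

```python
import struct

# Memcached's UDP framing: an 8-byte header (request id, sequence number,
# total datagrams in the message, reserved 0) in front of the text protocol.
UDP_HEADER = struct.Struct("!HHHH")
# memcached caps each UDP datagram (header included) at 1400 bytes, which is
# the "approx. 1400 bytes" per response packet this page refers to.
UDP_MAX_DATAGRAM = 1400
DEFAULT_MAX_ITEM = 1024 * 1024  # memcached's default item size limit (-I)


def build_request(command: bytes, request_id: int = 1) -> bytes:
    """Frame one text-protocol command as a single UDP datagram."""
    return UDP_HEADER.pack(request_id, 0, 1, 0) + command


def build_get_response(key: bytes, value: bytes, flags: int = 0) -> bytes:
    """Text-protocol reply for a cache hit: VALUE <key> <flags> <bytes>, data, END."""
    return b"VALUE %s %d %d\r\n%s\r\nEND\r\n" % (key, flags, len(value), value)


def split_into_datagrams(response: bytes, request_id: int = 1) -> list:
    """Split one reply into UDP datagrams the way the server does: every
    datagram carries the 8-byte header plus up to 1392 bytes of the reply,
    so a large reply becomes hundreds of datagrams, all sent to the spoofed
    source address."""
    chunk = UDP_MAX_DATAGRAM - UDP_HEADER.size
    chunks = [response[i:i + chunk] for i in range(0, len(response), chunk)] or [b""]
    total = len(chunks)
    return [UDP_HEADER.pack(request_id, seq, total, 0) + c
            for seq, c in enumerate(chunks)]


def parse_datagram(datagram: bytes) -> tuple:
    """Return (request_id, seq, total, payload) for one response datagram."""
    request_id, seq, total, _ = UDP_HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[UDP_HEADER.size:]


def simulate_attack(value_size: int = DEFAULT_MAX_ITEM, key: bytes = b"a") -> dict:
    """Model the two-step abuse: the attacker first stores a value of
    value_size bytes under key (a real `set`, sent from the attacker's own
    address), then sends `get key` with the victim's IP as the source.
    The value is a constructed filler payload, not real cached data."""
    value = b"A" * value_size
    request = build_request(b"get %s\r\n" % key)
    datagrams = split_into_datagrams(build_get_response(key, value))
    response_bytes = sum(len(d) for d in datagrams)
    return {
        "request_bytes": len(request),
        "datagrams": len(datagrams),
        "response_bytes": response_bytes,
        "amplification": response_bytes / len(request),
    }


if __name__ == "__main__":
    for size in (100, 10_000, DEFAULT_MAX_ITEM):
        r = simulate_attack(size)
        print("value %7d B -> %3d B request, %4d datagrams, %9d B response, x%.0f"
              % (size, r["request_bytes"], r["datagrams"], r["response_bytes"],
                 r["amplification"]))
```

The request for a one-character key is exactly 15 bytes (8-byte header plus `get a\r\n`), while the reply grows with whatever the attacker managed to store, which is why the factor is bounded only by the server's item size limit.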
How to Prevent Memcached abuse?
- Configure a firewall
Ensure that your Memcached service is reachable only from trusted hosts, and configure a firewall to block all access to the service from the public Internet. The default port used by Memcached is 11211, on both TCP and UDP, so both must be filtered.
- Disable UDP
Very few clients need UDP, so unless one of yours does, turn the UDP listener off entirely by starting memcached with -U 0 (from version 1.5.6 onward UDP is disabled by default). Then verify from an external host that port 11211 is not reachable from the Internet; a port-check service such as https://portchecker.co/ can confirm this for TCP. If you are not using Memcached at all, stop and disable the service.
- Restrict Memcached to localhost
One of the easiest ways to prevent your Memcached servers from being abused is to bind Memcached to localhost and disable the UDP listener on port 11211 (11211 is the server's listening port, not a source port). Both are set through the service's start-up options:
[CentOS/RHEL machines] - edit /etc/sysconfig/memcached and set the binding with -l in the OPTIONS line, e.g. OPTIONS="-l 127.0.0.1 -U 0" (the -U 0 disables UDP), then restart the service.
[Debian and Ubuntu machines] - set the binding in /etc/memcached.conf with a line -l 127.0.0.1, add a line -U 0 to disable UDP, then restart the service.
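To check a configuration before restarting, and to confirm from outside that UDP really is closed, here is an added audit and probe script. It is not from the page or from the memcached project; it assumes the two file layouts named above (an OPTIONS="..." line, or one option per line), and `probe_udp` sends the same `stats` command over memcached's 8-byte UDP frame that attackers and Internet-wide scanners use, so run it only against hosts you are authorised to test. The config text in the usage section is constructed for illustration.

```python
import shlex
import socket
import struct

UDP_HEADER = struct.Struct("!HHHH")  # request id, seq, total datagrams, reserved
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def extract_args(config_text: str) -> list:
    """Pull memcached's start-up arguments out of either config style:
    OPTIONS="..." (CentOS/RHEL sysconfig) or one option per line
    (Debian/Ubuntu memcached.conf). Comments and blank lines are skipped."""
    args = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("OPTIONS="):
            line = line[len("OPTIONS="):].strip().strip("\"'")
        args.extend(shlex.split(line))
    return args


def audit(config_text: str) -> dict:
    """Report whether the config implements this page's mitigations:
    bound to loopback only, and UDP listener disabled (-U 0)."""
    args = extract_args(config_text)
    listen, udp_port, tcp_port = [], None, 11211
    i = 0
    while i < len(args):
        opt = args[i]
        val = args[i + 1] if i + 1 < len(args) else None
        if opt == "-l" and val is not None:
            for addr in val.split(","):
                addr = addr.strip()
                if addr.count(":") == 1:      # IPv4 addr:port form; drop the port
                    addr = addr.split(":")[0]
                listen.append(addr)
            i += 2
        elif opt == "-U" and val is not None:
            udp_port = int(val)
            i += 2
        elif opt == "-p" and val is not None:
            tcp_port = int(val)
            i += 2
        else:
            i += 1
    return {
        "listen": listen,
        # no -l at all means memcached binds every interface
        "bound_to_loopback": bool(listen) and all(a in LOOPBACK for a in listen),
        "udp_port": udp_port,
        # Versions before 1.5.6 turned UDP on when -U was absent; 1.5.6+ leave it
        # off. The config alone cannot tell, so only an explicit -U 0 counts.
        "udp_disabled": udp_port == 0,
        "tcp_port": tcp_port,
    }


def harden(args: list) -> str:
    """Rebuild a sysconfig OPTIONS line with loopback binding and UDP off
    enforced; every other option (-m, -c, -u, ...) is kept as it was."""
    kept, i = [], 0
    while i < len(args):
        if args[i] in ("-l", "-U") and i + 1 < len(args):
            i += 2          # drop the old binding / UDP port and its value
        else:
            kept.append(args[i])
            i += 1
    return 'OPTIONS="%s"' % " ".join(kept + ["-l", "127.0.0.1", "-U", "0"])


def probe_udp(host: str, port: int = 11211, timeout: float = 2.0):
    """Send one `stats` request over UDP, as the attacker (and the scanners)
    would, and report how much comes back. None means no reply within the
    timeout, i.e. UDP is closed, filtered or bound elsewhere. Only run this
    against hosts you are authorised to test."""
    request = UDP_HEADER.pack(1, 0, 1, 0) + b"stats\r\n"
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            while True:
                data, _ = sock.recvfrom(65535)
                received.append(data)
                _, _, total, _ = UDP_HEADER.unpack_from(data)
                if len(received) >= total:
                    break
        except socket.timeout:
            pass
    if not received:
        return None
    total_bytes = sum(len(d) for d in received)
    return {"datagrams": len(received), "bytes": total_bytes,
            "amplification": total_bytes / len(request)}


if __name__ == "__main__":
    # constructed sample of an exposed CentOS-style config, not a real host's file
    sample = 'OPTIONS="-m 64 -c 1024 -l 0.0.0.0"'
    print(audit(sample))
    print(harden(extract_args(sample)))
```

Binding to 127.0.0.1 alone already keeps both listeners off the network, but `audit` still insists on an explicit -U 0, since a later change to -l would otherwise silently re-expose UDP.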
References: http://memcached.org/ and https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/