How to secure your Memcached servers & prevent attacks?

Memcached is a popular open-source, distributed, in-memory caching system meant to cache data and reduce the strain on heavier data stores such as disks or databases. It is easy to deploy, keeps objects in RAM, and is designed to serve many open connections at once.

In early 2018, security researchers at Cloudflare, Arbor Networks and the Chinese security firm Qihoo 360 observed attackers widely abusing exposed Memcached servers to amplify their DDoS traffic by a factor of more than 51,000 over the bandwidth they actually send. Attacks of that size can knock major websites, and parts of the Internet infrastructure itself, offline.

[Chart: recent memcached/11211 attacks, from DDoSMon by Qihoo 360 (https://ddosmon.net/insight/), which monitors amplification attack vectors]

Root Cause

Memcached listens on port 11211 over both TCP and UDP. UDP is connectionless, so an attacker capable of IP spoofing can send a large number of forged requests, carrying the victim's address as the source, to an open Memcached server's UDP port. The server answers every forged request with one or more response datagrams (each roughly 1400 bytes, and a single request can trigger many of them). All of these responses are delivered to the unsuspecting target host, whose network capacity is quickly exhausted.

Exploiting this takes two steps: the attacker first stores a large value on the exposed server with a "set" command, then sends "get" requests for that key over UDP with the source IP spoofed to the target's address. The request is only a few bytes while the reply carries the whole stored value, so even an attacker with limited IP-spoofing bandwidth can generate an attack orders of magnitude larger than their own network capacity.


How to Prevent Memcached abuse?

  • Configure a firewall

Ensure that your Memcached service is reachable only from trusted hosts, and set up a firewall that blocks all access to it from the public Internet. The default port used by Memcached is 11211, on both TCP and UDP, so filter both.

  • Disable UDP

Memcached only needs UDP if your clients actually use it, and most do not. Start memcached with -U 0 to turn the UDP listener off entirely (memcached 1.5.6 and later ship with UDP disabled by default). Then confirm that port 11211 is not reachable from the Internet, for example with an external port checker such as https://portchecker.co/. If you are not using Memcached at all, stop and disable the service.

  • Restrict Memcached to localhost

One of the easiest ways to prevent your Memcached servers from being abused is to bind Memcached to localhost (or to an internal interface that is not reachable from the Internet) and to disable UDP on port 11211.

The bind address is set through the service's start-up options; restart the service after changing them.

[CentOS/RHEL machines] – edit /etc/sysconfig/memcached and add the bind address with -l, for example OPTIONS="-l 127.0.0.1" (append -U 0 to the same OPTIONS value to disable UDP as well).

[Debian and Ubuntu machines] – the bind address is set in /etc/memcached.conf with the line -l 127.0.0.1 (that file takes one option per line, so -U 0 goes on a line of its own).
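The two halves of this post, the root cause above and the "check that port 11211 is closed" step here, both come down to the same thing: whether a host answers Memcached commands over UDP. The following Python example is added for this page and is not code from the memcached project. It builds and parses the 8-byte Memcached UDP frame header (request id, sequence number, total datagrams, reserved), reassembles a multi-datagram reply, works out the amplification factor for a constructed spoofed "get" scenario, and provides a small probe you can point at your own servers to confirm that UDP is disabled or firewalled. The 1400-byte datagram size is taken from the figure quoted above and the probe command, "stats", and the sample value sizes are assumptions made for the example. Only probe hosts you are responsible for.

```python
import socket
import struct
from typing import List, Tuple

MEMCACHED_PORT = 11211
# Memcached UDP frame header: request id, sequence number, total datagrams in
# this message, reserved (must be 0); four 16-bit big-endian integers.
UDP_HEADER = struct.Struct("!HHHH")
MAX_DATAGRAM = 1400  # assumed per-datagram size of a UDP reply (see the text above)


def build_udp_frame(command: bytes, request_id: int = 0x1234,
                    seq: int = 0, total: int = 1) -> bytes:
    """Prefix an ASCII memcached command (or one reply chunk) with the UDP header."""
    return UDP_HEADER.pack(request_id, seq, total, 0) + command


def parse_udp_frame(datagram: bytes) -> Tuple[int, int, int, bytes]:
    """Split a datagram into (request_id, seq, total, payload); reject malformed headers."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than the 8-byte memcached UDP header")
    request_id, seq, total, reserved = UDP_HEADER.unpack_from(datagram)
    if reserved != 0 or total == 0 or seq >= total:
        raise ValueError("invalid memcached UDP header")
    return request_id, seq, total, datagram[UDP_HEADER.size:]


def split_reply(payload: bytes, request_id: int) -> List[bytes]:
    """Chunk a reply the way a UDP server must: many datagrams sharing one request id."""
    chunk = MAX_DATAGRAM - UDP_HEADER.size
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    return [build_udp_frame(p, request_id, seq, len(pieces)) for seq, p in enumerate(pieces)]


def reassemble(datagrams: List[bytes]) -> bytes:
    """Order datagrams by sequence number (they may arrive out of order) and check none are missing."""
    parsed = [parse_udp_frame(d) for d in datagrams]
    if len({p[0] for p in parsed}) != 1 or len({p[2] for p in parsed}) != 1:
        raise ValueError("datagrams belong to different messages")
    total = parsed[0][2]
    by_seq = {p[1]: p[3] for p in parsed}
    if sorted(by_seq) != list(range(total)):
        raise ValueError("missing or duplicate datagrams")
    return b"".join(by_seq[i] for i in range(total))


def amplification_factor(request: bytes, replies: List[bytes]) -> float:
    """Bytes the server puts on the wire per byte the (spoofing) attacker sent."""
    return sum(len(r) for r in replies) / len(request)


def simulate_spoofed_get(stored_value_size: int) -> float:
    """Constructed scenario: the attacker has already stored a value of this size with 'set',
    then sends one spoofed 'get' whose whole reply is delivered to the victim."""
    request = build_udp_frame(b"get k\r\n")            # 8-byte header + 7-byte command
    value = b"A" * stored_value_size
    reply_text = b"VALUE k 0 %d\r\n" % stored_value_size + value + b"\r\nEND\r\n"
    replies = split_reply(reply_text, request_id=0x1234)
    if reassemble(replies) != reply_text:
        raise AssertionError("reply did not survive the round trip")
    return amplification_factor(request, replies)


def probe_udp(host: str, port: int = MEMCACHED_PORT, timeout: float = 2.0) -> List[bytes]:
    """Send one 'stats' command over UDP to a host you own and collect the reply datagrams.
    An empty list means no UDP answer (UDP disabled or firewalled); a non-empty list means
    the host would answer a spoofed request the same way."""
    request = build_udp_frame(b"stats\r\n")
    replies: List[bytes] = []
    expected = None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            while expected is None or len(replies) < expected:
                data, _ = sock.recvfrom(65535)
                replies.append(data)
                expected = parse_udp_frame(data)[2]
        except socket.timeout:
            pass
    return replies


if __name__ == "__main__":
    print("amplification for a 100 KB stored value: %.0fx" % simulate_spoofed_get(100_000))
    print("UDP replies from localhost:", len(probe_udp("127.0.0.1")))
```

With a 100 KB stored value the 15-byte spoofed "get" produces 72 datagrams and roughly 6,700 bytes of reply per byte sent; the default 1 MB value limit pushes that well past the figure quoted above, which is why binding to localhost and starting with -U 0 (after which probe_udp returns nothing) matters more than any rate limit.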

References –
http://memcached.org/
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/