Internet Accessible Memcached Server
Description
Memcached is an open source, high-performance, distributed memory object caching system, used in speeding up dynamic web applications by alleviating database load. Memcached caches frequently used data to improve internal access speeds.
Memcached listens on port 11211/TCP and port 11211/UDP.
Problem
A memcached server that is openly accessible on the Internet via UDP can be abused as a reflector in a Distributed Reflection Denial-of-Service (DRDoS) amplification attack against a third party. Because memcached over UDP answers a small request with a much larger response, extremely high amplification factors are possible, which poses a serious security threat.
If a memcached server is openly accessible from the Internet via TCP or UDP and runs with the default, unauthenticated configuration, anyone who can connect to it has unrestricted access to the data it holds. An attacker could modify or delete cached data, or read sensitive information such as login credentials for web applications or customer data.
Verification
To establish if a host has an openly accessible service on the Internet, utility programs included with a standard Linux/Ubuntu distribution can be used. The test should not be run on the host itself or from the local network but instead from a different node on the Internet.
In the following examples, replace the TARGET_IP with the IP address of the memcached host.
TCP
To confirm if a memcached server is openly accessible from the Internet via TCP, the utility program netcat can be used as follows:
$ echo "stats" | netcat TARGET_IP 11211
An openly accessible memcached server will return information similar to this output:
STAT pid 12716
STAT uptime 302
STAT time 1581331616
STAT version 1.4.25 Ubuntu
STAT libevent 2.0.21-stable
STAT pointer_size 64
STAT rusage_user 0.000000
STAT rusage_system 0.018605
STAT curr_connections 1
STAT total_connections 2
STAT connection_structures 2
STAT reserved_fds 20
STAT limit_maxbytes 67108864
STAT hash_bytes 524288
END
Note: In this example, the number of statistics displayed has been reduced.
If the memcached server is not openly accessible on the Internet, the utility program netcat will return an error message:
netcat: connect to TARGET_IP port 11211 (tcp) failed: Connection refused
or
netcat: connect to TARGET_IP port 11211 (tcp) failed: Connection timed out.
UDP
To confirm if the memcached server is openly accessible from the Internet via UDP, the utility program netcat can be used as follows:
$ echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | netcat -u TARGET_IP 11211
An openly accessible memcached server will return information similar to that which was shown above for TCP.
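The UDP check above can be scripted so that the reply is parsed rather than eyeballed. This is an added example, not part of the advisory: it frames the same "stats" command behind the 8-byte memcached UDP header (request id, sequence number, total datagrams, reserved), decodes the STAT lines in the answer, and reports whether an unauthenticated server responded. The function and field names are the example's own; run it against hosts you operate, from a node outside your network.

```python
import socket
import struct

# memcached UDP frame header: request id, sequence number, total datagrams, reserved;
# four big-endian 16-bit fields, i.e. the \x00\x00\x00\x00\x00\x01\x00\x00 prefix above.
UDP_HEADER = struct.Struct("!HHHH")

def build_stats_request(request_id: int = 0) -> bytes:
    """Frame the ASCII command "stats" as a single-datagram UDP request."""
    return UDP_HEADER.pack(request_id, 0, 1, 0) + b"stats\r\n"

def parse_udp_frame(datagram: bytes):
    """Split a memcached UDP datagram into header fields and ASCII payload."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than the 8-byte memcached UDP header")
    request_id, seq, total, _reserved = UDP_HEADER.unpack_from(datagram)
    return {"request_id": request_id, "seq": seq, "total": total}, datagram[UDP_HEADER.size:]

def parse_stats(payload: bytes) -> dict:
    """Collect 'STAT <name> <value>' lines into a dict, stopping at END."""
    stats = {}
    for line in payload.decode("ascii", "replace").split("\r\n"):
        if line == "END":
            break
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[0] == "STAT":
            stats[parts[1]] = parts[2]
    return stats

def udp_exposure_check(host: str, port: int = 11211, timeout: float = 3.0):
    """Send one stats request to a host you operate; None means no answer (UDP closed/filtered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_stats_request(), (host, port))
        try:
            datagram, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    header, payload = parse_udp_frame(datagram)
    stats = parse_stats(payload)
    # A populated STAT table means an unauthenticated memcached answered over UDP.
    return {"exposed": bool(stats), "version": stats.get("version"),
            "datagrams_in_reply": header["total"]}
```

Call udp_exposure_check("TARGET_IP") for the live check; a result of None corresponds to the netcat timeout case above, while a dict with exposed set to True matches the STAT output shown for TCP.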
Solution
- Do not expose a memcached server to the Internet.
- Ensure that Simple Authentication and Security Layer (SASL) authentication has been configured and enabled on the memcached server.
- Restrict access to the memcached server to trusted systems in the server’s configuration or within a trusted environment.
- On the firewall, block incoming connections from the Internet to ports 11211/TCP and 11211/UDP.
- Disable the UDP port. UDP is normally not required.
- The command $ memcached -U 0 starts memcached with UDP switched off. Alternatively, add the line -U 0 at the end of the file /etc/memcached.conf and restart the service to apply the change.
- If remote access is necessary, use a Virtual Private Network (VPN).
- Keep the memcached server installation up to date. Install security updates and software updates when they are released.
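To verify that the hardening steps above have actually landed in /etc/memcached.conf, the file can be audited for the two settings the advisory relies on: -U 0 (UDP off) and a -l bind address that is not every interface. This is an added example, not the advisory's own code; the sample configurations are constructed, and the option format (one memcached option per line, '#' comments) follows the Ubuntu packaging of memcached.conf.

```python
# Ubuntu's /etc/memcached.conf holds one memcached option per line
# (e.g. "-p 11211", "-l 127.0.0.1", "-U 0"); '#' starts a comment.
def parse_memcached_conf(text: str) -> dict:
    """Return {option: value} for the dash options set in a memcached.conf body."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("-"):
            continue
        parts = line.split(None, 1)
        options[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return options

def audit_memcached_conf(text: str) -> list:
    """Flag settings that leave memcached reachable from the Internet."""
    opts = parse_memcached_conf(text)
    findings = []
    # The advisory's fix is "-U 0": any other value, or no -U line at all, leaves UDP on.
    if opts.get("-U", "11211") != "0":
        findings.append("udp-enabled")
    # Without "-l <address>" (or with a wildcard address) memcached listens on every interface.
    listen = opts.get("-l", "")
    if not listen or listen.split(",")[0].strip() in ("0.0.0.0", "::"):
        findings.append("listens-on-all-interfaces")
    return findings

# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """\
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
"""

HARDENED_CONF = """\
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 127.0.0.1   # only local clients
-U 0           # UDP off, as recommended above
"""
```

Running audit_memcached_conf on the contents of a real /etc/memcached.conf returns an empty list only when both settings are present; each finding names the step in the Solution list that still needs to be applied.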
Supplementary Information
Ingress & Egress Filtering
| Filter | Description |
|---|---|
| Ingress Filtering | Ingress filtering is a simple and effective method to limit the impact of DoS attacks, by denying traffic with a forged IP source address (IP spoofing) access to the network, and to help ensure that traffic is traceable to its correct network. |
| Egress Filtering | Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations, by preventing traffic with a forged source (spoofed) IP address from leaving the network. |
The implementation of best practice in relation to Ingress filtering limits the impact of a Denial of Service (DoS) attack on one's own network, while the implementation of best practice in relation to Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations. Additional information on Ingress & Egress Filtering can be found at the following link:
Ingress & Egress Filtering
UDP Based Denial-of-Service (DoS) Attack
The User Datagram Protocol (UDP), a generic carrier for several higher-level protocols, has a number of properties that make it susceptible to exploitation for DoS attacks against third parties. Additional information on the components and techniques deployed in a UDP based DoS attack can be found at the following link:
UDP Based Denial-of-Service (DoS) Attack