Memcached, a popular object caching system, is frequently used to reduce response times and the load on components throughout a deployment. The amplification attack targets Memcached deployments exposed on the public network using UDP.
In this tutorial we'll secure a Memcached server against the UDP amplification attacks that are common at the moment. If the server is behind a firewall, or the Memcached port is not reachable from the Internet, you are already safe from these attacks.
If your Memcached server is only used by the local host, add the line below: it disables UDP and makes Memcached listen only on the localhost address, so the server is no longer exposed on the Internet. The UDP protocol is legacy for Memcached and is no longer required; TCP is more secure and is what everyone uses with Memcached today.
How to Prevent Memcached abuse?
Configure a firewall :- Ensure that your Memcached service is reachable only from trusted hosts, and set up a firewall that blocks all access to the service from the public Internet. The default port used by Memcached is 11211, on both TCP and UDP.
Disable UDP :- Ensure that port 11211 is not open to the public; you can check this at https://portchecker.co/. If you are not using Memcached at all, disable the service.
Restrict Memcached to localhost :- One of the easiest ways to prevent your Memcached servers from being abused is to bind Memcached to localhost and disable UDP on source port 11211. You can adjust the service parameters of the Memcached servers as shown below.
[CentOS/RHEL Machines] – modify the file /etc/sysconfig/memcached and add the binding with -l, for example OPTIONS="-l 127.0.0.1"
Edit the memcached config file:
Code:
nano /etc/sysconfig/memcached
Add -l 127.0.0.1 -U 0 inside the OPTIONS="" quotes, like this:
Code:
OPTIONS="-l 127.0.0.1 -U 0"
At the end the file will look like this:
Code:
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1 -U 0"
If your Memcached server has to bind to a non-local IP address, add the following OPTIONS line instead, which only disables the UDP protocol:
Code:
OPTIONS="-U 0"
After that, restart the memcached service and you are done:
Code:
service memcached restart
[Debian and Ubuntu Machines] – the binding is set in the file /etc/memcached.conf with a line such as -l 127.0.0.1; the same file takes -U 0 on its own line to disable UDP.
Verify that Memcached is currently bound to the local interface and listening only for TCP by typing:
Code:
sudo netstat -plunt
Output
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
. . .
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 2383/memcached
. . .
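To tie the steps above together, here is an added POSIX shell example (not from the original post) that checks a sysconfig-style memcached file for the two settings discussed (-U 0 and -l 127.0.0.1), audits a netstat -plunt style listing for UDP sockets on 11211 bound to a non-loopback address, and emits an nftables ruleset that allows TCP 11211 only from a list of trusted hosts. The sample files and the listing are constructed inline; the function names, the table name memcached_guard and the trusted-host addresses are assumptions for illustration, not anything the post or the Memcached project defines.

```shell
#!/bin/sh
# Added example: audit Memcached exposure settings and generate a firewall
# ruleset. Sample inputs below are constructed for the demonstration.

# Return 0 when the OPTIONS= line of the given file contains "-U 0".
udp_disabled_in_config() {
    grep -E '^OPTIONS=' "$1" | grep -qE -- '(^|[" ])-U 0([" ]|$)'
}

# Return 0 when the OPTIONS= line binds to the loopback address.
bound_to_localhost() {
    grep -E '^OPTIONS=' "$1" | grep -qE -- '-l (127\.0\.0\.1|::1)([" ,]|$)'
}

# Take a netstat -plunt / ss -plunt style listing as $1. Print every UDP
# socket on port 11211 bound to a non-loopback address and return 1 if
# any exists; return 0 when the listing is safe.
listing_is_safe() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^udp/ && $4 ~ /:11211$/ && $4 !~ /^(127\.|\[?::1)/ {
            print "EXPOSED: " $0; bad = 1
        }
        END { exit bad + 0 }'
}

# Emit an nftables ruleset: accept TCP 11211 from the trusted hosts given
# as arguments, drop all other TCP and UDP traffic to 11211. Loading it
# (e.g. nft -f file) is left to the operator; the table name is our choice.
memcached_nft_ruleset() {
    echo 'table inet memcached_guard {'
    echo '    chain input {'
    echo '        type filter hook input priority 0; policy accept;'
    echo '        iifname "lo" accept'
    if [ "$#" -gt 0 ]; then
        hosts=$(printf '%s, ' "$@"); hosts=${hosts%, }
        echo "        ip saddr { $hosts } tcp dport 11211 accept"
    fi
    echo '        tcp dport 11211 drop'
    echo '        udp dport 11211 drop'
    echo '    }'
    echo '}'
}

# Constructed sample config files in the /etc/sysconfig/memcached format.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'PORT="11211"\nUSER="memcached"\nMAXCONN="1024"\nCACHESIZE="64"\nOPTIONS=""\n' \
    > "$SAMPLE_DIR/memcached.bad"
printf 'PORT="11211"\nUSER="memcached"\nMAXCONN="1024"\nCACHESIZE="64"\nOPTIONS="-l 127.0.0.1 -U 0"\n' \
    > "$SAMPLE_DIR/memcached.good"

# Constructed listings: one loopback TCP only, one with UDP on every address.
SAFE_LISTING='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      2383/memcached'
EXPOSED_LISTING='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      2383/memcached
udp        0      0 0.0.0.0:11211           0.0.0.0:*                           2383/memcached'

# Stand-alone run: report on the constructed inputs.
for f in "$SAMPLE_DIR/memcached.good" "$SAMPLE_DIR/memcached.bad"; do
    if udp_disabled_in_config "$f" && bound_to_localhost "$f"; then
        echo "OK      $f"
    else
        echo "EXPOSED $f (need OPTIONS=\"-l 127.0.0.1 -U 0\" or at least -U 0)"
    fi
done
listing_is_safe "$SAFE_LISTING" && echo "OK      listing: loopback TCP only"
listing_is_safe "$EXPOSED_LISTING" || echo "EXPOSED listing: UDP 11211 on 0.0.0.0"
memcached_nft_ruleset 10.0.0.5 10.0.0.6
```

Run it on a real host by pointing udp_disabled_in_config at /etc/sysconfig/memcached and feeding listing_is_safe the output of netstat -plunt (or ss -plunt); a non-zero exit from either means the UDP exposure the post warns about is still present. The ruleset generator is deliberately separate from anything that loads it, so you can review the generated text before applying it to your own firewall.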
References –
http://memcached.org/
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/