CERT-Bund Reports:

Openly accessible Memcached servers

Memcached is an open-source distributed memory object caching system which is generic in nature but often used for speeding up dynamic web applications. In the default configuration, memcached listens on port 11211/tcp and (up to and including version 1.5.5) also on port 11211/udp.

Problem

Memcached servers openly accessible from anywhere on the Internet via UDP are regularly abused for DDoS reflection attacks against third parties. Because the server's reply to a small request can be many times larger than the request itself, extremely high amplification factors can be achieved, which poses a serious security threat.

If a memcached server is openly accessible from the Internet via TCP or UDP and no SASL authentication has been configured, anyone who can connect to the server has unrestricted access to the data stored on it. This allows attackers to modify or delete any data or potentially steal sensitive information like login credentials for web applications or customer data from online shops.

Verification

In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 192.168.45.67 with the IP address of the host to check.

TCP

To check if a Memcached server is openly accessible from the Internet via TCP, you can use 'netcat' as follows:

$ echo "stats" | netcat 192.168.45.67 11211

An openly accessible Memcached server will return information like this:

STAT pid 1090
STAT uptime 1808125
STAT time 1483622758
STAT version 1.4.14 (Ubuntu)
STAT libevent 2.0.21-stable
STAT pointer_size 64
STAT rusage_user 57.424253
STAT rusage_system 54.322505
STAT curr_connections 5
STAT total_connections 643
STAT connection_structures 9
STAT reserved_fds 20

Otherwise, netcat will return an error message:

netcat: connect to 192.168.45.67 port 11211 (tcp) failed: Connection refused

or

netcat: connect to 192.168.45.67 port 11211 (tcp) failed: Connection timed out

UDP

To check if a Memcached server is openly accessible from the Internet via UDP, you can use 'netcat' as follows:

$ echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | netcat -u 192.168.45.67 11211

An openly accessible Memcached server will return information like that shown above for the TCP check.
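The two netcat checks above, combined into one script that a server operator can run against their own host from an outside node, as an added example (it is not part of the CERT-Bund report): it builds the same 8-byte UDP frame header the UDP command sends, parses the STAT lines of the reply, and reports whether the TCP and UDP ports answered. The sample response is constructed from the STAT lines shown above, and 192.168.45.67 is the report's placeholder address, to be replaced by the address of the host to check.

```python
import socket

# Constructed sample of what an open server answers to "stats": a few of the
# STAT lines from the report above, terminated by END as memcached does.
SAMPLE_RESPONSE = (
    b"STAT pid 1090\r\n"
    b"STAT uptime 1808125\r\n"
    b"STAT version 1.4.14 (Ubuntu)\r\n"
    b"STAT curr_connections 5\r\n"
    b"END\r\n"
)


def udp_frame(payload: bytes, request_id: int = 0) -> bytes:
    """Prefix a command with memcached's 8-byte UDP frame header: request id,
    sequence number, number of datagrams, reserved (each a big-endian 16-bit
    value). For a one-datagram request the sequence is 0 and the count is 1,
    which yields exactly the byte string the netcat example above sends."""
    return request_id.to_bytes(2, "big") + b"\x00\x00" + b"\x00\x01" + b"\x00\x00" + payload


def parse_stats(data: bytes) -> dict:
    """Turn 'STAT <name> <value>' lines into a dict, stopping at END.
    Values keep their inner spaces (e.g. '1.4.14 (Ubuntu)')."""
    stats = {}
    for line in data.decode("ascii", errors="replace").splitlines():
        if line == "END":
            break
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[0] == "STAT":
            stats[parts[1]] = parts[2]
    return stats


def check_tcp(host: str, port: int = 11211, timeout: float = 5.0):
    """Send 'stats' over TCP; return the parsed stats, or None if the port is
    closed, filtered, or does not speak the memcached text protocol."""
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"stats\r\n")
            while b"END\r\n" not in buf:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
    except OSError:  # connection refused, timed out, unreachable
        return None
    return parse_stats(buf) or None


def check_udp(host: str, port: int = 11211, timeout: float = 5.0):
    """Send one framed 'stats' datagram over UDP. Any reply means the UDP port
    is open. Replies may span several datagrams, each carrying its own 8-byte
    header, so the header is stripped from each one (datagrams are assumed to
    arrive in order; the check only needs to know whether anything came back)."""
    buf = b""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(udp_frame(b"stats\r\n"), (host, port))
            while b"END\r\n" not in buf:
                data, _ = s.recvfrom(65535)
                buf += data[8:]
        except OSError:  # socket.timeout is an OSError; also ICMP unreachable
            pass
    return parse_stats(buf) or None


def summarize(tcp_stats, udp_stats) -> dict:
    """Reduce the two checks to the findings that matter for this report."""
    any_stats = tcp_stats or udp_stats or {}
    return {
        "tcp_open": tcp_stats is not None,
        "udp_open": udp_stats is not None,
        "version": any_stats.get("version"),
    }


if __name__ == "__main__":
    import sys
    # 192.168.45.67 is the placeholder used throughout the report
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.45.67"
    print(summarize(check_tcp(host), check_udp(host)))
```

A result of `udp_open: True` is the finding that matters most for the reflection problem described above; `tcp_open: True` without SASL means the data on the server is readable and writable by anyone who can reach it.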

Solution

  • Do not expose your Memcached server to the Internet!
  • Restrict access to the Memcached server to trusted systems (e.g., the web application server) in the server's configuration and/or by blocking incoming connections from the Internet to ports 11211/tcp and 11211/udp on the firewall.
  • The UDP port is usually not required. Start memcached with option '-U 0' to disable it.
  • Keep your Memcached installation up-to-date. Install available security updates as soon as possible.
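A small audit of the memcached start options, as an added example (not from the CERT-Bund report) that checks a configuration for the two problems above: binding to all interfaces and leaving the UDP listener enabled. It assumes the Debian/Ubuntu packaging format for /etc/memcached.conf, where each memcached option is on its own line; the two sample files are constructed, the "weak" one leaving both problems in place and the "hardened" one applying the report's advice with '-l 127.0.0.1' and '-U 0'.

```python
import ipaddress

# Constructed Debian/Ubuntu-style memcached.conf (one option per line). The
# file format is an assumption about the packaging, not part of the report.
WEAK_CONF = """\
# memcached default config (constructed sample, no -l and no -U)
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
"""

HARDENED_CONF = """\
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-U 0
"""


def parse_options(conf: str) -> dict:
    """Collect memcached options into {flag: [values]}. Flags without an
    argument (-d) get an empty value; repeated flags (-l may appear more than
    once) accumulate. Non-option lines such as 'logfile ...' are ignored."""
    options = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or not line.startswith("-"):
            continue
        parts = line.split(None, 1)
        options.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return options


def is_public_listener(addr: str) -> bool:
    """True if a -l value would accept connections from anywhere. memcached
    accepts 'addr', 'addr:port', '[v6addr]:port' and comma-separated lists."""
    for item in addr.split(","):
        item = item.strip()
        if item.startswith("[") and "]" in item:      # bracketed IPv6 with port
            item = item[1:item.index("]")]
        elif item.count(":") == 1:                     # IPv4 with ':port'
            item = item.split(":")[0]
        try:
            ip = ipaddress.ip_address(item)
        except ValueError:
            return True   # a hostname we cannot classify: report it
        if ip.is_unspecified or not (ip.is_loopback or ip.is_private):
            return True
    return False


def audit_config(conf: str) -> list:
    """Return findings (an empty list means nothing found) for the two
    exposure problems in the report: Internet-reachable binding and UDP."""
    opts = parse_options(conf)
    findings = []
    if "-l" not in opts:
        findings.append("no -l: memcached binds all interfaces; bind to a trusted "
                        "address and firewall 11211/tcp and 11211/udp")
    elif any(is_public_listener(v) for v in opts["-l"]):
        findings.append("-l bound to a public or unspecified address: restrict "
                        "to loopback or the application network")
    if "-U" not in opts:
        findings.append("no -U: the UDP listener stays enabled by default on "
                        "versions up to 1.5.5; add '-U 0'")
    elif opts["-U"][-1].strip() != "0":
        findings.append("-U %s: UDP listener enabled; set '-U 0' unless UDP is "
                        "really needed" % opts["-U"][-1].strip())
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_config(conf) or ["ok"])
```

A clean result from this audit is not a substitute for the firewall rule in the second point above: binding to a private (non-loopback) address still exposes the service to every host that can route to that address, and the same options apply when memcached is started by hand or from a service unit rather than from this file.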

Further information