How to Secure Memcached Servers and Prevent DDoS Attacks

A new kind of DDoS attack that abuses Memcached has been spreading. Memcached is an open-source object caching system originally intended to speed up dynamic websites; it reduces the load on heavier data stores such as disk or databases.
The Memcached weakness was recently discovered by researchers at Cloudflare, Arbor Networks, and Qihoo 360.
The attacks abuse Memcached's UDP support through an attack method known as UDP reflection.

An attacker capable of IP spoofing can send a UDP request to an open Memcached server's UDP port, and the reply goes to the spoofed address. Attackers can also connect and add data to the cache to amplify the magnitude of the attack.

In this tutorial, we will take the necessary steps to secure your Memcached server.

Requirements

  • 15 minutes time
  • SSH root access
  • Basic Server Knowledge
  • Firewall

How to secure Memcached servers?

1. Configure firewall

If Memcached needs to be accessed remotely, whitelisting the IPs that are allowed to connect is the best solution.

Using iptables:

Enter the following commands at the command line:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp -s IP_OF_REMOTE_SERVER/32 --dport 11211 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -P INPUT DROP

After whitelisting the IPs allowed to access Memcached, we must rebind the service to use the interface we wish for it to communicate on.

Ubuntu:

sudo nano /etc/memcached.conf

Change the IP on this line to represent the IP of the interface on your server:

-l x.x.x.x

Then restart the service to apply the settings:

sudo service memcached restart

On CentOS based servers:

nano /etc/sysconfig/memcached

Change the IP following the -l flag to that of your server’s interface:

OPTIONS="-l x.x.x.x -U 0"

Restart the service to apply the settings:

service memcached restart

2. Disable UDP

The Memcached server listens on TCP and UDP port 11211. The fix is to make sure port 11211 is not reachable from the public internet, and to disable UDP entirely if it is not needed.

To disable UDP and listen only on 127.0.0.1 (loopback) and 172.16.3.1 (an internal interface), add the following to the Memcached config file. On CentOS/RHEL/Fedora Linux the file is /etc/sysconfig/memcached:

OPTIONS="-U 0 -l 127.0.0.1,172.16.3.1"

On Debian/Ubuntu Linux, append the following to /etc/memcached.conf:

-U 0
-l 127.0.0.1,172.16.3.1

Where,

  • -U 0 : Listen on UDP port {num}; the default is port 11211. Set it to 0 to turn it off, i.e. disable UDP if it is NOT needed.
  • -l 127.0.0.1,172.16.3.1 : Specify which IP addresses to listen on. The default is to listen on all IP addresses. This parameter is one of the only security measures that Memcached has, so make sure it is listening on a firewalled interface.
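To verify that steps 1 and 2 actually took effect, the following audit script is added here as an example (it is not part of the original tutorial). It checks the two things the tutorial changes: whether a UDP listener on 11211 is still present (parsed from "ss -uln" output), and whether the config file disables UDP with -U 0 and binds with -l to specific addresses rather than a wildcard. The ss output and config files embedded in the script are constructed samples so it runs offline; the function names and the assumption that "Local Address:Port" is the fourth column of ss output are the example's own.

```shell
#!/bin/sh
# Added audit script (example code, not from the original tutorial).
# Sample inputs below are CONSTRUCTED so the script runs offline.

# Constructed "ss -uln" output: UDP 11211 bound to all interfaces.
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:11211      0.0.0.0:*
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*'

# Constructed "ss -uln" output: no UDP 11211 listener at all.
SAMPLE_SS_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*'

# Constructed /etc/sysconfig/memcached (CentOS style) matching the tutorial.
SAMPLE_CONF_CENTOS_GOOD='PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-U 0 -l 127.0.0.1,172.16.3.1"'

# Constructed /etc/memcached.conf (Ubuntu style): UDP left on, bound everywhere.
SAMPLE_CONF_UBUNTU_BAD='# memcached default config
-m 64
-p 11211
-u memcache
-l 0.0.0.0'

# check_udp_11211: read "ss -uln" output on stdin. Prints every UDP socket on
# port 11211 and returns 1 if one exists (reflection is possible), else 0.
check_udp_11211() {
    awk '
        NR > 1 && $1 == "UNCONN" {
            n = split($4, parts, ":"); port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == "11211") {
                found = 1
                msg = "UDP 11211 listener on " addr
                if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
                    msg = msg " (ALL interfaces)"
                print msg
            }
        }
        END { if (found) exit 1 }'
}

# check_memcached_conf: read a memcached config on stdin (either the Ubuntu
# one-flag-per-line layout or the CentOS OPTIONS="..." line). Returns 0 only if
# UDP is disabled with -U 0 and -l names no wildcard address.
check_memcached_conf() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            line = $0
            sub(/^[ \t]*OPTIONS=/, "", line)     # CentOS: unwrap OPTIONS=
            gsub(/"/, "", line)
            n = split(line, t, /[ \t]+/)
            for (i = 1; i < n; i++) {
                if (t[i] == "-U") { udp = t[i + 1]; seen_u = 1 }
                if (t[i] == "-l") { listen = t[i + 1]; seen_l = 1 }
            }
        }
        END {
            ok = 1
            if (!seen_u || udp != "0") { print "UDP not disabled: add -U 0"; ok = 0 }
            if (!seen_l) { print "no -l given: memcached listens on all addresses"; ok = 0 }
            else {
                m = split(listen, a, ",")
                for (j = 1; j <= m; j++)
                    if (a[j] == "0.0.0.0" || a[j] == "::" || a[j] == "*") {
                        print "-l includes wildcard address " a[j]; ok = 0
                    }
            }
            if (ok) print "config ok: UDP off, bound to " listen
            if (!ok) exit 1
        }'
}

# Stand-alone run: audit the constructed samples, then the live host if ss exists.
printf '%s\n' "$SAMPLE_SS_EXPOSED" | check_udp_11211 || echo "-> exposed sample flagged"
printf '%s\n' "$SAMPLE_CONF_CENTOS_GOOD" | check_memcached_conf
printf '%s\n' "$SAMPLE_CONF_UBUNTU_BAD" | check_memcached_conf || echo "-> bad config flagged"
if command -v ss >/dev/null 2>&1; then
    ss -uln 2>/dev/null | check_udp_11211 || echo "-> fix: set -U 0, rebind with -l, restart memcached"
fi
```

On a real host, run "ss -uln | check_udp_11211" after restarting the service and "check_memcached_conf < /etc/memcached.conf" (or "< /etc/sysconfig/memcached") before it; both must return 0 before the firewall rules from step 1 are considered sufficient on their own. Note that Memcached 1.5.6 and later ship with UDP disabled by default, so an explicit -U 0 mostly matters on older packages, but keeping it in the config is harmless and makes the intent auditable.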

References –
http://memcached.org/
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
