How To Secure Memcached?

Memcrashed works by exploiting the memcached program. Memcached is an open-source, high-performance, distributed, object-caching system. It’s commonly used by social networks such as Facebook and its creator LiveJournal as an in-memory key-value store for small chunks of arbitrary data. It’s the program that enables them to handle their massive data I/O. It’s also used by many to cache their web-server-session data to speed up their sites — and that’s where the trouble starts.

When a server receives a memcached get request, it collects the requested values from memory to form a response. It then sends over the internet in an uninterrupted stream of multiple UDP packets, each with a length of up to 1,400 bytes.

The attacker can load large values into the data store and then use them in attacks. So, even with just a single megabyte stored value, the attacker uses a spoofed UDP packet request to ask for that 1MB of data to be sent hundreds of times per request over memcached’s default 11211 UDP port.

More info about attack: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

So what can you do?

If you’re running memcached, according to SANS you should harden your memcached server by taking the following steps:

If you’re running memcached, you should also disable UDP support if you are not using it. As a potential victim, you should also close off port 11211.