What is Memcached
Memcached is a free, open source memory caching system that uses RAM to store small data objects (less than 1MB each), significantly reducing database load.
Memcached Exploit
Misconfigured servers running Memcached versions before 1.5.6 have been exploited to launch DDoS attacks.
The attack was first reported by Cloudflare on Tuesday the 27th of February 2018, after it noticed a significant increase in the number of DDoS attacks using UDP traffic amplified by Memcached servers.
Cloudflare proved that vulnerable memcached servers could respond to a single request with a response up to 51,200 times larger than the original request. For example, a 15-byte request could result in a 750kB response (51,200x amplification).
Scary, right?
How to check if your Memcached setup is vulnerable
SSH to your server and run the following:
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211
If the response is anything other than an empty line, your server can be exploited.
Most affected servers to date
Shodan's latest memcached exploit exposure report showed more than 72,687 vulnerable machines. Source IPs come from the following top hosting providers:
- Alibaba
- OVH
- Amazon
- Cloudradium
- Enzu
- Linode
How to fix the Memcached Exploit
The best way to mitigate the issue is to upgrade to Memcached version 1.5.6. You can also patch your current Memcached by disabling UDP (which was enabled by default) and allowing it to listen for requests only on localhost.
You can also globally disable UDP access from the outside to port 11211 through your firewall.
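To confirm the fix is actually in a server's startup options, the following added example (not from the original post or the Memcached project) audits an options file for the two settings described above. It assumes a one-option-per-line file in the style of Debian's /etc/memcached.conf, memcached's -U/--udp-port and -l/--listen options, and that UDP is on by default only before 1.5.6; the sample configurations are constructed.

```python
import re
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_options(conf_text):
    """Return (udp_port or None, [listen addresses]) from memcached options."""
    tokens = []
    for line in conf_text.splitlines():
        tokens += shlex.split(line, comments=True)  # drops '#' comments
    udp_port, listen = None, []
    it = iter(tokens)
    for tok in it:
        for short, long_opt in (("-U", "--udp-port"), ("-l", "--listen")):
            if tok in (short, long_opt):            # "-U 0"
                value = next(it, "")
            elif tok.startswith(long_opt + "="):    # "--udp-port=0"
                value = tok.split("=", 1)[1]
            elif tok.startswith(short):             # "-U0"
                value = tok[len(short):]
            else:
                continue
            if short == "-U":
                udp_port = int(value)
            else:
                listen += [a.strip() for a in value.split(",")]
    return udp_port, listen

def audit(conf_text, version):
    """Return a list of findings; an empty list matches the mitigation."""
    udp_port, listen = parse_options(conf_text)
    if udp_port is None:
        # No -U option: assume UDP is on by default before 1.5.6.
        parts = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
        udp_on = parts < (1, 5, 6)
    else:
        udp_on = udp_port != 0
    # Without -l, memcached listens on every interface.
    exposed = [a for a in listen if a not in LOOPBACK] if listen else ["all interfaces"]
    findings = []
    if udp_on:
        findings.append("UDP listener enabled")
    if exposed:
        findings.append("listens on: " + ", ".join(exposed))
    return findings

# Constructed sample configurations, not taken from any real host.
BEFORE = "-m 64\n-p 11211\n-u memcache\n-l 0.0.0.0\n"
AFTER = "# hardened\n-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1\n-U 0\n"
```

Calling audit(BEFORE, "1.4.25") reports both problems, while audit(AFTER, "1.4.25") returns an empty list.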