What is Memcached
Memcached is a free and open-source memory caching system that uses RAM to store small data objects (less than 1MB each), significantly reducing database load.
Memcached Exploit
Memcached versions before 1.5.6 have been exploited: misconfigured Memcached servers could be used to launch DDoS attacks.
Cloudflare first reported the attack on Tuesday, the 27th of February, 2018, after noticing a significant increase in DDoS attacks using UDP amplified by Memcached servers.
Cloudflare proved that vulnerable Memcached servers could answer a single request with a response up to 51,200 times larger than the request itself. So, as an example, a 15-byte request could result in a 750kB response (51,200x amplification).
Scary, right?
How to check if your Memcached setup is vulnerable
SSH to your server and run the following:
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211
If the response is anything other than an empty line, then your server can be exploited.
Most affected servers are up to date
Shodan's latest Memcached exposure report showed that more than 72,687 machines are vulnerable. Source IPs come from the following top hosting providers:
- Alibaba
- OVH
- Amazon
- Cloudradium
- Enzu
- Linode
How to fix the Memcached Exploit
The best way to mitigate the issue is to upgrade to Memcached version 1.5.6. You can also patch your current Memcached setup by disabling UDP (enabled by default) and listening for requests only on localhost.
You can also globally disable UDP access from the outside to port 11211 through your firewall.
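One way to audit a configuration file for the two settings above, added here as an example and not taken from the original post. It assumes a Debian-style memcached.conf with one option per line (-U for the UDP port, -l for the listen address); the function name audit_memcached_conf and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Audit a Debian-style memcached.conf (one option per line, '#' comments).
# Prints one finding per setting; returns 0 if hardened, 1 otherwise.
audit_memcached_conf() {
    conf=$1
    udp=unset
    listen=unset
    # Strip comments, then read "flag value" pairs. -U and -u differ by case.
    while read -r flag value rest; do
        case $flag in
            -U) udp=$value ;;
            -l) listen=$value ;;
        esac
    done <<EOF
$(sed 's/#.*//' "$conf")
EOF
    rc=0
    case $udp in
        0)     echo "OK   UDP disabled (-U 0)" ;;
        unset) echo "WARN no -U line: UDP is on by default before 1.5.6"; rc=1 ;;
        *)     echo "FAIL UDP enabled on port $udp"; rc=1 ;;
    esac
    # Anything other than a single loopback address is flagged for review.
    case $listen in
        127.0.0.1|::1|localhost) echo "OK   listening on $listen only" ;;
        unset) echo "FAIL no -l line: listening on all interfaces"; rc=1 ;;
        *)     echo "FAIL listening on $listen"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample config (not from a real host): UDP left at its default,
# listener bound to every interface.
sample=$(mktemp)
printf '%s\n' '# constructed sample' '-m 64' '-p 11211' '-u memcache' \
    '-l 0.0.0.0' > "$sample"
audit_memcached_conf "$sample" || echo "-> $sample is not hardened"
rm -f "$sample"
```

Run it against your own file, for example audit_memcached_conf /etc/memcached.conf, and restart Memcached after adding -U 0 and -l 127.0.0.1.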