Preventing DDoS amplification attacks using memcached

Solution Unverified

Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7

Issue

  • memcached is being used in DDoS amplification attacks
  • I'm concerned about news of DDoS attacks using memcached

Resolution

Red Hat is aware of DDoS (Distributed Denial of Service) amplification attacks being performed by exploiting memcached servers exposed to the public Internet. These attacks take advantage of memcached communication using the UDP protocol for transport. The attack is effective because of the high amplification ratio - a request with the size of a few hundred bytes can generate a response of a few megabytes or even hundreds of megabytes in size. This issue was assigned CVE-2018-1000115.

It should be very rare for a memcached service to need to be exposed to the public Internet. Such exposure has its own security problems, since it allows remote attackers to leak or modify the information stored in memcached.

Default memcached configuration in Red Hat products

The memcached packages as shipped with Red Hat Enterprise Linux 6 and 7 use the following default configuration:

  • memcached listens on all network interfaces
  • both TCP and UDP transports are enabled
  • no authentication is required to access memcached
  • the service is not enabled automatically after package installation - it has to be manually enabled or started by the system administrator
  • the default firewall configuration does not allow remote access to memcached

The following actions can be taken to secure memcached installations and prevent their use in DDoS attacks.

Configure a firewall

Set up a firewall to ensure your memcached service is only accessible from the trusted hosts that require access to the service. Block all access to the service from the public Internet.

The default port used by memcached is 11211, both TCP and UDP.

Disable UDP

If your memcached deployment does not depend on the use of UDP transport protocol, disable connections over UDP and only allow TCP connections. This restriction can be achieved using the firewall configuration as noted above, or by configuring memcached to not listen on the UDP port.

If memcached is started with the "-U 0" option, it will not listen on the UDP port. This setting can be made permanent by modifying the OPTIONS value in the /etc/sysconfig/memcached configuration file.

This is the default /etc/sysconfig/memcached configuration in Red Hat Enterprise Linux 6 and 7:

PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS=""

UDP transport can be disabled by changing the OPTIONS line to:

OPTIONS="-U 0"

Restrict memcached to localhost

If the memcached service only needs to be accessed by other services running on the same server, restrict remote access to memcached. In addition to the firewall configuration noted above, this can be achieved by configuring memcached to listen only on the loopback interface using the "-l 127.0.0.1" option. This setting can be made permanent by modifying the OPTIONS value in the /etc/sysconfig/memcached configuration file to:

OPTIONS="-l 127.0.0.1"

You can both disable UDP and only listen for connections from localhost using the following OPTIONS setting:

OPTIONS="-U 0 -l 127.0.0.1"
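As an added check that is not part of the Red Hat solution, the following POSIX shell script audits a sysconfig file for the two OPTIONS settings described above (UDP disabled with "-U 0", loopback-only with "-l 127.0.0.1"); the function names and the sample file it writes to a temporary path are constructed for this example.

```shell
#!/bin/sh
# Audit a /etc/sysconfig/memcached style file for the two DDoS-amplification
# mitigations: UDP disabled (-U 0) and listening restricted to 127.0.0.1.
# Exit status of memcached_audit is 0 only when both settings are present.

memcached_options() {
    # Extract the value inside OPTIONS="..." (last occurrence wins, as in the shell)
    sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$1" | tail -n 1
}

memcached_udp_disabled() {
    # "-U 0" (or "-U0") tells memcached not to open the UDP port at all
    printf ' %s \n' "$1" | grep -Eq -- ' -U *0 '
}

memcached_loopback_only() {
    # "-l 127.0.0.1" binds the listener to loopback; a trailing comma allows
    # "-l 127.0.0.1,::1" style lists to pass as well
    printf ' %s \n' "$1" | grep -Eq -- ' -l *127\.0\.0\.1[ ,]'
}

memcached_audit() {
    opts=$(memcached_options "$1")
    rc=0
    if memcached_udp_disabled "$opts"; then
        echo "OK:   UDP transport disabled (-U 0)"
    else
        echo "WARN: UDP transport enabled; add -U 0 to OPTIONS"
        rc=1
    fi
    if memcached_loopback_only "$opts"; then
        echo "OK:   listening on loopback only (-l 127.0.0.1)"
    else
        echo "WARN: listening on all interfaces; add -l 127.0.0.1 if only local clients need access"
        rc=1
    fi
    return $rc
}

# Demo on a constructed copy of the RHEL 6/7 default file, not the live system file
demo=$(mktemp)
printf 'PORT="11211"\nUSER="memcached"\nMAXCONN="1024"\nCACHESIZE="64"\nOPTIONS=""\n' > "$demo"
memcached_audit "$demo" || true   # default config reports two WARN lines
rm -f "$demo"
```

On a live host, compare the file audit with what is actually bound: after restarting memcached with "-U 0", `ss -lun | grep 11211` should print nothing, because no UDP socket is opened.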

Further information

More detailed advice on memcached configuration can be found in this solution.

A recommended good practice to recognize and stop such behaviour is network traffic baselining, analysis, and alerting on or blocking anomalous traffic for any systems holding critical information. Network traffic can be managed and inappropriate access can be stopped using tools like iptables and firewalld.

Other security and configuration options for Red Hat products can be found in the documentation and security guides in the Documentation section of the Customer Portal.

Root Cause

Memcached is a high-performance distributed memory object caching system, engineered to store and deliver data objects over the network at blazing speeds. It is meant to greatly speed up web and database applications, and as such is usually deployed in internal, restricted networks. In its default configuration, memcached also services requests over the UDP protocol, without any kind of authentication or verification of the source addresses.

This means that, when exposed to the public Internet, a memcached server with default configuration allows attackers to store large objects in it, and then forge requests from victim IP addresses, achieving a great amplification factor for Distributed Denial of Service (DDoS) attacks.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
