Preventing DDoS amplification attacks using memcached

Solution Unverified - Updated -

Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7

Issue

  • memcached is being used in DDoS amplification attacks
  • I'm concerned about news of DDoS attacks using memcached

Resolution

Red Hat is aware of DDoS (Distributed Denial of Service) amplification attacks being performed by exploiting memcached servers exposed to the public Internet. These attacks take advantage of memcached communication using the UDP protocol for transport. The attack is effective because of the high amplification ratio - a request with the size of a few hundred bytes can generate a response of a few megabytes or even hundreds of megabytes in size. This issue was assigned CVE-2018-1000115.

It should be very rare for a memcached service to need to be exposed to the public Internet. Such exposure may have their own security problems, allowing remote attackers to leak or modify information stored in memcached.

Default memcached configuration in Red Hat products

The memcached packages as shipped with Red Hat Enterprise Linux 6 and 7 use the following default configuration:

  • memcached listens on all network interfaces
  • both TCP and UDP transports are enabled
  • no authentication is required to access memcached
  • the service is not enabled automatically after package installation - it has to be manually enabled or started by the system administrator
  • the default firewall configuration does not allow remote access to memcached

The following actions can be taken to secure memcached installations and prevent their use in DDoS attacks.

Configure a firewall

Set up a firewall to ensure your memcached service is only accessible from the trusted hosts that require access to the service. Block all access to the service from the public Internet.

The default port used by memcached is 11211, both TCP and UDP.

Disable UDP

If your memcached deployment does not depend on the use of UDP transport protocol, disable connections over UDP and only allow TCP connections. This restriction can be achieved using the firewall configuration as noted above, or by configuring memcached to not listen on the UDP port.

If memcached is started with the "-U 0" option, it will not listen on the UDP port. This setting can be made permanent by modifying the OPTIONS value in the /etc/sysconfig/memcached configuration file.

This is the default /etc/sysconfig/memcached configuration in Red Hat Enterprise Linux 6 and 7:

PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS=""

UDP transport can be disabled by changing the OPTIONS line to:

OPTIONS="-U 0"

Restrict memcached to localhost

If the memcached service only needs to be accessed from other services running on the same server, restrict the access to memcached from remote. In addition to the firewall configuration as noted above, this can be achieved by configuring memcached to only listen on the loopback interface using the "-l 127.0.0.1" option. This setting can be made permanent by modifying the OPTIONS value in the /etc/sysconfig/memcached configuration file to:

OPTIONS="-l 127.0.0.1"

You can both disable UDP and only listen for connections from local host using the following OPTIONS setting:

OPTIONS="-U 0 -l 127.0.0.1"

Further information

More detailed advice on memcached configuration can be found in this solution.

A recommended good practice to recognize and stop such behaviour is network traffic baseline, analysis, and anomalous traffic alerting/blocking for any systems holding critical information. Network traffic can be managed and inappropriate access can be stopped using tools like iptables and firewalld.

Other security and configuration options for Red Hat products can be found in the documentation and security guides in the Documentation section of the Customer Portal.

Root Cause

Memcached is a high-performance distributed memory object caching system, engineered to store and deliver data objects over the network at blazing speeds. It is meant to greatly speed up web and database applications, and as such is usually deployed in internal, restricted networks. In its default configuration, memcached also services requests over the UDP protocol, without any kind of authentication or verification of the source addresses.

This means that, when exposed to the public Internet, a memcached server with default configuration allows attackers to store large objects in it, and then forge requests from victim IP addresses, achieving a great amplification factor for Distributed Denial of Service (DDoS) attacks.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.