Preventing DDoS amplification attacks using memcached [source: redhat]

Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7

Issue

  • memcached is being used in DDoS amplification attacks
  • I’m concerned about news of DDoS attacks using memcached

Resolution

Red Hat is aware of DDoS (Distributed Denial of Service) amplification attacks being performed by exploiting memcached servers exposed to the public Internet. These attacks take advantage of memcached communication using the UDP protocol for transport. The attack is effective because of the high amplification ratio – a request with the size of a few hundred bytes can generate a response of a few megabytes or even hundreds of megabytes in size. This issue was assigned CVE-2018-1000115.

It should be very rare for a memcached service to need to be exposed to the public Internet. Such exposure carries its own security problems, as it may allow remote attackers to leak or modify information stored in memcached.

Default memcached configuration in Red Hat products

The memcached packages as shipped with Red Hat Enterprise Linux 6 and 7 use the following default configuration:

  • memcached listens on all network interfaces
  • both TCP and UDP transports are enabled
  • no authentication is required to access memcached
  • the service is not enabled automatically after package installation – it has to be manually enabled or started by the system administrator
  • the default firewall configuration does not allow remote access to memcached

The following actions can be taken to secure memcached installations and prevent their use in DDoS attacks.

Configure a firewall

Set up a firewall to ensure your memcached service is only accessible from the trusted hosts that require access to the service. Block all access to the service from the public Internet.

The default port used by memcached is 11211, both TCP and UDP.

Disable UDP

If your memcached deployment does not depend on the use of UDP transport protocol, disable connections over UDP and only allow TCP connections. This restriction can be achieved using the firewall configuration as noted above, or by configuring memcached to not listen on the UDP port.

If memcached is started with the “-U 0” option, it will not listen on the UDP port. This setting can be made permanent by modifying the OPTIONS value in the /etc/sysconfig/memcached configuration file.
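As an added example (not part of the Red Hat article), the following POSIX shell functions audit an /etc/sysconfig/memcached file for the "-U 0" setting described above, add it when it is missing, and check after a service restart whether anything is still bound to UDP port 11211. The sample file contents and temporary paths are constructed for illustration; point the functions at the real file on a host you administer.

```shell
#!/bin/sh
# Audit and amend the memcached UDP setting in an /etc/sysconfig/memcached file
# (RHEL 6/7 layout: an OPTIONS="..." line appended to the memcached command line).

# Print the value of the last OPTIONS="..." line in the file (empty if absent).
memcached_options() {
    sed -n 's/^OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Return 0 when OPTIONS turns the UDP listener off ("-U 0" or "-U0"), 1 otherwise.
# As in memcached's own option parsing, the last -U on the line wins.
memcached_udp_disabled() {
    udp_port=11211                      # memcached's default UDP port when -U is absent
    set -- $(memcached_options "$1")    # split OPTIONS into words, as the init script does
    while [ $# -gt 0 ]; do
        case "$1" in
            -U)  if [ $# -gt 1 ]; then shift; fi; udp_port="$1" ;;
            -U*) udp_port="${1#-U}" ;;
        esac
        shift
    done
    [ "$udp_port" = "0" ]
}

# Add "-U 0" to OPTIONS in place; a file that already disables UDP is left untouched.
# The file is rewritten through its existing inode so ownership and SELinux label survive.
memcached_disable_udp() {
    cfg="$1"
    if memcached_udp_disabled "$cfg"; then return 0; fi
    opts=$(memcached_options "$cfg")
    grep -v '^OPTIONS="' "$cfg" > "$cfg.tmp" || true   # grep exits 1 when nothing remains
    cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
    printf 'OPTIONS="%s-U 0"\n' "${opts:+$opts }" >> "$cfg"
}

# Live check after restarting the service: is anything still bound to UDP 11211?
# Returns 0 (exposure still present) when a listener is found, 1 otherwise.
memcached_udp_listening() {
    ss -lun 2>/dev/null | awk '$4 ~ /:11211$/ { found = 1 } END { exit !found }'
}

# Demonstration on a constructed copy of the stock RHEL file, not the live system.
demo=$(mktemp)
printf 'PORT="11211"\nUSER="memcached"\nMAXCONN="1024"\nCACHESIZE="64"\nOPTIONS=""\n' > "$demo"
memcached_disable_udp "$demo"
grep '^OPTIONS=' "$demo"        # OPTIONS="-U 0"
rm -f "$demo"
```

After editing the real file, restart the service and run memcached_udp_listening to confirm the UDP listener is gone; the firewall rule for port 11211 described above is still needed for the TCP side.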
