On March 3rd, the National Internet Emergency Response Center of China (CNCERT) issued a notice about memcached servers being abused to carry out DDoS attacks. The memcached server weakness was already being exploited by attackers. One of my servers also had this weakness, so I will share the method I used to plug it.

Principle of Attack

The Memcached reflection attack exploits the lack of authentication and the design of the large number of Memcached servers (a distributed caching system) that have been exposed on the Internet. By sending UDP packets carrying specific commands (stats, SET/GET) to the default port 11211 of a Memcached server, with the source address forged as the victim's IP, the attacker makes the Memcached server reflect responses many times larger than the original packets back to the victim's IP address (up to 50,000 times in theory; continuous tracking has observed an average amplification of attack traffic of about 100 times), thus carrying out a reflection attack.

The Memcached service was meant for internal access only, so by default it listens on all addresses and its security restrictions are weak. Attackers take advantage of this to find Memcached instances with open ports on the Internet.

The caching service was never designed to be Internet-accessible and requires no authentication. But some administrators, as well as some Linux installations by default, have left TCP or UDP port 11211 open to Internet-borne requests.

Mitigation

The Internet Emergency Response Center offers three suggestions:

1. Configure a firewall policy on the Memcached server or the network devices in front of it so that only authorized service IP addresses can reach the memcached server, and block all other access.

2. Change the listening port of the memcached service to a high port other than 11211, so the default port cannot be abused.

3. Upgrade the memcached software to the latest version and enable access-control mechanisms such as SASL authentication (pass the --enable-sasl option to configure when compiling and installing memcached, and add the -S flag when starting the memcached service). Enabling SASL authentication improves memcached security.

My analysis: suggestion 1 needs to be adjusted by the organization as part of the overall network strategy, but this part of the responsibility still has to be implemented by the system administrator. For suggestion 2, if you change the port, the application side must be changed as well, which I think is not the best policy. For suggestion 3, upgrade to the latest version, then check whether the application has any problems after the upgrade.

After careful analysis: memcached supports a -l argument that specifies the address to listen on. The default is 0.0.0.0, which accepts connections from any address. Changing the -l parameter to bind a specific address prevents external access. However, there is a problem here. Generally, the cache server is called by the front end or by other servers over the network; it is usually not used locally, and more than one external device uses it. In earlier versions of Memcached (1.4.4 in my environment), the -l parameter did not support binding multiple addresses. In the latest version, 1.5.6, multiple addresses can be bound (comma-separated, each optionally with its own port) in the following form:

$ ./memcached -l 127.0.0.1:11211,192.168.0.20:11211 -vv -u memcached

In this way, the application side needs no changes and the service is no longer reachable from arbitrary external addresses. Whether 192.168.0.20 itself is reachable from the Internet still depends on the surrounding network, so the firewall rule from suggestion 1 remains worthwhile as a second layer.
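Once the server is restarted, it is worth confirming that the settings actually took effect rather than trusting the command line. memcached answers the plain-text command "stats settings" over TCP with, among other things, the bind list (inter), the UDP port (udpport, 0 when UDP is off; memcached 1.5.6 also disables UDP by default, and -U 0 does the same on older builds) and whether SASL is on (auth_enabled_sasl). The audit below is an added example written for this article, not memcached's own tooling; the two "stats settings" excerpts it checks are constructed, showing a default 1.4.x-style configuration beside one started with the -l line above. Note that SASL in memcached applies only to binary-protocol clients, so it does nothing against UDP reflection on its own; the bind list and UDP setting are the checks that matter for this attack.

```python
import socket

# Constructed "stats settings" excerpts (not captured from a real server);
# only the keys the audit looks at are included.
WEAK_SETTINGS = (
    "STAT inter NULL\r\n"           # no -l given: bound to 0.0.0.0
    "STAT udpport 11211\r\n"        # UDP listener on (pre-1.5.6 default)
    "STAT auth_enabled_sasl no\r\n"
    "END\r\n"
)
HARDENED_SETTINGS = (
    "STAT inter 127.0.0.1:11211,192.168.0.20:11211\r\n"
    "STAT udpport 0\r\n"            # -U 0, or the 1.5.6 default
    "STAT auth_enabled_sasl no\r\n"
    "END\r\n"
)

WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}


def parse_stats_settings(text: str) -> dict:
    """Turn 'STAT key value' lines into a dict; stops at END."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line == "END":
            break
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[0] == "STAT":
            settings[parts[1]] = parts[2]
    return settings


def bind_host(entry: str) -> str:
    """Host part of one -l entry: 'ip', 'ip:port', '[v6]:port' or a bare v6 address."""
    entry = entry.strip()
    if entry.startswith("["):                 # [::1]:11211
        return entry[1:entry.index("]")]
    if entry.count(":") > 1:                  # bare IPv6 address, no port
        return entry
    return entry.split(":")[0]                # IPv4 with or without port


def audit_settings(settings: dict) -> list:
    """Return exposure findings; an empty list means nothing was flagged."""
    findings = []
    inter = settings.get("inter", "NULL")
    hosts = [] if inter == "NULL" else [bind_host(e) for e in inter.split(",")]
    if not hosts or any(h in WILDCARD_HOSTS for h in hosts):
        findings.append("listens on all interfaces: restrict with -l <addr>[,<addr>...]")
    udpport = settings.get("udpport", "0")
    if udpport != "0":
        findings.append(f"UDP listener on port {udpport}: disable with -U 0")
    if settings.get("auth_enabled_sasl", "no") != "yes":
        findings.append("SASL off (binary protocol only): build with --enable-sasl, start with -S")
    return findings


def fetch_stats_settings(host: str, port: int = 11211, timeout: float = 3.0) -> str:
    """Ask a live server over TCP; run it once per address in the -l list."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"stats settings\r\n")
        while not buf.endswith(b"END\r\n"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode("ascii", errors="replace")


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, audit_settings(parse_stats_settings(sample)) or ["ok"])
```

Against a live instance, replace the samples with `fetch_stats_settings("192.168.0.20")` and repeat for each bound address; the hardened configuration from this article should come back with only the SASL finding, which is a separate decision for the application rather than part of the reflection fix.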


Reference materials:

1. National Internet Emergency Response Center of China (CNCERT)
2. Notification of Memcached servers being used for reflection DDoS attacks
3. CNCERT notification of Memcached servers being used for reflection DDoS attacks (2)