Cache utility memcached is being exploited

Do you have any internet-facing devices running memcached? Security experts warn that systems exposed to the internet and running memcached on port 11211 UDP and TCP are being exploited in a new distributed denial-of-service (DDoS) reflection attack.

The DDoS attacks have impacted networks in Asia, North America and Europe and reached hundreds of gigabits per second, according to The Register.  

Memcached is a tool meant to cache data and reduce strain on heavier data stores, such as disks or databases, but was never intended to be exposed to the internet. Akamai warned that there were 50,000 vulnerable systems detected on the internet running memcached as of Tuesday. 

Akamai provided a good summary on the memcached UDP reflection attack on Tuesday: 

“Akamai is aware of a new DDoS reflection attack vector: UDP-based memcached traffic.  Memcached is a tool meant to cache data and reduce strain on heavier data stores, like disk or databases. The protocol allows the server to be queried for information about key value stores and is only intended to be used on systems that are not exposed to the Internet. There is no authentication required with memcached.  When this is added to the ability to spoof IP addresses of UDP traffic, the protocol can be easily abused as a reflector when it is exposed to the Internet. Akamai has seen multiple attacks, some  in excess of 190 Gbps,  with the potential for much larger attacks.”

Operators of enterprise networks are strongly encouraged to make sure devices that run memcached are placed behind the firewall and turn off UDP.

Barry Greene wrote in his security blog that operators should consider updating their firewalls and Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP port 11211 for all ingress and egress traffic.

Leave a Reply