Red Hat released security guidance that addresses recent Distributed Denial of Service (DDoS) amplification attacks being performed by attackers who are exploiting vulnerable memcached systems exposed to the internet.
Attackers are abusing memcached's UDP transport, which listens on port 11211 by default, to reflect and amplify traffic at their targets. A successful attack also lets remote attackers leak or modify the information stored in memcached.
Red Hat products affected by the memcached vulnerability (CVE-2018-1000115) include Red Hat Enterprise Linux versions 6 and 7.
According to the Red Hat knowledgebase article, “The attack is effective because of the high amplification ratio – a request with the size of a few hundred bytes can generate a response of a few megabytes or even hundreds of megabytes in size.”
Memcached is a tool meant to cache data and reduce strain on heavier data stores, such as disks or databases, but was never intended to be exposed to the internet.
Red Hat recommends the following safeguards to secure memcached installations and prevent their use in DDoS attacks:
- Configure a firewall: “Set up a firewall to ensure your memcached service is only accessible from the trusted hosts that require access to the service. Block all access to the service from the public Internet.”
- Disable UDP: “If your memcached deployment does not depend on the use of UDP transport protocol, disable connections over UDP and only allow TCP connections. This restriction can be achieved using the firewall configuration as noted above, or by configuring memcached to not listen on the UDP port.”
- Restrict memcached to localhost: “If the memcached service only needs to be accessed from other services running on the same server, restrict the access to memcached from remote.” (e.g., only listen on the loopback interface using the “-l 127.0.0.1” option).
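The three safeguards above reduce to a few settings on a RHEL-style host: the `OPTIONS` line in `/etc/sysconfig/memcached` (`-l 127.0.0.1` to bind only to loopback, `-U 0` to disable the UDP listener) and firewall rules that admit TCP 11211 only from trusted hosts while dropping UDP. The script below is an added example, not Red Hat's code or part of its knowledgebase article. It parses an `OPTIONS` string, reports whether it already satisfies the guidance, emits a hardened replacement that keeps unrelated flags such as `-m` and `-c`, and prints (without applying) firewalld rich rules for a placeholder trusted network `192.0.2.0/24`, which is an assumption to be replaced with your own range.

```shell
#!/bin/sh
# Added example: audit and harden a memcached OPTIONS line against DDoS amplification.
# Assumptions: the service reads OPTIONS="..." from /etc/sysconfig/memcached,
# "-U 0" disables the UDP listener, "-l <addr>" binds the TCP listener.
# TRUSTED_CIDR is a placeholder (TEST-NET-1); substitute the hosts that need access.
TRUSTED_CIDR="192.0.2.0/24"

# Return 0 only when OPTIONS disables UDP and binds exclusively to loopback.
# A missing -l is treated as "all interfaces" (memcached's default), so it fails.
memcached_options_hardened() {
    udp_off=1
    loopback_only=1
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -U)  [ "${2:-}" = "0" ] && udp_off=0
                 [ $# -gt 1 ] && shift ;;
            -U0) udp_off=0 ;;
            -l)  addrs=$(printf '%s' "${2:-}" | tr ',' ' ')   # -l accepts a comma-separated list
                 loopback_only=0
                 [ -n "$addrs" ] || loopback_only=1
                 for a in $addrs; do
                     case "$a" in 127.0.0.1|::1|localhost) ;; *) loopback_only=1 ;; esac
                 done
                 [ $# -gt 1 ] && shift ;;
        esac
        shift
    done
    [ "$udp_off" -eq 0 ] && [ "$loopback_only" -eq 0 ]
}

# Print a hardened OPTIONS string: keep every flag except -U/-l, then append
# loopback-only binding and a disabled UDP port.
harden_memcached_options() {
    out=""
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -U|-l) [ $# -gt 1 ] && shift ;;   # drop the flag and its value
            -U*|-l*) ;;                        # drop the fused form (-U0, -l0.0.0.0)
            *) out="$out $1" ;;
        esac
        shift
    done
    out="${out# }"
    [ -n "$out" ] && out="$out "
    printf '%s-l 127.0.0.1 -U 0\n' "$out"
}

# Live check (not exercised by the self-test): is anything bound to UDP 11211?
memcached_udp_listening() {
    ss -lun 2>/dev/null | grep -q ':11211 '
}

# Emit firewalld rules for review; nothing is applied by this script.
print_firewall_rules() {
    cidr="$1"
    echo "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$cidr\" port port=\"11211\" protocol=\"tcp\" accept'"
    echo "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" port port=\"11211\" protocol=\"udp\" drop'"
    echo "firewall-cmd --reload"
}

# Demo: audit the real sysconfig file if readable, otherwise a constructed sample
# that shows the exposed default (UDP on, bound to all interfaces).
CONF=/etc/sysconfig/memcached
if [ -r "$CONF" ]; then
    current=$(sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$CONF")
else
    current='-m 64 -c 1024 -U 11211'   # constructed sample
fi
if memcached_options_hardened "$current"; then
    echo "OPTIONS already hardened: $current"
else
    echo "OPTIONS needs hardening: $current"
    echo "Suggested: OPTIONS=\"$(harden_memcached_options "$current")\""
    print_firewall_rules "$TRUSTED_CIDR"
fi
```

Run it once before and once after editing `/etc/sysconfig/memcached` and restarting the service; on a hardened host the live check `memcached_udp_listening` returns non-zero because no UDP socket remains on 11211. The firewall rules are printed rather than executed so that the trusted range can be reviewed before anything changes.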
Red Hat also provides a “How to install and configure memcached” page with more detailed technical guidelines and a verified solution.