Secure memcached server to avoid DDoS amplification attacks


I am worried that my Memcached server could be used for DDoS amplification attacks. How do I secure a Memcached server on a Linux or Unix-like system so that an attacker cannot exploit my Memcached service as an amplification vector, causing unexpected volumes of traffic to be sent to targeted networks?

Memcached is a free and open source distributed memory object caching system. It speeds up dynamic web applications by reducing database load. The Memcached server is an in-memory key-value store that, by default, has no authentication at all: anyone who can reach its port can read, write and dump the cache. This page … systems.

How to install Memcached server

Use the apt-get command/apt command on Debian/Ubuntu Linux:

$ sudo apt install memcached

If you are using CentOS/RHEL, try the yum command:

$ sudo yum install memcached

Fedora Linux users should use the dnf command:

$ sudo dnf install memcached

How to configure Memcached

You need to edit the following file as per your Linux distro:

Debian/Ubuntu/Mint Linux – /etc/memcached.conf

CentOS/RHEL/Fedora/Oracle Linux – /etc/sysconfig/memcached

For detailed information on memcached configuration, see the memcached FAQ.

Memcached and DDoS attack

By default the memcached server listens on both TCP and UDP port 11211, on all interfaces. DDoS (Distributed Denial of Service) amplification attacks are carried out by abusing memcached servers exposed on public IPv4/IPv6 addresses: the attacker sends a small UDP request, such as stats or a get for a large value the attacker first stored on the unauthenticated server, with the source address forged to that of the victim, and memcached sends its much larger reply to the victim. UDP involves no handshake, so the forged source is never verified, and measured amplification factors ran into the tens of thousands. A significant increase in this attack vector, using the memcached protocol from UDP port 11211, was observed in February 2018 (see the Memcrashed reference below).

How to secure memcached server

The procedure to secure a memcached server is as follows:

1. Configure a firewall

Debian/Ubuntu Linux example

You can use ufw on Debian/Ubuntu Linux as follows to allow traffic to port 11211 only between two private IP addresses, here from the web/app server 172.16.3.2 to the memcached host 172.16.3.1. An allow rule only helps if ufw is enabled and its default incoming policy is deny (check with ufw status verbose), otherwise the port stays reachable from everywhere regardless of this rule:

$ sudo ufw allow from 172.16.3.2 to 172.16.3.1 port 11211 proto tcp comment 'Allow memcached tcp port'

### [ uncomment the following only if you really need UDP; step 2 below disables it ] ###

$ #sudo ufw allow from 172.16.3.2 to 172.16.3.1 port 11211 proto udp comment 'Allow memcached udp port'

CentOS/RHEL version 6.x/5.x

If you are using CentOS/RHEL 6.x/5.x, edit the /etc/sysconfig/iptables file:

$ sudo vi /etc/sysconfig/iptables

Add the following INPUT line. It must be placed above the final REJECT/DROP rule of the INPUT chain, because iptables stops at the first matching rule:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 11211 -s 172.16.3.2 -d 172.16.3.1 -j ACCEPT

# uncomment the following if you are using udp

#-A INPUT -m state --state NEW -m udp -p udp --dport 11211 -s 172.16.3.2 -d 172.16.3.1 -j ACCEPT

Save and close the file. Restart the firewall, run:

$ sudo service iptables restart

RHEL/CentOS version 7.x and Fedora Linux

For the latest CentOS/RHEL/Fedora Linux releases use the following firewall-cmd rich rule. The source is written as a single host (/32): a /24 mask on 172.16.3.2 would admit the whole 172.16.3.0/24 network rather than only the web server. If your LAN interface is not in the public zone, name the zone it actually belongs to:

# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="172.16.3.2/32" port protocol="tcp" port="11211" accept'



Reload the firewall:

# firewall-cmd --reload

2. Disable UDP

The firewall is your first line of defence; disabling UDP in memcached itself is the second, so that a firewall mistake cannot re-expose the amplification vector. Note that memcached 1.5.6 and later already disable UDP by default, but distribution packages may ship older versions or their own defaults, so set it explicitly. To disable UDP and listen only on the loopback IP 127.0.0.1 and the private LAN IP 172.16.3.1, add the following to the memcached config file on CentOS/RHEL/Fedora Linux, named /etc/sysconfig/memcached:

OPTIONS="-U 0 -l 127.0.0.1,172.16.3.1"

On Debian/Ubuntu Linux the file /etc/memcached.conf takes one option per line; the stock file already contains a -l 127.0.0.1 line, so edit that line and add -U 0:

-U 0

-l 127.0.0.1,172.16.3.1

Where,

-U 0 : Listen on UDP port {num}; the default is port 11211. Set it to 0 to turn UDP off entirely, i.e. disable UDP if it is not needed (the usual case: clients such as PHP, Python and Java memcached libraries use TCP).

-l 127.0.0.1,172.16.3.1 : Specify which IP addresses to listen on. The default is to listen on all IP addresses. This parameter is one of the only security measures that memcached has, so make sure it is listening on a firewalled interface only.

Restart the memcached service after editing the file (systemctl restart memcached on systemd-based distros, service memcached restart on older ones) and confirm with ss that no udp socket on port 11211 remains.

3. Force memcached to listen on private LAN/VLAN IP address

As discussed above set the -l option.

How do I test my memcached server security settings?

Make sure that Memcached is firewalled and that its TCP and UDP ports are closed to the public Internet, with only your web/app server allowed in. Test from a host outside your network (a laptop on another connection, or a VPS elsewhere) using the nc command, telnet command or nmap command; against your public IP every one of these should fail with a connection refused or a timeout:

$ nc your-public-IP-here 11211

$ nc -u your-public-IP-here 11211

$ telnet your-public-IP-here 11211

$ sudo nmap your-public-IP-here -p 11211 -sU -sS --script memcached-info

Note that nc -u sends nothing on its own: type stats and press Enter, and treat silence for a couple of seconds as closed. nmap's -sU and -sS scans need root. A UDP result of open|filtered is ambiguous (no reply either way); the port is only confirmed exposed when nmap reports it open and the memcached-info script prints version and statistics.

On the memcached host itself, verify the listening sockets with the ss command or netstat command. Only tcp lines bound to 127.0.0.1 and 172.16.3.1 should appear, and no udp line at all:

$ ss -tulpn | grep :11211

$ netstat -tulpn | grep :11211
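The nc and telnet checks above answer only "does it reply"; an amplification test also wants the size of the reply relative to the request. The script below is an added example, not part of the original page or of memcached, that sends one UDP stats request wrapped in memcached's 8-byte UDP frame header (request ID, sequence number, total datagrams, reserved; all big-endian 16-bit values), collects every datagram that comes back, and reports the bytes-received to bytes-sent ratio, plus a plain TCP version check. The reply datagrams used to exercise it offline are constructed; the host and the 2-second timeout are assumptions.

```python
"""Probe a memcached host for UDP exposure and amplification (added example).

memcached frames every UDP datagram with an 8-byte header:
  request ID | sequence number | total datagrams in reply | reserved
A "stats" reply may span several datagrams, each carrying that header.
"""
import socket
import struct
import sys

MEMCACHED_PORT = 11211
UDP_HEADER = struct.Struct("!HHHH")  # four big-endian uint16 fields


def build_udp_frame(command, request_id=1):
    """Wrap a text-protocol command (bytes, with \\r\\n) in one UDP frame."""
    return UDP_HEADER.pack(request_id, 0, 1, 0) + command


def parse_udp_frame(datagram):
    """Return (request_id, seq, total, body) from one memcached UDP datagram."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than the memcached UDP header")
    request_id, seq, total, _reserved = UDP_HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[UDP_HEADER.size:]


def assess(request, datagrams):
    """Turn one request and the datagrams received for it into a verdict.

    amplification is bytes on the wire received / bytes sent, which is the
    factor an attacker spoofing a victim's address would obtain from us.
    """
    bodies = [parse_udp_frame(d)[3] for d in datagrams]
    received = sum(len(d) for d in datagrams)
    ratio = received / len(request) if request else 0.0
    return {
        "responding": received > 0,
        "sent": len(request),
        "received": received,
        "amplification": ratio,
        "body": b"".join(bodies),
    }


def probe_udp(host, port=MEMCACHED_PORT, timeout=2.0):
    """Send a single UDP 'stats' and gather everything that comes back."""
    request = build_udp_frame(b"stats\r\n")
    datagrams = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # assumed: 2 s is enough on a LAN or WAN
        sock.sendto(request, (host, port))
        try:
            while True:
                data, _peer = sock.recvfrom(65535)
                datagrams.append(data)
        except OSError:
            pass  # timeout or ICMP unreachable: no reachable UDP listener
    return assess(request, datagrams)


def probe_tcp(host, port=MEMCACHED_PORT, timeout=2.0):
    """Return the 'version' reply over TCP, or None if closed/filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"version\r\n")
            return sock.recv(256)
    except OSError:
        return None


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed target
    udp = probe_udp(host)
    print(f"UDP {host}:{MEMCACHED_PORT}: responding={udp['responding']} "
          f"sent={udp['sent']}B received={udp['received']}B "
          f"amplification={udp['amplification']:.1f}x")
    print(f"TCP {host}:{MEMCACHED_PORT}: {probe_tcp(host)!r}")
```

Run it from outside your network against the public IP: after the hardening above, UDP must report responding=False and TCP must print None. Run it from the web server against 172.16.3.1 to confirm TCP still answers there. Against a memcached that still has UDP on, a 15-byte stats request typically returns a reply orders of magnitude larger, which is the number that makes this service so attractive as a reflector.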



Sample firewall log messages indicating blocked connection attempts

Once the firewall is in place, the kernel log (dmesg or syslog) shows ufw dropping unsolicited traffic to port 11211 from Internet addresses. The two entries below are TCP SYN probes (PROTO=TCP, SYN), i.e. scanners looking for exposed memcached servers; a spoofed amplification request would show PROTO=UDP with DPT=11211 instead:

[72551.977597] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:60:1d:71:00:26:51:c4:00:41:08:00 SRC=184.105.139.71 DST=45.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=TCP SPT=55298 DPT=11211 WINDOW=65535 RES=0x00 SYN URGP=0

[74893.874472] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:60:1d:71:00:1b:54:c2:50:c1:08:00 SRC=216.75.62.8 DST=45.xxx.xxx.xxx LEN=40 TOS=0x08 PREC=0x20 TTL=243 ID=54321 PROTO=TCP SPT=57239 DPT=11211 WINDOW=65535 RES=0x00 SYN URGP=0

References:

Memcrashed – Major amplification attacks from UDP port 11211 (Cloudflare blog, February 2018)