In 2018 we have seen a large number of DDoS attacks making use of unsecured memcached services running on the internet.  On some Linux distributions memcached servers default to listening on all network interfaces, including those facing the internet.  Exposing the service puts servers at risk of participating in an amplification attack and may expose some sensitive information stored by the application using memcached. This attack queries memcached servers for large results using a fake source address. This request causes the response to go back to the faked address, resulting in a large amount of data being sent to a computer that did not request it. This effect, when used with thousands of memcached servers, directs a very large amount of traffic to a single IP to form an efficient distributed attack.

If you are using memcached only with an application running on the same server, you should configure the service to listen only on the local interface so that it can never be exposed on the internet.  To do this:

On CentOS:

1. Edit the file /etc/sysconfig/memcached
2. Find the line that begins with OPTIONS= and add -l 127.0.0.1 between the quotation marks.
3. If there is no such line, add one that says OPTIONS="-l 127.0.0.1"
4. Restart the service by running the command

   service memcached restart

On Debian or Ubuntu:

1. Edit the file /etc/memcached.conf
2. Find the line that begins with -l and make sure it reads -l 127.0.0.1 
3. If there is no such line, add one at the end of the file that says -l 127.0.0.1
4. Restart the service by running the command

   service memcached restart

If you are running an application on another server that needs to connect to memcached, you should configure the server firewall to only accept connections on port 11211 from IP address ranges of application servers that need to connect to this server.

If you aren't using memcached, you should remove or disable the software. To remove it:

On CentOS:

yum remove memcached

On Debian or Ubuntu:

apt-get remove memcached

For advice on how to adjust a server to prevent memcached amplification, or any other questions about the topics discussed in this article, please visit our Help Desk or email us.  memcached is not supported software, but our support team can assist with firewall and package management to disable or restrict access to it.