Preventing memcached Amplification Attacks
Posted by Kevin Stange, Last modified by Kevin Stange on 26 June 2018 03:12 PM
In 2018 we have seen a large number of DDoS attacks making use of unsecured memcached services running on the internet. On some Linux distributions memcached servers default to listening on all network interfaces, including those facing the internet. Exposing the service puts servers at risk of participating in an amplification attack and may expose some sensitive information stored by the application using memcached.

This attack queries memcached servers for large results using a fake source address. This request causes the response to go back to the faked address, resulting in a large amount of data being sent to a computer that did not request it. This effect, when used with thousands of memcached servers, directs a very large amount of traffic to a single IP to form an efficient distributed attack.

If you are using memcached only with an application running on the same server, you should configure the service to listen only on the local interface so that it can never be exposed on the internet. To do this:

On CentOS:

On Debian or Ubuntu:

If you are running an application on another server that needs to connect to memcached, you should configure the server firewall to only accept connections on port 11211 from IP address ranges of application servers that need to connect to this server.

If you aren't using memcached, you should remove or disable the software. To remove it:

On CentOS:

    yum remove memcached

On Debian or Ubuntu:

    apt-get remove memcached

For advice on how to adjust a server to prevent memcached amplification, or any other questions about the topics discussed in this article, please visit our Help Desk or email us. memcached is not supported software, but our support team can assist with firewall and package management to disable or restrict access to it.
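To confirm that memcached is bound only to the local interface, the following added example (not part of the original article) reads the output of `ss -H -lntu` and reports any listener on port 11211 whose local address is not a loopback address. The function names and the sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag memcached listeners (port 11211) not bound to loopback.
# Assumed input: output of `ss -H -lntu` (iproute2), one socket per line.
# Live use: ss -H -lntu | check_memcached_binding

MEMCACHED_PORT=11211

# Reads ss output on stdin; prints "proto address" for every listener on the
# memcached port whose local address is not a loopback address.
exposed_memcached_listeners() {
    awk -v port="$MEMCACHED_PORT" '
        {
            local_addr = $5                     # e.g. 0.0.0.0:11211 or [::1]:11211
            n = match(local_addr, /:[0-9]+$/)   # port starts at the last colon
            if (n == 0) next
            addr = substr(local_addr, 1, n - 1)
            p    = substr(local_addr, n + 1)
            if (p != port) next
            gsub(/\[|\]/, "", addr)             # strip IPv6 brackets
            sub(/%.*/, "", addr)                # strip interface suffix such as %lo
            if (addr ~ /^127\./ || addr == "::1") next
            print $1, addr                      # both TCP and UDP listeners count
        }'
}

# Constructed sample input in the assumed ss format (not from a real host).
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:11211      0.0.0.0:*
tcp   LISTEN 0      1024       127.0.0.1:11211      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      1024           [::1]:11211         [::]:*
tcp   LISTEN 0      1024               *:11211            *:*
EOF
}

# Returns 0 when no memcached listener is exposed, 1 otherwise.
check_memcached_binding() {
    exposed=$(exposed_memcached_listeners)
    [ -z "$exposed" ] && return 0
    printf 'memcached listening on non-loopback address:\n%s\n' "$exposed" >&2
    return 1
}
```

A listener on `0.0.0.0`, `*` or `::` is reachable on every interface, so the firewall rule described above is then the only thing restricting access to port 11211.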