Secure memcached server to avoid DDoS amplification attacks
Posted about 6 years ago 2kLinux or Unix-like system to avoid an attacker to exploit my Memcached services as an amplification vector, causing unexpected volumes of traffic to be sent to targeted networks?
Memcached is a free and open source distributed memory object caching system. One can use it for speeding up dynamic web applications by mitigating database load. The Memcached server is an in-memory key-value store. This page shows how to secure memcached running on a Linux or Unix-like systems.
How to install Memcached server
Use the apt-get command/apt command on a Debian/Ubuntu Linux
$ sudo apt install memcached
If you are using a CentOS/RHEL, try yum command:
$ sudo yum install memcached
Fedora Linux user should use the dnf command:
$ sudo dnf install memcached
How to configure Memcached
You need to edit the following file as per your Linux distro:
- Debian/Ubuntu/Mint Linux – /etc/memcached.conf
- CentOS/RHEL/Fedora/Oracle Linux – /etc/sysconfig/memcached
Memcached and DDoS attack
By default memcached server uses TCP/UDP port number 11211. A DDoS (Distributed Denial of Service) amplification attacks performed by exploiting Memcached servers exposed to the public Internet IPv4/IPv6 address. A significant increase in amplification attack vector – using the Memcached protocol, coming from UDP port 11211.
How to secure memcached server
1. Configure Firewall
DEBIAN/UBUNTU LINUX EXAMPLE
You can use ufw on a Debian/Ubuntu Linux as follows to only allow traffic from 11211 port between to private IP address:
$ sudo ufw allow from 172.16.3.2 to 172.16.3.1 port 11211 proto tcp comment 'Allow memcached tcp port' ### [ uncomment the following if you are using tcp port ] ### $ #sudo ufw allow from 172.16.3.2 to 172.16.3.1 port 11211 proto udp comment 'Allow memcached udp port'
CENTOS/RHEL VERSION 6.X/5.X
If you are using a CentOS/RHEL 6.x/5.x, edit the /etc/sysconfig/iptables:
$ sudo /etc/sysconfig/iptables
Add following INPUT line:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 11211 -s 172.16.3.2 -d 172.16.3.1 -j ACCEPT # uncomment the following if you are using udp #-A INPUT -m state --state NEW -m udp -p udp --dport 11211 -s 172.16.3.2 -d 172.16.3.1 -j ACCEPT
Save and close the file. Restart the firewall, run:
$ sudo service iptables restart
2. Disable UDP
To disable UDP and listen to loopback ip 127.0.0.1/172.16.3.1 only add the following to memcached config file on a CentOS/RHEL/Fedora Linux file named /etc/sysconfig/memcached:
OPTIONS="-U 0 -l 127.0.0.1,172.16.3.1"
Append the following on a Debian/Ubuntu Linux file named /etc/memcached.conf:
-U 0 -l 127.0.0.1,172.16.3.1
Where,
- -U 0 : Listen on UDP port {num}, the default is port 11211. Set it to 0 to trun it off i.e. disable UDP if NOT needed.
- -l 127.0.0.1,172.16.3.1 : Specify which IP address to listen on. The default is to listen on all IP addresses. This parameter is one of the only security measures that memcached has, so make sure it’s listening on a firewalled interface.
3. Force memcached to listen on private LAN/VLAN IP address
As discussed above set the -l option.
How do I test my memcached server security settings?
Make sure that your Memcached firewalled and TCP/UDP ports closed from the public Internet. Only allow your web server/app to access Memcached server using the nc command/telnet command/nmap command:
$ nc your-public-IP-here 11211 $ nc -u your-public-IP-here 11211 $ telnet your-public-IP-here 11211 $ sudo nmap your-public-IP-here -p 11211 -sU -sS --script memcached-info
Result:
sample firewall message indicating blocked attack
[72551.977597] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:60:1d:71:00:26:51:c4:00:41:08:00 SRC=184.105.139.71 DST=45.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=TCP SPT=55298 DPT=11211 WINDOW=65535 RES=0x00 SYN URGP=0 [74893.874472] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:60:1d:71:00:1b:54:c2:50:c1:08:00 SRC=216.75.62.8 DST=45.xxx.xxx.xxx LEN=40 TOS=0x08 PREC=0x20 TTL=243 ID=54321 PROTO=TCP SPT=57239 DPT=11211 WINDOW=65535 RES=0x00 SYN URGP=0