Memcached DDoS and MemCachier
In light of recent DDoS attacks involving memcached servers several customers have asked us about MemCachier’s vulnerability to this type of attack. At MemCachier, we are not vulnerable to these kinds of attacks because we use a custom multi-tenant implementation of the memcached protocol that is optimized for security, reliability, and performance as a cloud service.
How does it work?
This particular attack was possible because the standard memcached implementation allows for UDP requests. An attacker that is able to spoof his or her IP address can send requests on behalf of the victim, who would then get all the responses. In particular an attacker would first store large values (up to 1 MB) at the memcached server and then issue many requests on behalf of the victim to get these large values. This blog post explains the attack in more detail.
What about your memcached server?
If you are running memcached that is older than version 1.5.6 and you have not explicitly turned off the UDP port, then you are vulnerable.
To prevent it you basically need to disable the UDP port of your memcached server. To do this you can edit the systemd service file with
systemctl edit memcached.service --full and make sure memcached is started in ExecStart with the
-U 0 flag. Additionally, if your memcached server is only used by a local process make sure the
-l 127.0.0.1 flag is set as well. The whole line should look something like this:
ExecStart=/usr/bin/memcached -l 127.0.0.1 -U 0 -o modern
After editing the service file you need to restart the memcached server with
sudo systemctl restart memcached
If you are using upstart or some other system instead of systemd check out this guide for how to configure memached.
In addition to closing the the hole one the memcached server itself, you should also revise your firewall policy. Random UDP ports (and not just UDP for that matter) should not be open to the public.
Why are MemCachier’s servers safe?
MemCachier’s memcached implementation does not listen to UDP requests, so is not vulnerable to this form of attack. In addition, MemCachier’s servers only process requests from authenticated clients so a random attacker cannot connect to our servers without valid credentials.
Attacks like this highlight the benefit of using a memcached service like MemCachier because customers don’t need to worry about vulnerabilities or misconfiguration. At MemCachier we have not had a known security vulnerability for the six years we have been operating. Of course we are not totally immune to exploits, but should an issue ever arise we have a professional team that can quickly deal with such annoyances so our customers don’t have to.