Are you facing a Memcached DDOS attack?
This guide will help you.
A Memcached Distributed Denial of Service (DDoS) attack is a cyber attack that abuses Memcached, a database caching system designed to speed up websites and networks. It works by flooding a website or application with traffic until the servers crash.
Most of the time the vulnerable Memcached service is there by accident. We can find out if the server is under this attack by analyzing the bandwidth usage pattern.
In this context, we shall look into ways to mitigate a Memcached DDoS attack.
Nature of a Memcached DDoS attack?
Memcached is just one service or process that runs on a server. Most of the time the vulnerable Memcached service is there by accident.
Attackers exploit Memcached reflection vulnerabilities to launch large denial-of-service attacks against target organizations.
If we analyze the bandwidth usage pattern, we can find out whether the server is vulnerable to this attack.
How to resolve a Memcached DDoS attack?
1. Disable UDP
We have to make sure to disable UDP support if it is unnecessary. By default, Memcached has UDP support enabled, potentially leaving a server vulnerable.
2. Firewall Memcached servers
Firewalling Memcached servers from the Internet lets system administrators keep using UDP for Memcached where necessary without exposing it.
3. Prevent IP spoofing
Preventing IP spoofing is a larger solution. However, it is not something any particular system administrator can implement on their own: it requires transit providers to not allow any packet to leave their network whose source IP address originates outside that network.
In other words, if all major transit providers implemented this type of filtration, spoofing-based attacks would disappear overnight.
4. Develop software with reduced UDP responses
Another possible method is to remove the amplification factor from every incoming request. If the response data sent as a result of a UDP request is smaller than or equal to the initial request, amplification is no longer possible.
How to Disable UDP?
Let us see in detail how our Support Experts disable UDP.
i. For Memcached services on CentOS and Fedora servers, we can adjust the service parameters by editing the /etc/sysconfig/memcached file with vi. First, check which addresses and protocols Memcached is currently listening on:
# netstat -plunt | grep memcached
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 1916/memcached
tcp6 0 0 :::11211 :::* LISTEN 1916/memcached
udp 0 0 0.0.0.0:11211 0.0.0.0:* 1916/memcached
udp6 0 0 :::11211 :::* 1916/memcached
ii. To secure this, we need to stop Memcached from listening on the UDP port by editing the Memcached configuration.
iii. To make Memcached listen only on 127.0.0.1 and disable UDP, we add the line below to /etc/sysconfig/memcached:
OPTIONS="-l 127.0.0.1 -U 0"
iv. Eventually, save and close the file.
v. Then we restart the Memcached service to apply the changes:
sudo service memcached restart
vi. To verify that Memcached is now bound to the local interface and listens only for TCP, we run:
netstat -plunt | grep memcached
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 1946/memcached
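The verification step above can be automated so that a monitoring job or a post-deployment check flags any Memcached socket that is still exposed. The script below is an added example, not part of the original post or of Memcached itself; it assumes the netstat column layout shown above, and the sample output it parses is constructed from the listings in this guide.

```shell
#!/bin/sh
# Added audit helper (not from the original post): parse `netstat -plunt`
# style output and report Memcached sockets that are exposed.
# Sample output below is constructed from the "before" and "after" listings.

SAMPLE_BEFORE='tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 1916/memcached
tcp6 0 0 :::11211 :::* LISTEN 1916/memcached
udp 0 0 0.0.0.0:11211 0.0.0.0:* 1916/memcached
udp6 0 0 :::11211 :::* 1916/memcached'

SAMPLE_AFTER='tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 1946/memcached'

# memcached_exposure <netstat-output>
# Prints one finding per line: "UDP <local-address>" for any UDP socket
# (amplification vector) and "PUBLIC <proto> <local-address>" for a socket
# not bound to loopback. Exit status 1 if anything was found, 0 if clean.
memcached_exposure() {
    printf '%s\n' "$1" | awk '
        $NF ~ /\/memcached$/ {
            proto = $1; addr = $4
            if (proto ~ /^udp/) { print "UDP " addr; bad = 1 }
            else if (addr !~ /^127\.0\.0\.1:/ && addr !~ /^::1:/) {
                print "PUBLIC " proto " " addr; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Wrapper for a live host; requires netstat (net-tools) to be installed.
check_live_memcached() {
    memcached_exposure "$(netstat -plunt 2>/dev/null | grep memcached)"
}

# Example usage with the constructed samples
echo "Before hardening:"
memcached_exposure "$SAMPLE_BEFORE" || echo "-> exposed, apply the -l/-U fix"
echo "After hardening:"
memcached_exposure "$SAMPLE_AFTER" && echo "-> clean"
```

A non-zero exit status makes the check easy to wire into a cron job or configuration-management run that alerts when UDP or a public bind reappears after an upgrade.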