Bobcares

Memcached DDOS attack – How can we prevent the attack

by | Feb 22, 2021

Stuck with a Memcached DDOS attack? We can help you.

Most of the time the vulnerable Memcached service is there by accident. We can find out if the server is under this attack by analyzing the bandwidth usage pattern.

As part of our Server Management Services, we assist our customers with several such attacks.

Today, let us see how our Support Engineers work in order to prevent the Memcached DDOS attack.


Memcached DDOS attack

Memcached is just one service or process that runs on a server. Most of the time the vulnerable Memcached service is there by accident.

Attackers exploit Memcached reflection vulnerabilities to launch large denial-of-service attacks against target organizations.

If we analyze the bandwidth usage pattern, we can find out whether the server is vulnerable to this attack.


Solutions to prevent Memcached DDOS attack

  • Disable UDP

We have to make sure to disable UDP support if unnecessary. By default, Memcached has UDP support enabled, potentially leaving a server vulnerable.

  • Firewall Memcached servers

Firewalling Memcached servers from the Internet helps system administrators to use UDP for Memcached if necessary without exposure.

  • Prevent IP spoofing

Preventing IP spoofing is a broader solution. However, it is not easy for any single system administrator to implement: it requires transit providers to not allow any packets to leave their network that have a source IP address originating outside the network.

In other words, if all major transit providers implemented this type of filtration, spoofing-based attacks would disappear overnight.

  • Develop software with reduced UDP responses

Another possible method is to remove the amplification factor to any incoming request. If the response data sent as a result of a UDP request is smaller than or equal to the initial request, amplification is no longer possible.


Disable UDP

Furthermore, let us see how our Support Techs disable UDP in detail.

For Memcached services on CentOS and Fedora servers, we can adjust the service parameters by editing the /etc/sysconfig/memcached file with vi.

For instance, a default installation shows Memcached listening on both TCP and UDP on all interfaces:

# netstat -plunt | grep memcached
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 1916/memcached
tcp6 0 0 :::11211 :::* LISTEN 1916/memcached
udp 0 0 0.0.0.0:11211 0.0.0.0:* 1916/memcached
udp6 0 0 :::11211 :::* 1916/memcached

To secure this, we need to stop Memcached listening on the UDP port by editing the Memcached configuration:

vi /etc/sysconfig/memcached

To make Memcached listen only on 127.0.0.1 and disable UDP, add the line below to /etc/sysconfig/memcached (the -l option sets the listen address and -U 0 turns off the UDP port):

/etc/sysconfig/memcached
OPTIONS="-l 127.0.0.1 -U 0"

Eventually, save and close the file.

Then we restart the Memcached service to apply changes:

sudo service memcached restart

To verify that Memcached is now bound to the local interface and listens only on TCP, we run:

netstat -plunt | grep memcached
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 1946/memcached

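The verification step above is easy to get wrong by eye, so here is an added example (not part of the original post) that audits a netstat-style listing for exposed Memcached sockets: any UDP listener, or any TCP listener bound to a non-loopback address, is reported and the function returns non-zero. The sample listings are constructed to match the before/after output shown above.

```shell
#!/bin/sh
# Added example: audit "netstat -plunt" output for exposed memcached sockets.
# Flags every UDP listener (reflection/amplification risk) and every TCP
# listener that is not bound to a loopback address.

# Constructed sample: the default "before" state (TCP and UDP on all interfaces).
SAMPLE_BEFORE='tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 1916/memcached
tcp6 0 0 :::11211 :::* LISTEN 1916/memcached
udp 0 0 0.0.0.0:11211 0.0.0.0:* 1916/memcached
udp6 0 0 :::11211 :::* 1916/memcached'

# Constructed sample: the hardened "after" state (TCP on 127.0.0.1 only).
SAMPLE_AFTER='tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 1946/memcached'

# memcached_exposed LISTING
# Prints one line per risky socket; returns 1 if any was found, 0 otherwise.
memcached_exposed() {
    printf '%s\n' "$1" | awk '
        /memcached/ {
            proto = $1; laddr = $4
            # strip the trailing ":port" to get the bound address
            addr = laddr; sub(/:[0-9]+$/, "", addr)
            if (proto ~ /^udp/) {
                print "UDP listener (amplification risk): " $0; bad = 1
            } else if (addr != "127.0.0.1" && addr != "::1") {
                print "TCP listener on non-loopback address " addr ": " $0; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# audit_live: run the same check against the running host (needs netstat).
audit_live() {
    memcached_exposed "$(netstat -plunt 2>/dev/null)"
}

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    echo "== before hardening =="; memcached_exposed "$SAMPLE_BEFORE" || echo "EXPOSED"
    echo "== after hardening ==";  memcached_exposed "$SAMPLE_AFTER" && echo "ok"
fi
```

Run it with `--live` on the server after the restart; a clean run prints nothing and exits 0.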



Conclusion

In short, Memcached DDOS attacks mostly happen because a vulnerable Memcached service was left exposed by accident. To prevent them, our Support Techs suggest disabling UDP, firewalling Memcached servers, and the other measures listed above.
