How To Secure Memcached?

Memcrashed works by exploiting the memcached program. Memcached is an open-source, high-performance, distributed, object-caching system. It’s commonly used by social networks such as Facebook and its creator LiveJournal as an in-memory key-value store for small chunks of arbitrary data. It’s the program that enables them to handle their massive data I/O. It’s also used by many to cache their web-server-session data to speed up their sites — and that’s where the trouble starts.

When a server receives a memcached get request, it collects the requested values from memory to form a response. It then sends that response over the internet as an uninterrupted stream of multiple UDP packets, each with a length of up to 1,400 bytes.

The attacker can first load large values into the data store and then ask for them back. So, even with just a single stored value of one megabyte, the attacker sends a spoofed UDP request to memcached’s default port 11211 asking for that 1MB of data to be sent hundreds of times per request, and the reply goes to the spoofed source address rather than to the attacker.

So what can you do?

If you’re running memcached, according to SANS you should harden your memcached server by taking the following steps:

  1. Open /etc/memcached.conf in a text editor
  2. Locate the -m parameter
  3. Change its value to at least 1GB
  4. Locate the -l parameter
  5. Change its value to 127.0.0.1 or localhost
  6. Save your changes to memcached.conf and exit the text editor
  7. Restart memcached

If you’re running memcached, you should also disable UDP support if you are not using it. As a potential victim, you should also close off port 11211.
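The following is an added example, not code from the original article or from SANS or the memcached project. It audits the contents of a Debian-style memcached.conf (one command-line option per line, `#` comments) for the hardening steps above: the `-l` bind address restricted to loopback, the `-m` memory limit at the 1GB the steps ask for, and UDP disabled. Memcached's `-U` option sets the UDP port and `-U 0` disables UDP; that flag is not named on the page. The two config samples embedded below are constructed for illustration, and the pre-1.5.6 version boundary for UDP being enabled by default is from memcached's release history, not from the article.

```python
"""Audit a Debian-style /etc/memcached.conf for Memcrashed hardening.

Added example (not the article's or memcached's own code). Checks:
  -l   bound to loopback only (steps 4-5)
  -m   at least 1024 MB (steps 2-3)
  -U 0 UDP listener disabled (memcached's UDP port option; 0 = off)
"""

import shlex

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample: typical pre-1.5.6 Debian defaults (UDP on by default).
WEAK_CONF = """\
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

# Constructed sample: after applying the article's steps plus UDP disabled.
HARDENED_CONF = """\
-d
logfile /var/log/memcached.log
-m 1024
-p 11211
-u memcache
-l 127.0.0.1
-U 0
"""


def parse_memcached_conf(text):
    """Map each option to its value ('' for bare flags such as -d).

    The Debian format puts one option per line; '#' starts a comment.
    A later duplicate option overrides an earlier one, as memcached
    itself applies the last value given on its command line.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        opts[parts[0]] = parts[1] if len(parts) > 1 else ""
    return opts


def audit_memcached_conf(text, min_memory_mb=1024):
    """Return a list of (code, message) findings; empty means hardened."""
    opts = parse_memcached_conf(text)
    findings = []

    # Steps 4-5: with no -l, memcached listens on every interface.
    listen = opts.get("-l")
    if listen is None:
        findings.append(("LISTEN_ALL",
                         "-l missing: memcached listens on all interfaces by default"))
    else:
        exposed = sorted({a.strip() for a in listen.split(",")} - LOOPBACK)
        if exposed:
            findings.append(("LISTEN_EXPOSED",
                             "-l binds non-loopback address(es): " + ", ".join(exposed)))

    # UDP: -U 0 disables it. Absent means the build default, which was
    # UDP enabled on port 11211 for memcached versions before 1.5.6.
    udp = opts.get("-U")
    if udp is None:
        findings.append(("UDP_ENABLED",
                         "-U missing: UDP on 11211 is enabled by default before "
                         "memcached 1.5.6; add '-U 0'"))
    elif udp != "0":
        findings.append(("UDP_ENABLED",
                         "-U %s: UDP listener enabled; set '-U 0'" % udp))

    # Steps 2-3: -m is in megabytes; memcached's default when absent is 64.
    mem = opts.get("-m")
    try:
        mem_mb = int(mem) if mem is not None else 64
    except ValueError:
        mem_mb = 0  # unparseable value: treat as failing the check
    if mem_mb < min_memory_mb:
        findings.append(("MEM_BELOW_1GB",
                         "-m %d: below the %d MB the guidance asks for" % (mem_mb, min_memory_mb)))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_memcached_conf(conf) or "OK")
```

To run it against a real host, read `/etc/memcached.conf` and pass its contents to `audit_memcached_conf`; the audit is static, so it reports what the file says, not what the running process is bound to, and a restart (step 7) is still needed before the change takes effect.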
