How To Secure Memcached?
Posted by Arvydas B., Last modified by Arvydas B. on 06 March 2018 01:25 PM

Memcrashed works by exploiting the memcached program. Memcached is an open-source, high-performance, distributed, object-caching system. It's commonly used by social networks such as Facebook and its creator LiveJournal as an in-memory key-value store for small chunks of arbitrary data. It's the program that enables them to handle their massive data I/O. It's also used by many to cache their web-server-session data to speed up their sites -- and that's where the trouble starts.

When a server receives a memcached get request, it collects the requested values from memory to form a response. It then sends over the internet in an uninterrupted stream of multiple UDP packets, each with a length of up to 1,400 bytes.

Attacker can load large values into the data store and then use them in attacks. So, even with just a single megabyte stored value, the attacker uses a spoofed UDP packet request to ask for that 1MB of data to be sent hundreds of times per request over memcached's default 11211 UDP port.

More info about attack:

 So what can you do?

If you're running memcached, according to SANS you should harden your memcached server by taking the following steps:

  1. Open /etc/memcached.conf in a text editor
  2. Locate the -m parameter
  3. Change its value to at least 1GB
  4. Locate the -l parameter
  5. Change its value to or localhost
  6. Save your changes to memcached.conf and exit the text editor
  7. Restart memcached

If you're running memcached, you should also disable UDP support if you are not using it. As a potential victim, you should also close off port 11211.

(0 vote(s))
Not helpful

Comments (0)
Post a new comment
Full Name:
CAPTCHA Verification 
Please enter the text you see in the image into the textbox below (we use this to prevent automated submissions).