Memcached UDP Reflection Attack Vulnerability

Time:2019-4-7

Problem record

At noon today, a colleague responded that a system opened very slowly, thinking it was a computer problem (snickering manually). Open the website, slow even static files are several KB / S speed. This is obviously unreasonable. Check on the server, CPU is normal, memory is normal, Web programs are normal.

The problem of network bandwidth comes to mind. usevnstat -i eth1 -lAt first glance, stunned, the bandwidth reached 162.44 Mbit/s. Isn’t it attacked?

Memcached UDP Reflection Attack Vulnerability

Continue to useiftopSee which program occupies the network.

Memcached UDP Reflection Attack Vulnerability

The discovery of Memcache indicates that there is a problem with Memcache. Our application does not operate on Memcache in many places and there are no exceptions, so it is speculated that Memcache has been attacked, and it is caused by the UDP reflection attack vulnerability which was very popular recently.
So we added the Memcache startup parameter-U 0After restarting, the traffic will be normal. The following is detailed information about the vulnerability and specific solutions.

Vulnerability description

Memcached is a common key/value caching system. Because it has no privilege control module, Memcached services open to the network are easy to be scanned by attackers. This kind of attack mainly uses UDP ports of Memcached protocol to attack. By sending forged IP spoofing requests to Memcached servers which are supported by UDP protocol, Memcached servers send a large number of response messages to the target attack host, thus occupying a large amount of bandwidth resources of the target attack machine, leading to denial of service.

Investigation plan

  1. To test whether the Memcached 11211 UDP port is open to the outside world from the external Internet, use NC tools to test the port, and check whether the memcached process is running on the server, the specific test methods are as follows:

    Test port:Nc-vuz IP address 11211
    Test whether memcached services are open to the public:Telnet IP address 11211If port 11211 is opened, it may be affected
    Check process status:ps -aux | grep memcached

  2. UseEcho-en " X00 X00 X00 X00 X00 X00 X00 X01 X00 x00stats \ r n" | NC u IP address 11211The command looks at the returned content, and if the returned content is not empty, it indicates that the server may be affected.

Vulnerability Solution

  1. If the 11211 UDP port is opened, the UDP 11211 port is blocked by firewall strategy to ensure that the Memcached server and the Internet can not be accessed through UDP.
  2. It is recommended that you add-U 0Parameters and restart memcached service completely disable UDP;
  3. Memcached has officially released a new version that disables UDP 11211 port by default and can be upgraded to the latest version.
  4. Enhance the security of Memcached services in operation, such as: start binding local IP monitoring, prohibit external access, disable UDP protocol, enable login authentication and other security functions, improve the security of Memcached;

Safety Reinforcement Scheme

  1. Regular upgrades, using the latest official version of Memcached
  2. Configuration access control

    Do not publish services to the Internet and be exploited by hackers, you caniptablesConfigure access control rules. For example, inLinuxRunning commands in the environmentiptables -A INPUT -p tcp -s 192.168.0.2 -dport 11211 -j ACCEPTIniptablesAdding this rule only allows192.168.0.2This IP accesses port 11211.

  3. Binding listener IP

    If Memcached is not necessary to be open to the public network, the binding IP address can be specified at Memcached startup as 127.0.0.1. For example, run the following commands in a Linux environment:

    memcached -d -m 1024 -u memcached -l 127.0.0.1 -p 11211 -c 1024 -P /tmp/memcached.pid
  4. Run the Memcached service with a minimum privilege account

    Run with a normal permission account, specifying the Memcached user. For example, run the following commands in a Linux environment to run Memcached:

    memcached -d -m 1024 -u memcached -l 127.0.0.1 -p 11211 -c 1024 -P /tmp/memcached.pid
  5. Enable Authentication Function

    Memcached itself does not do validation access module, Memcached from version 1.4.3, can support SASL authentication.

  6. Modify the default port

    Modify the default 11211 listening port to 11222 port. Run the following commands in a Linux environment:

    memcached -d -m 1024 -u memcached -l 127.0.0.1 -p 11222 -c 1024 -P /tmp/memcached.pid

Reference material

  • [Important Security Early Warning] Memcached is used for UDP reflection attack vulnerability early warning
  • A short story to understand the Memcached vulnerability

Original address: https://shockerli.net/post/me…
For more articles, please visit my personal blog: https://shockerli.net