Memcached exploit

There are many websites which deals with large chunks of data like retrieving postal codes of countries, driving license number where the functionality is based on retrieving the most searched items by storing them in a temporary location. This entire scenario is eased by the use of Memcached.

Memcached is one of the temporary data storage service where the data is stored in chunks of memory called Slabs. Each of the slabs contain multiple items and finally, the actual data is stored in these items in : format.
Memcached was designed as a pooling server and to be used via TCP, whereby the default TCP and UDP port is 11211. The pooling process provides us with large ram space and the data present in the items are stored in the form of hash table distributed over multiple machines present in the pool. When the table is full, new entry is added into the table using least recently used (LRU) order.

The memcached server manages the entire data that is stored by the memcached and it maintains integrity by retrieving the data from that server where it was initially stored. The better part is that memcached does not require the reliability of a database as it layers the requests into the ram before falling into secondary storages. Since it is independent of database it is, therefore, safe from SQL injection, but that is not all. Since every pros comes with cons. Similarly, if the memcached server is not configured properly it could be vulnerable to many attacks, which can be very seriously devastating and dangerous. These misconfigured servers are vulnerable to reflection and amplification denial of service attacks (DDoS) via the internet. The limit of the stored value is user configurable in case of memcached but by default it is set to 1MB.

Exposed memcached server are vulnerable to spoofed UDP packet sent to port 11211, which can request the single 1MB value multiple number of times resulting in a massive traffic and a huge amplification factor and hence the name amplification attack. Another such devastating type of attack is the reflection attack where the attacker instead of forwarding the get request to the client directly forwards it to a host of machines, the machines in response reflects the request to the original clients and hence dump the networks by flooding the requests.

In order to reduce these risk, the network infrastructure and the memcached server should be configured by implementing industry standard best current practices such as binding the memcached to a particular source IP only. The greater the protection taken in running the memcached services (like strong firewalls) the lesser is the risk of addition, deletion and updating of the data.

This article is attributed to GeeksforGeeks.org

leave a comment



load comments

Subscribe to Our Newsletter