www.belgium.be Logo of the federal government

Memcached key

Description

This report identifies hosts that have the Memcached key-value store running and accessible on the Internet. Since this service does not support authentication, any entity that can access the Memcached instance can have complete control over the key-value store. In addition, instances of Memcached that are accessible via UDP may be abused in amplification-style denial of service attacks.

Assessment

The entries in this report are hosts that have the Memcached service open towards the internet. This service has a serious vulnerability if which has been patched in version 1.5.6. As you can see in the report, there are lots of hosts which expose a Memcached service older than that. This allows an attacker to perform a DoS amplification attack with an amplification factor of up to 51.000 (!). It is fairly easy to identify this service and version, as well as performing a DoS amplification attack. Therefore, the likelihood is high. The impact of a DoS amplification attack is rated high in this case, because of the massive amplification factor.

Recommendations

  • Restrict access to internal networks.
  • If remote access is necessary use a VPN.
  • Deactivate UDP on the memcached server.

References

Shadow Server – Open Memcached Report

Shadow Server – Memcached Scanning Project

Memcached – Homepage

Cloudflare – Memcached DDoS Attack