
Your Memcached instance may be publicly accessible #211

Open
fshmcallister opened this issue Dec 23, 2019 · 12 comments

Comments

@fshmcallister
Contributor

We detected that a Memcached instance on {devices} may be accessible remotely. Consider either blocking port 11211 through the WoTT firewall management tool, or re-configure Memcached to only listen on localhost.

part of #198

@fshmcallister
Contributor Author

fshmcallister commented Dec 24, 2019

TITLE
A Memcached instance may be publicly accessible

reconfigure Memcached

TL;DR
A Memcached instance on [DEVICE(S)] may be accessible remotely. This is likely due to use of a default configuration. Disable UDP connections and traffic by blocking port 11211. Alternatively, reconfigure Memcached to only listen on localhost.

FAQ
Memcached is a popular caching service used to help speed up websites. By default, Memcached enables TCP and UDP protocols for communication. Early in 2018, the UDP communication protocol was exploited with several amplification type DDoS attacks taking place on Memcached instances. Unlike TCP, UDP does not establish a handshake which reduces its overhead but leaves it vulnerable to attack. Popular uses of UDP protocols are VOIP and low-latency online games.

It is important to disable UDP connections to your Memcached service in order to secure your [DEVICE] from amplification attacks. You can do this by blocking port 11211, which UDP uses, in the /etc/sysconfig/memcached file. Alternatively, you can implement a firewall, but it is preferable to remove the need for UDP altogether. Reconfiguring Memcached to exclusively listen on the localhost is the safest option, although this may not be realistic if you wish to allow connections outside your local network. To secure connections from other [DEVICES], configure the Memcached instance to listen to a private IP. Note, these addresses vary by network.

CODE BLOCK (?)

```
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1 -U 0"
```

Change the OPTIONS in memcached config file to match the above. -U 0 blocks all UDP and -l 127.0.0.1 forces memcached to listen to localhost only.

Then restart:

```
$ sudo service memcached restart
```

@fshmcallister
Contributor Author

Again, this might be a good one to do an article on!

@AlEsmail
Contributor

Change title: Memcached instance may be publicly accessible

@fshmcallister
Contributor Author

whoops, thank you

@vpetersson
Collaborator

Unlike TCP, UDP does not establish a handshake which reduces its overhead but leaves it vulnerable to attack. Popular uses of UDP protocols are VOIP and low-latency online games.

This isn't really relevant here. Also, it isn't true that UDP is vulnerable to this. The attack used was due to a number of factors, but the tl;dr for context was that you could send X bytes and have the server send X*N bytes to a spoofed address. More context here

Anyway, we should probably recommend that they switch to TCP and disable UDP (unless they need UDP for some reason) as the remedy.

@fshmcallister
Contributor Author

FAQ
Memcached is a popular caching service used to help speed up websites. By default, Memcached enables TCP and UDP protocols for communication. Early in 2018, the UDP communication protocol was exploited with several amplification type DDoS attacks taking place on Memcached instances. Unlike TCP, UDP does not need to establish a handshake to send data which reduces its overhead but makes it easier to 'spoof.'

We recommend disabling UDP connections to your Memcached service in favour of TCP connections to secure your [DEVICE] from amplification attacks. You can do this by blocking port 11211, which UDP uses, in the /etc/sysconfig/memcached file. Reconfiguring Memcached to exclusively listen on the localhost is the safest option, although this may not be realistic if you wish to allow connections outside your local network. To secure connections from other [DEVICES], configure the Memcached instance to listen to a private IP. Note, these addresses vary by network.

@vpetersson
Collaborator

Let me rewrite this -

Memcached is a popular caching server. By default, Memcached enables TCP and UDP protocols for communication. Early in 2018, an exploit in Memcached's UDP communication was discovered. Using this exploit, an attacker was able to use a publicly exposed Memcached server to relay a payload and attack a 3rd party server/service, leading to large scale attacks across the internet.

We recommend disabling UDP connections to your Memcached service in favor of TCP connections to secure your server(s) from these attacks. You can do this by disabling UDP connections in Memcached's config file (often /etc/sysconfig/memcached). Re-configuring Memcached to exclusively listen on the localhost is the safest option, although this may not be realistic if you wish to allow connections outside your local network. Depending on your network topology, you may be able to configure Memcached to listen on a private IP that is only accessible from the local network.

@fshmcallister
Contributor Author

Your Memcached instance may be accessible remotely. This is likely due to use of a default configuration. Disable UDP connections and traffic by blocking port 11211. Alternatively, reconfigure Memcached to only listen on localhost.

^ does that make sense in its current form?

@vpetersson
Collaborator

Feel free to re-format it. I just wanted to reformat parts of it (e.g calling it a server and not service etc).

@fshmcallister
Contributor Author

Happy with that. Should we keep the code block separate by the way? Separated in the main text I wrote above but we can merge it into the FAQ if you feel it fits better there

@vpetersson
Collaborator

@fshmcallister

Should we keep the code block separate by the way?

let's keep the code block in the "FAQ" section as you did.

Separated in the main text I wrote above but we can merge it into the FAQ if you feel it fits better there

See above. But let's either update the top block or post a new complete post with all the changes.

@fshmcallister
Contributor Author

fshmcallister commented Jan 2, 2020

TITLE
Your Memcached instance may be publicly accessible

TL;DR
Your Memcached instance may be accessible remotely. This is likely due to use of a default configuration. According to [Shodan](https://www.shodan.io/), there are over 57,000 publicly exposed Memcached servers on the internet. We recommend that you reconfigure this service to avoid leaking customer data.

FAQ

Memcached is a popular caching server. By default, many Memcached configurations will listen on all interfaces. This may be desirable in some configurations (e.g. when you have other services on the network that need to talk to Memcached). In that case, we recommend that you create a firewall policy that only allows these servers to access Memcached. If however you only use Memcached locally, we recommend that you reconfigure Memcached to only listen on the loopback (localhost) interface.

We also recommend that you disable UDP (and just use TCP) in Memcached, as in early 2018 an exploit in Memcached's UDP communication was discovered. Using this exploit, an attacker was able to use a publicly exposed Memcached server to relay a payload and attack a 3rd party server/service, leading to large scale attacks across the internet.

To make these changes, edit your Memcached's config file (often `/etc/sysconfig/memcached`) and make sure to have the following under your 'OPTIONS' section:

```
OPTIONS="-l 127.0.0.1 -U 0"
```

* The '-l 127.0.0.1' means that Memcached will only listen on the loopback interface (i.e. only accessible from within the server)
* '-U 0' disables UDP traffic

When done, restart the server by running:

```
$ sudo service memcached restart
```

Code Snippet

None for now.
