Advisory: Bind Memcached to 127.0.0.1 and Disable UDP

On February 27, 2018, Cloudflare posted a story about a severe increase in the volume of memcached amplification attacks. Memcached, a popular object caching system, is frequently used to reduce response times and the load on components throughout a deployment. The amplification attack targets Memcached deployments exposed on the public network using UDP.

Securing Memcached on Ubuntu and Debian Servers

By default, memcached listens on both TCP and UDP. You can verify this with the command below:

#sudo netstat -plunt | grep memcached
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      1243/memcached
udp        0      0 127.0.0.1:11211         0.0.0.0:*                           1243/memcached

To secure this, disable the UDP listener by editing the memcached configuration file (/etc/memcached.conf):

sudo nano /etc/memcached.conf


By default, Ubuntu and Debian bind Memcached to the local interface 127.0.0.1. Installations bound to 127.0.0.1 are not vulnerable to amplification attacks from the network. Check that the -l option is set to this address to confirm the behavior:

/etc/memcached.conf
-l 127.0.0.1
. . .


To disable UDP, add the following line to /etc/memcached.conf:

/etc/memcached.conf
-U 0

When you are finished, save and close the file.

Restart your Memcached service to apply your changes:

sudo service memcached restart

Verify that Memcached is now bound to the local interface and listening only for TCP by typing:

sudo netstat -plunt | grep memcached
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      1891/memcached


You should see memcached bound to the 127.0.0.1 address using only TCP.


Securing Memcached on RHEL and CentOS Servers


For Memcached services running on CentOS and Fedora servers, the service parameters are adjusted by editing the /etc/sysconfig/memcached file with vi, for instance. The netstat output below shows the default state, with memcached listening on all interfaces over both TCP and UDP:


#netstat -plunt | grep memcached
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      1916/memcached
tcp6       0      0 :::11211                :::*                    LISTEN      1916/memcached
udp        0      0 0.0.0.0:11211           0.0.0.0:*                           1916/memcached
udp6       0      0 :::11211                :::*                                1916/memcached

To secure this, bind memcached to 127.0.0.1 and disable the UDP listener by editing the memcached configuration file (/etc/sysconfig/memcached):

vi /etc/sysconfig/memcached


To make memcached listen only on 127.0.0.1 and disable UDP, add (or adjust) the following OPTIONS line in /etc/sysconfig/memcached:

/etc/sysconfig/memcached
OPTIONS="-l 127.0.0.1 -U 0"


When you are finished, save and close the file.

Restart your Memcached service to apply your changes:

sudo service memcached restart


Verify that Memcached is now bound to the local interface and listening only for TCP by typing:


netstat -plunt | grep memcached
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      1946/memcached

You should see memcached bound to the 127.0.0.1 address using only TCP.
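As an added example (not part of the original advisory), the following POSIX shell script automates the verification steps for both the Ubuntu/Debian and the RHEL/CentOS procedures above: one function audits netstat -plunt output for memcached sockets that use UDP or are not bound to 127.0.0.1, and a second checks that a configuration file carries both -l 127.0.0.1 and -U 0 (in either the /etc/memcached.conf line style or the OPTIONS="..." style of /etc/sysconfig/memcached). The sample netstat lines and configuration snippets are constructed from the layouts shown in this advisory; the function names are my own.

```sh
#!/bin/sh
# Added example, not part of the original advisory: audit memcached for the two
# conditions it requires (bound only to 127.0.0.1, no UDP listener).

# check_memcached_sockets: reads "netstat -plunt" style lines on stdin, prints one
# line per memcached socket, and returns 0 only if every memcached socket is TCP
# and bound to 127.0.0.1. Assumed column layout (netstat): proto recv-q send-q
# local-address foreign-address [state] pid/program.
check_memcached_sockets() {
    awk '
        /memcached/ {
            proto = $1; laddr = $4; seen++
            if (proto ~ /^udp/) {
                print "FAIL udp listener: " laddr; bad = 1; next
            }
            if (laddr !~ /^127\.0\.0\.1:/) {
                print "FAIL non-loopback bind: " laddr; bad = 1; next
            }
            print "OK " proto " " laddr
        }
        END {
            if (!seen) print "note: no memcached sockets found"
            exit (bad ? 1 : 0)
        }
    '
}

# conf_hardened: reads configuration text on stdin, either /etc/memcached.conf
# lines ("-l 127.0.0.1", "-U 0") or the OPTIONS="..." line from
# /etc/sysconfig/memcached, ignores comment lines, and returns 0 only when both
# "-l 127.0.0.1" and "-U 0" are present.
conf_hardened() {
    text=$(grep -v '^[[:space:]]*#' || true)
    printf '%s\n' "$text" | grep -Eq '(^|[" ])-l[ =]?127\.0\.0\.1([" ]|$)' || return 1
    printf '%s\n' "$text" | grep -Eq '(^|[" ])-U[ =]?0([" ]|$)' || return 1
}

# Constructed sample: the exposed default state shown for RHEL/CentOS above.
SAMPLE_EXPOSED='tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      1916/memcached
tcp6       0      0 :::11211                :::*                    LISTEN      1916/memcached
udp        0      0 0.0.0.0:11211           0.0.0.0:*                           1916/memcached
udp6       0      0 :::11211                :::*                                1916/memcached'

# Constructed sample: the hardened state after restarting with -l 127.0.0.1 -U 0.
SAMPLE_HARDENED='tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      1946/memcached'

# audit_live: run both checks against the running host. Sockets must pass, and
# at least one of the two distribution config files must be hardened.
audit_live() {
    netstat -plunt 2>/dev/null | check_memcached_sockets || return 1
    for f in /etc/memcached.conf /etc/sysconfig/memcached; do
        [ -r "$f" ] && conf_hardened < "$f" && return 0
    done
    return 1
}

# Invoke as "sh audit.sh --live" on a host; without the flag only the functions
# and constructed samples are defined.
if [ "${1:-}" = "--live" ]; then
    audit_live && echo "memcached: hardened" || echo "memcached: NOT hardened"
fi
```

The socket parser assumes netstat's column order (protocol first, local address fourth); ss -plunt prints its columns in a different order, so the awk field numbers would need adjusting for that tool. The configuration check deliberately ignores commented-out lines, so a "# -U 0" left over from editing does not count as hardened.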