Jigsaw Security utilizes the FirstWatch sensor to protect not only our network and resources but those of our customers. During the last 2 months we have been seeing large numbers of MemCached attacks being used in DDOS (distributed denial of service) operations.
Memcached is an open source tool that puts frequently used data into memory so that it can be access faster. While this is normally a good thing, it is causing big issues for provides that are being attacked by poorly configured or unpatched servers. There are approximately 112000 servers that are publicly facing and vulnerable. This pool of servers is being heavily utilized to carry out denial of service attacks generating traffic at levels never before seen in these attacks.
The biggest issue with MemCached is that it can be accessed by nearly anybody. As such and like other cloud services, it was created for ease of use with no real security options enabled by default.
Seeing Thousands Per Day
We have been observing thousands of probes per day on TCP and UDP port 11211 indicating that attackers are looking for this service. Jigsaw Security protected networks are NOT vulnerable to this attack. Our advanced protection does not allow this service. The number of probes for the service has been fairly stable for the past few months. We fully anticipate that unless the developers of the application change the default configuration, this attack vector will remain for some time.
How to fix your MemCached Servers
Here are the recommendations for fixing the MemCached servers to ensure that your systems are not being abused by malicious actors:
Bind MemCached to a local interface
Disable UDP
Setup firewall rules to protect your servers whenever possible
Here is a good article on how to secure your servers.