Only one week after a massive DDoS attack knocked GitHub offline, a new attack dubbed “Memcrash” used the same methods to hack a U.S. service provider by targeting memcached servers. In this case, in which almost 100,000 memcached servers were attacked, the hackers used the memcached protocol, which allowed them to target UDP port 11211. Unsecured, publicly exposed ports enabled the hackers to implant large payloads on an exposed memcached server. As with most attacks, once in, damage can be done swiftly.
The magnitude of this kind of attack is something we just haven’t seen before. Because memcached is specifically designed to cache databases so websites and networks can speed up performance, it can also dramatically amplify attack traffic, by a factor of as much as 51,000.
By attacking UDP port 11211, attackers were able to implant a large payload on an exposed memcached server. The attacker then sends a spoofed “get” request whose source IP is the target’s address, so the server’s large response is delivered to the target rather than to the attacker. The lesson for any organization running memcached servers is, among other things, that it is critical both to be rigorous in making authentication controls and passwords mandatory and to use purpose-built controls to ensure UDP port 11211 is not exposed publicly.
From what we can tell now, AWS ElastiCache is most likely not affected by this attack, and even in cases where it is, the risk is very low. Even if the Security Groups attached to an ElastiCache cluster allowed public access (allow 0.0.0.0/0), ElastiCache clusters do not have a public IP address and therefore cannot be reached from outside the VPC.
Any organization running a memcached server should do two things: first, run AWS ElastiCache inside a VPC; and second, employ the Evident.io custom signature, which will help you ensure that your memcached instances/clusters are not exposed.
Use our Evident.io custom signature to ensure that all of your ElastiCache clusters are deployed in a VPC. If you deploy your own memcached servers/clusters on EC2, you can ensure that they’re not vulnerable by copying and customizing one of our security group port check signatures (steps below):
- Go to ESP > Control Panel (top right corner)
- Select Signatures from the left navigation menu
- Click on “Search (Close)”
- In the Name field, enter “Global Admin Port Access” and hit “Search”
- Click on “Copy and Customize”
You want to change the options (line 46) to something like:
If you use custom ports, you can add your custom port to the list.
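As an added example (not Evident.io’s signature code), here is a standalone Python check of the kind such a signature performs: given security groups in the shape returned by the EC2 DescribeSecurityGroups API, it flags rules that expose port 11211 to 0.0.0.0/0 or ::/0, including “all traffic” rules and port ranges that happen to cover 11211. The group IDs and rules are constructed sample data, and the port list is where custom ports would be added.

```python
# Added example (not Evident.io's own signature code): flag EC2 security group
# rules that expose memcached's port 11211 (or any custom port you add) to the
# whole Internet. Input dicts are shaped like EC2 DescribeSecurityGroups output.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
MEMCACHED_PORTS = [11211]          # append custom ports here, e.g. [11211, 11212]

def rule_covers_port(rule, port):
    """True if an IpPermissions entry can carry traffic to `port` over TCP or UDP."""
    proto = str(rule.get("IpProtocol", ""))
    if proto == "-1":              # "all traffic" rules carry no FromPort/ToPort
        return True
    if proto not in ("tcp", "udp", "6", "17"):
        return False               # e.g. icmp cannot reach a memcached listener
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def rule_is_world_open(rule):
    """True if any IPv4 or IPv6 source range in the rule is the whole Internet."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in cidrs)

def exposed_memcached_rules(group, ports=MEMCACHED_PORTS):
    """Return (group_id, protocol, port) for each world-open rule reaching a memcached port."""
    findings = []
    for rule in group.get("IpPermissions", []):
        if not rule_is_world_open(rule):
            continue
        for port in ports:
            if rule_covers_port(rule, port):
                findings.append((group["GroupId"], rule.get("IpProtocol"), port))
    return findings

# Constructed sample groups (not real AWS data): three exposed, one correctly scoped.
SAMPLE_GROUPS = [
    {"GroupId": "sg-open-udp", "IpPermissions": [{"IpProtocol": "udp", "FromPort": 11211,
        "ToPort": 11211, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-open-range", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 10000,
        "ToPort": 20000, "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-open-all", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-ok", "IpPermissions": [{"IpProtocol": "udp", "FromPort": 11211,
        "ToPort": 11211, "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(g["GroupId"], exposed_memcached_rules(g) or "ok")
```

In a real account the same functions run unchanged over the `SecurityGroups` list returned by boto3’s `describe_security_groups`; the group whose rule is scoped to 10.0.0.0/16 is the shape to aim for.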
Stay safe out there. If you need help, just reach out.