Description
This report identifies hosts that have the Memcached key-value store running and accessible on the Internet. Since this service does not support authentication, any entity that can access the Memcached instance can have complete control over the key-value store. In addition, instances of Memcached that are accessible via UDP may be abused in amplification-style denial of service attacks.
Assessment
The entries in this report are hosts that have the Memcached service open towards the internet. This service has a serious vulnerability which was patched in version 1.5.6. As the report shows, many hosts expose a Memcached service older than that. This allows an attacker to perform a DoS amplification attack with an amplification factor of up to 51,000 (!). Identifying the service and its version, and carrying out such an amplification attack, requires little effort, so the likelihood is rated high. The impact of a DoS amplification attack is rated high in this case because of the massive amplification factor.
Recommendations
- Restrict access to internal networks.
- If remote access is necessary use a VPN.
- Deactivate UDP on the memcached server.
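The following is an added example, not part of the original report, that turns the three recommendations and the 1.5.6 threshold into a config audit a defender can run against their own hosts. It assumes a Debian-style /etc/memcached.conf (one option per line, e.g. "-l 127.0.0.1", "-U 0"), and the sample configurations and version replies below are constructed for illustration.

```python
import ipaddress
import re

# Added example (not from the original report): audit a memcached
# configuration against the report's recommendations. Version threshold
# from the report: 1.5.6, the release that turned UDP off by default.
PATCHED_VERSION = (1, 5, 6)

# Constructed sample: a weak Debian-style /etc/memcached.conf (no -l, no -U).
WEAK_CONF = """# memcached default config (constructed sample)
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
"""

# Constructed sample: the same config after applying the recommendations.
HARDENED_CONF = """# memcached hardened config (constructed sample)
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 127.0.0.1,10.0.0.5   # loopback plus one internal interface only
-U 0                    # disable UDP entirely
"""


def parse_memcached_conf(text):
    """Return option -> value for lines such as '-U 0' or '-l 10.0.0.5'.
    '#' comments and blank lines are skipped; a bare flag maps to ''.
    Repeated -l lines are joined, as memcached itself accumulates them."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else '')
        if key == '-l' and key in opts:
            opts[key] = opts[key] + ',' + value
        else:
            opts[key] = value
    return opts


def parse_version(version_line):
    """Parse the 'VERSION 1.4.25' reply to the 'version' command (or a bare
    '1.4.25' string) into a comparable tuple; ValueError on anything else."""
    m = re.match(r'^\s*(?:VERSION\s+)?(\d+)\.(\d+)\.(\d+)', version_line)
    if not m:
        raise ValueError('unrecognised version reply: %r' % version_line)
    return tuple(int(x) for x in m.groups())


def udp_enabled(opts, version):
    """UDP is off only with '-U 0'. Without -U the default depends on the
    build: on (port 11211) before 1.5.6, off from 1.5.6 onwards."""
    if '-U' in opts:
        return opts['-U'] != '0'
    return version < PATCHED_VERSION


def _strip_port(addr):
    addr = addr.strip()
    if addr.startswith('['):           # [v6addr]:port
        return addr[1:addr.index(']')]
    if addr.count(':') == 1:           # v4addr:port
        return addr.split(':')[0]
    return addr                        # bare v4 or v6 address


def exposed_listeners(opts):
    """Configured listen addresses that are not loopback/private; no -l at
    all means every interface. Hostnames are returned for manual review."""
    if not opts.get('-l'):
        return ['0.0.0.0']
    exposed = []
    for item in opts['-l'].split(','):
        host = _strip_port(item)
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            exposed.append(host)
            continue
        if ip.is_unspecified or ip.is_global:
            exposed.append(host)
    return exposed


def audit(conf_text, version_line):
    """Return a list of findings; an empty list means all three
    recommendations are met and the version is at or above 1.5.6."""
    version = parse_version(version_line)
    opts = parse_memcached_conf(conf_text)
    findings = []
    if version < PATCHED_VERSION:
        findings.append('version %d.%d.%d predates 1.5.6: upgrade' % version)
    if udp_enabled(opts, version):
        findings.append('UDP enabled: set "-U 0" (amplification vector)')
    exposed = exposed_listeners(opts)
    if exposed:
        findings.append('listening on non-private address(es) %s: bind to '
                        'internal interfaces and firewall port 11211'
                        % ', '.join(exposed))
    return findings


if __name__ == '__main__':
    for name, conf, ver in (('weak', WEAK_CONF, 'VERSION 1.4.25'),
                            ('hardened', HARDENED_CONF, 'VERSION 1.6.9')):
        print(name, audit(conf, ver) or 'OK')
```

Feed it the host's real config file and the reply to the `version` command collected from localhost; any non-empty finding list maps directly to one of the recommendations above. Note that binding to a private address still leaves the service reachable from that network, so the "restrict access" item also needs a firewall rule for port 11211.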
References
Memcached – Homepage
Cloudflare – Memcached DDoS Attack