KNOWNHOST WIKI

developmental:memcrashed-what-is-it-memcache, revisions 2018/12/17 19:26 by Daniel P. and 2020/05/13 13:25 by Karson N.
====== Memcrashed: Installing Memcached and Securing Against the Memcached Vulnerability ======
  
===== Memcached =====
  
Memcached is an in-memory object caching system for speeding up dynamic web applications. It is open source and is designed to handle a large number of open connections. The results of database calls, API calls, or page rendering are a few examples of the arbitrary data that is kept in memory to reduce database load, which is why it has been so popular for caching. That popularity also means its potential for use as an attack vector is greater, simply because more instances are available to weaponize.
  
===== Memcrashed =====
  
A critical vulnerability in Memcached was discovered in February 2018 that allows attackers to launch powerful DDoS amplification attacks. (( https://nvd.nist.gov/vuln/detail/CVE-2018-1000115 )) This vulnerability has been described as a "new chapter in DDoS attack executions" by Ashley Stephenson, CEO of Corero Network Security, the security company that found a 'kill-switch' for these attacks. Here is the complete statement:
  
 “Memcached represents a new chapter in DDoS attack executions. Previously, the most recent record-breaking attacks were being orchestrated from relatively low bandwidth Internet of Things (IoT) devices. In contrast, these Memcached servers are typically connected to higher bandwidth networks and, as a result of high amplification factors, are delivering data avalanches to crippling effect. Unless operators of Memcached servers take action, these attacks will continue.” (( https://www.corero.com/company/newsroom/press-releases/corero-network-security-discovers-memcached-ddos-attack-kill-switch-and-also-reveals-memcached-exploit-can-be-used-to-steal-or-corrupt-data/ ))
  
  
We've done a great job taking care of this threat overall as a community, but there is still work to be done. Earlier reports put the number of vulnerable servers at approximately 95,000 to 100,000. We must remain proactive in identifying these servers and securing them!
  
===== Getting Amp'd =====
  
These numbers make it easy to understand why Memcrashed is worrisome and potentially devastating for those who have not secured against it. (( https://christian-rossow.de/articles/Amplification_DDoS.php )) (( https://www.us-cert.gov/ncas/alerts/TA14-017A ))
  
  
===== Memcrashed "Kill-Switch" and Data Theft and/or Corruption =====

  service memcached restart
  
===== What Can I Do?  =====
  
If you are concerned about your Memcached installation, please don't hesitate to open a ticket with Knownhost support so we can check the version and patch/upgrade if necessary.
  
===== How Can I Secure My Memcached Installation By Editing the Existing Configuration?  =====
  
First, check whether your Memcached installation is vulnerable. You can do this by checking whether the configuration either disables UDP or binds Memcached to localhost. Either change removes the amplification vector; doing both is preferred. Below, we first see an insecure instance of Memcached:
  
{{:developmental:memcached-process.png?nolink&1200|}}
  
Memcached versions prior to 1.5.6 listen on all interfaces (INADDR_ANY) and enable UDP by default, so a default installation of any version older than 1.5.6 is vulnerable whenever port 11211 is reachable from the Internet. Version 1.5.6 changed the default so that UDP is disabled unless it is explicitly enabled with the -U option; it still listens on all interfaces by default, so binding to localhost and firewalling port 11211 remain good practice on any version.

To secure Memcached by binding it to localhost, edit its configuration file. In default installations prior to version 1.5.6 the file reads as follows:
  
{{:developmental:securing-memcached-before.png?nolink&900|}}
  
Now compare the image below, taken after I bound Memcached to localhost:
  
{{:developmental:securing-memcached-after.png?nolink&900|}}
  
Restart Memcached:

Check the process now:
  
{{:developmental:a-secured-memcached-process.png?nolink&1200|}}
  
We also need to make sure that port 11211 is closed in the firewall:
  
{{:developmental:good-memcached-port-not-open-in-fw.png?nolink&1200|}}
  
This shows that port 11211 is closed for both incoming and outgoing UDP and TCP traffic.

Here is the insecure memcached installation:
  
{{:developmental:my-insecure-memcached-netstat.png?nolink&900|}}
  
The following shows where I've edited the file to set both options (bind to localhost and disable UDP):
  
{{:developmental:preferred_memcached_config.png?nolink&900|}}
  
After restarting memcached with the command 'service memcached restart', I can see that my Memcached installation is secured because it is listening only on localhost and UDP is disabled:
  
{{:developmental:my-secured-memcached-netstat.png?nolink&900|}}
  
My running memcached process shows all the options set that indicate that the daemon is secured:
  
{{:developmental:current-running-process-shows-as-secured.png?nolink&1200|}}
  
TCP is not currently considered a high-risk Memcached amplification vector, because TCP queries are far harder to spoof than UDP queries: the attacker would also have to forge the TCP header fields that track connection state. Sending a spoofed TCP segment that completes the handshake requires guessing the server's initial sequence number, which cannot be done reliably. (( http://seclists.org/basics/2007/Jul/59 )) Note that this only covers amplification; an exposed TCP listener still lets anyone on the network read, overwrite or flush the cache, which is why binding to localhost and firewalling the port still matter even with UDP disabled.
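As an added example (not code from the original page), the following Python script applies the check described in this section to the OPTIONS line of /etc/sysconfig/memcached: it parses the -l/--listen and -U/--udp-port flags, applies the version-dependent UDP default (11211 before 1.5.6, 0 from 1.5.6 on) and reports whether the daemon is bound to loopback only with UDP disabled. The two sysconfig samples are constructed to resemble the stock CentOS 7 file and the hardened version shown in the screenshots above; that the stock file ships with an empty OPTIONS line, and the default version string 1.4.15, are assumptions.

```python
"""Audit memcached's OPTIONS line for the two Memcrashed mitigations shown
above: listen on loopback only (-l 127.0.0.1) and disable UDP (-U 0).
Added example, not code from the original page."""
import ipaddress
import os
import shlex
import sys

# Constructed samples modelled on /etc/sysconfig/memcached on CentOS 7.
# That the stock file ships with OPTIONS="" is an assumption here.
INSECURE_SYSCONFIG = """PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS=""
"""
SECURE_SYSCONFIG = INSECURE_SYSCONFIG.replace(
    'OPTIONS=""', 'OPTIONS="-l 127.0.0.1 -U 0"')


def version_tuple(version):
    """'1.4.15-10.el7' -> (1, 4, 15), comparable with (1, 5, 6)."""
    core = version.split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def _strip_port(addr):
    """-l accepts addr[:port]; keep only the address part."""
    if addr.startswith("["):                 # [::1]:11211
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:                 # 127.0.0.1:11211
        return addr.split(":", 1)[0]
    return addr                              # bare IPv4, IPv6 or hostname


def _is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:                       # a hostname other than localhost
        return False


def audit_options(options, version):
    """Parse -l/--listen and -U/--udp-port from a memcached OPTIONS string.

    The effective UDP port follows the daemon's defaults: 11211 before
    1.5.6, 0 (UDP off) from 1.5.6 on.  No -l at all means INADDR_ANY."""
    listen, udp_port = [], None
    args = shlex.split(options)
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-l", "--listen"):
            i += 1
            listen += args[i].split(",")
        elif arg.startswith("--listen="):
            listen += arg[len("--listen="):].split(",")
        elif arg.startswith("-l"):
            listen += arg[2:].split(",")
        elif arg in ("-U", "--udp-port"):
            i += 1
            udp_port = int(args[i])
        elif arg.startswith("--udp-port="):
            udp_port = int(arg[len("--udp-port="):])
        elif arg.startswith("-U"):
            udp_port = int(arg[2:])
        i += 1
    if udp_port is None:
        udp_port = 11211 if version_tuple(version) < (1, 5, 6) else 0
    addrs = [_strip_port(a.strip()) for a in listen if a.strip()]
    loopback_only = bool(addrs) and all(_is_loopback(a) for a in addrs)
    udp_disabled = udp_port == 0
    return {"listen": addrs, "udp_port": udp_port,
            "loopback_only": loopback_only, "udp_disabled": udp_disabled,
            "secure": loopback_only and udp_disabled}


def audit_sysconfig(text, version):
    """Find the OPTIONS= line in sysconfig-style content and audit it."""
    options = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("OPTIONS="):
            options = " ".join(shlex.split(line[len("OPTIONS="):]))
    return audit_options(options, version)


if __name__ == "__main__":
    # Usage: memcached_audit.py [version] [path]; without a readable file the
    # constructed before/after samples are audited instead.
    version = sys.argv[1] if len(sys.argv) > 1 else "1.4.15"
    path = sys.argv[2] if len(sys.argv) > 2 else "/etc/sysconfig/memcached"
    if os.path.exists(path):
        with open(path) as fh:
            print(path, audit_sysconfig(fh.read(), version))
    else:
        for name, cfg in (("before", INSECURE_SYSCONFIG), ("after", SECURE_SYSCONFIG)):
            print(name, audit_sysconfig(cfg, version))
```

Pass the version reported by the daemon (for example from the telnet 'version' check) as the first argument: on a pre-1.5.6 build an OPTIONS line that binds to localhost but omits -U 0 is reported as still serving UDP, while on 1.5.6 or later an empty OPTIONS line is reported as UDP-off but still bound to every interface.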
  
  
===== Installing and Securing Memcached for EasyApache 4 CentOS 7/CPanel Servers: Everything You Need to Know =====

Now check which version is installed by connecting with telnet, as shown in the screenshot below, using the command "telnet localhost 11211". Once connected, type 'version' and press //Enter//, and the Memcached version will be returned. If the version is less than 1.5.6, you will need to secure your memcached installation by following the steps below.
  
{{:developmental:memcached-insecure-version-installed-via-yum.png?nolink&800|}}
  
Now, to secure the installation, use nano to edit the file /etc/sysconfig/memcached:

As always, if you have any questions or any trouble with this installation on your Knownhost server, please open a support request and we'll be glad to help!
  
===== cPanel and Memcached =====
  
Note that, at the time of writing, cPanel has memcached and memcache RPMs in its experimental EasyApache 4 repositories. (( https://features.cpanel.net/topic/memcached-in-easyapache4 )) These are not yet secured via SASL authentication, but the statement in the feature request indicates that cPanel plans to use SASL to secure Memcached. You may want to watch for these packages to be moved into the stable repository so that you can replace your Memcached installation with a cPanel-supported one when that time comes. Until then, make sure to either use a later version of Memcached, or open a ticket with Knownhost so that we can secure it for you.
  
developmental/memcrashed-what-is-it-memcache.txt · Last modified: 2020/05/29 12:01 by Karson N.