On March 6, 2018, Alibaba Cloud Security Center discovered that attackers were exploiting a Memcached service vulnerability to launch malicious attacks on the Internet. If Memcached is running with UDP enabled (the default in earlier versions) and no access control is configured, attackers can abuse the service, consuming bandwidth or CPU resources in the outbound direction.
Alibaba Cloud ApsaraDB for Memcache does not use UDP and is therefore not affected by this vulnerability by default. We recommend that you check your own services and start emergency troubleshooting.
Affected: Memcached services that are created by users and that expose Memcached UDP Port 11211 to the Internet.
Follow these steps to perform troubleshooting:
Test from the Internet whether Memcached UDP Port 11211 is reachable. You can use the nc tool to test the port, and then check whether the Memcached process is running on the server. The test method is as follows:
Run the following command to test the UDP port:
nc -vuz <IP address> 11211
Run the following command to test whether the Memcached TCP service is exposed to the Internet:
telnet <IP address> 11211
If Memcached UDP Port 11211 is reachable from the Internet, the server may be vulnerable.
Run the following command on the server to check the process status:
ps -aux | grep memcached
Run the following command and view the returned message:
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -u <IP address> 11211
If the returned message is not empty, your server may be vulnerable.
If you are using the Memcached service and UDP Port 11211 is reachable from the Internet, we recommend that you block UDP Port 11211 in the Internet inbound direction by setting a security group policy or other firewall policy on your ECS instance, according to your service requirements. The Memcached server and the Internet then cannot communicate over UDP.
We recommend that you add the -U 0 parameter to the Memcached start command and restart the Memcached service to disable UDP completely.
Memcached has released the latest version in which Memcached UDP Port 11211 is disabled by default. We recommend that you upgrade Memcached to the latest version 1.5.6. The sha value used for file integrity verification is
We recommend that you perform security hardening on the running Memcached service.
For example, bind the listener to a local IP address, block access from the Internet, disable UDP, and enable security features such as logon authentication to improve Memcached security. For more information, see Memcached service security hardening.
Follow these steps to verify the server repair measures:
If you have blocked TCP Port 11211 from the Internet, run the following command on a computer on the Internet, such as an office computer:
telnet <IP address> 11211
If a message indicating a connection failure is returned, TCP Port 11211 has been blocked successfully.
If you have disabled Memcached UDP, run the following command to check whether Memcached UDP has been disabled successfully:
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -u <IP address> 11211
If the returned message is empty, Memcached UDP has been disabled successfully on your server. You can also run the following command on the server to check whether Memcached UDP Port 11211 is in the listening state:
netstat -an | grep udp
If the port is not in the listening state, Memcached UDP has been disabled successfully.
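The two local checks above (the netstat listener check and the -U 0 start parameter) can be scripted so that the result is unambiguous. The following is an added example, not Alibaba Cloud's own tooling; it parses captured netstat -an and ps output, and the sample output embedded below is constructed for illustration.

```python
import shlex

MEMCACHED_PORT = 11211
LOOPBACK = {"127.0.0.1", "::1"}


def exposed_udp_sockets(netstat_output, port=MEMCACHED_PORT):
    """Local addresses of UDP sockets on `port` bound beyond loopback, parsed from
    `netstat -an` lines (proto, recv-q, send-q, local, foreign). 0.0.0.0 and ::
    mean "every interface" and therefore count as exposed."""
    exposed = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("udp"):
            continue
        addr, _, lport = fields[3].rpartition(":")
        if lport == str(port) and addr not in LOOPBACK:
            exposed.append(addr)
    return exposed


def udp_disabled_by_flag(memcached_cmdline):
    """True only when the command line carries `-U 0` (UDP port 0 = UDP off).

    An absent flag is reported as False: before 1.5.6 UDP is on by default,
    so on an unknown version only the explicit flag proves it is off.
    """
    args = shlex.split(memcached_cmdline)
    for i, arg in enumerate(args):
        if arg == "-U" and i + 1 < len(args):
            return args[i + 1] == "0"
        if arg.startswith("-U") and len(arg) > 2:  # joined form, e.g. -U0
            return arg[2:] == "0"
    return False


# Constructed sample output, as netstat -an and ps would show on an unhardened host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:11211           0.0.0.0:*
udp6       0      0 :::11211                :::*
udp        0      0 127.0.0.1:323           0.0.0.0:*
"""
SAMPLE_CMDLINE = "/usr/bin/memcached -m 64 -p 11211 -u memcache"
HARDENED_CMDLINE = "/usr/bin/memcached -m 64 -p 11211 -U 0 -l 127.0.0.1 -u memcache"

print(exposed_udp_sockets(SAMPLE_NETSTAT), udp_disabled_by_flag(HARDENED_CMDLINE))
```

On a real server, feed the output of netstat -an and the memcached line from ps -aux into these functions; an empty list from exposed_udp_sockets together with True from udp_disabled_by_flag matches the "disabled successfully" state described above.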