8.7. Securing the Memcached service
To secure the Memcached caching service against denial-of-service (DoS) attacks and unauthorized access, configure it to accept only local traffic and enable user authentication. This prevents DDoS amplification and ensures only authorized clients access stored data.
Memcached is an open source, high-performance, distributed memory object caching system. It can improve the performance of dynamic web applications by lowering database load.
Memcached is an in-memory key-value store for small chunks of arbitrary data, such as strings and objects, from results of database calls, API calls, or page rendering. Memcached allows assigning memory from underutilized areas to applications that require more memory.
In 2018, DDoS amplification attacks that exploited Memcached servers exposed to the public internet were discovered. These attacks took advantage of Memcached communication that uses the UDP protocol for transport. The attack was effective because of the high amplification ratio, where a request with the size of a few hundred bytes could generate a response of a few megabytes or even hundreds of megabytes in size.
In most situations, you do not need to expose the memcached service to the public internet. Public exposure might cause security problems, making it possible for remote attackers to leak or modify information stored in Memcached.
8.7.1. Memcached hardening against DDoS attacks
Harden the Memcached service against distributed denial-of-service (DDoS) attacks. This helps prevent attackers from overwhelming the service and degrading performance.
To mitigate security risks, perform as many of the following steps as applicable for your configuration:
1. Configure a firewall in your LAN. If your Memcached server should be accessible only in your local network, do not route external traffic to ports used by the memcached service. For example, remove the default port 11211 from the list of allowed ports:

    # firewall-cmd --remove-port=11211/udp
    # firewall-cmd --runtime-to-permanent

2. If you use a single Memcached server on the same machine as your application, set up memcached to listen to localhost traffic only. Modify the OPTIONS value in the /etc/sysconfig/memcached file:

    OPTIONS="-l 127.0.0.1,::1"

3. Enable Simple Authentication and Security Layer (SASL) authentication:

   a. Modify or add the /etc/sasl2/memcached.conf file:

    sasldb_path: /path.to/memcached.sasldb

   b. Add an account in the SASL database:

    # saslpasswd2 -a memcached -c cacheuser -f /path.to/memcached.sasldb

   c. Ensure that the database is accessible for the memcached user and group:

    # chown memcached:memcached /path.to/memcached.sasldb

   d. Enable SASL support in Memcached by adding the -S value to the OPTIONS parameter in the /etc/sysconfig/memcached file:

    OPTIONS="-S"

   e. Restart the Memcached server to apply the changes:

    # systemctl restart memcached

   f. Add the username and password created in the SASL database to the Memcached client configuration of your application.

4. Encrypt communication between Memcached clients and servers with TLS:

   a. Enable encrypted communication between Memcached clients and servers with TLS by adding the -Z value to the OPTIONS parameter in the /etc/sysconfig/memcached file:

    OPTIONS="-Z"

   b. Add the certificate chain file path in the PEM format using the -o ssl_chain_cert option.

   c. Add a private key file path using the -o ssl_key option.
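The following script is an added example, not part of the Red Hat guide: it audits the OPTIONS line of an /etc/sysconfig/memcached-style file for the settings from steps 2 to 4 (loopback-only listener, SASL, TLS with its certificate chain and key). It assumes the OPTIONS="..." form shown above and uses constructed sample files rather than a real system configuration.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): check an /etc/sysconfig/memcached-style
# file for the hardening settings described in the section above. Assumes the
# OPTIONS="..." form the guide uses.

# extract_options FILE: print the value inside the last OPTIONS="..." line.
extract_options() {
    sed -n 's/^OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# audit_memcached_options FILE: print PASS/FAIL per check; exit status 0 only
# when every check passes.
audit_memcached_options() {
    opts=$(extract_options "$1")
    rc=0
    # 1. Listener restricted to loopback: every -l address must be 127.0.0.1 or ::1.
    listen=$(printf '%s\n' "$opts" | sed -n 's/.*-l \([^ ]*\).*/\1/p')
    if [ -z "$listen" ]; then
        echo "FAIL: no -l option, memcached listens on all interfaces"; rc=1
    elif printf '%s\n' "$listen" | tr ',' '\n' | grep -vxqF -e 127.0.0.1 -e ::1; then
        echo "FAIL: -l includes a non-loopback address ($listen)"; rc=1
    else
        echo "PASS: listener restricted to loopback ($listen)"
    fi
    # 2. SASL authentication.
    case " $opts " in
        *" -S "*) echo "PASS: SASL authentication enabled (-S)" ;;
        *) echo "FAIL: SASL authentication not enabled (-S missing)"; rc=1 ;;
    esac
    # 3. TLS, which also needs the certificate chain and key passed via -o.
    case " $opts " in
        *" -Z "*)
            case "$opts" in
                *ssl_chain_cert=*ssl_key=*|*ssl_key=*ssl_chain_cert=*)
                    echo "PASS: TLS enabled with ssl_chain_cert and ssl_key" ;;
                *) echo "FAIL: -Z set but ssl_chain_cert and ssl_key not both given"; rc=1 ;;
            esac ;;
        *) echo "FAIL: TLS not enabled (-Z missing)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (not real system configuration) showing both outcomes.
tmp=$(mktemp -d)
printf 'OPTIONS="-l 127.0.0.1,::1 -S -Z -o ssl_chain_cert=/path.to/chain.pem,ssl_key=/path.to/key.pem"\n' > "$tmp/hardened"
printf 'OPTIONS="-l 0.0.0.0"\n' > "$tmp/default"
for f in "$tmp/hardened" "$tmp/default"; do
    echo "== $f"
    audit_memcached_options "$f" || echo "=> needs hardening"
done
rm -rf "$tmp"
```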