Memcrashed works by exploiting the memcached program. Memcached is an open-source, high-performance, distributed, object-caching system. It's commonly used by social networks such as Facebook and its creator LiveJournal as an in-memory key-value store for small chunks of arbitrary data. It's the program that enables them to handle their massive data I/O. It's also used by many to cache their web-server-session data to speed up their sites -- and that's where the trouble starts.
When a server receives a memcached get request, it collects the requested values from memory to form a response, then sends that response over the internet as an uninterrupted stream of multiple UDP packets, each up to 1,400 bytes long.
An attacker can load large values into the data store and then use them in attacks. So even with a single stored value of just one megabyte, a spoofed UDP request can ask for that 1MB of data to be sent hundreds of times per request over memcached's default UDP port, 11211.
More information about the attack: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
So what can you do?
If you're running memcached, according to SANS you should harden your memcached server by taking the following steps:
- Open /etc/memcached.conf in a text editor
- Locate the -m parameter
- Change its value to at least 1GB
- Locate the -l parameter
- Change its value to 127.0.0.1 or localhost
- Save your changes to memcached.conf and exit the text editor
- Restart memcached
If you're running memcached, you should also disable UDP support if you aren't using it. As a potential victim, you should close off port 11211 as well.
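A quick audit of those settings, as an added example that is not SANS's or memcached's own tooling: it assumes a Debian-style memcached.conf with one option per line, and it also checks the -U option, since -U 0 is how the UDP listener is switched off in that file.

```shell
#!/bin/sh
# audit_memcached_conf: check a Debian-style memcached.conf (one option per
# line) against the hardening steps above. Hypothetical helper added for
# this page, not a SANS or memcached tool. Exit 0 = hardened, 1 = weak.
audit_memcached_conf() {
    conf="$1"
    weak=0
    # -l: listen address must be loopback, otherwise the daemon is reachable
    # from the network and usable as a reflector
    listen=$(sed -n 's/^[[:space:]]*-l[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    case "$listen" in
        127.0.0.1|localhost|::1) echo "OK   -l $listen (loopback only)" ;;
        "") echo "WEAK -l unset: memcached listens on all interfaces"; weak=1 ;;
        *)  echo "WEAK -l $listen: reachable from the network"; weak=1 ;;
    esac
    # -U: UDP port; 0 disables the UDP listener that the amplification abuses
    udp=$(sed -n 's/^[[:space:]]*-U[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    case "$udp" in
        0)  echo "OK   -U 0 (UDP disabled)" ;;
        "") echo "WEAK -U unset: UDP may be on (older releases enable it by default)"; weak=1 ;;
        *)  echo "WEAK -U $udp: UDP enabled"; weak=1 ;;
    esac
    # -m: memory limit in MB; the steps above call for at least 1GB
    mem=$(sed -n 's/^[[:space:]]*-m[[:space:]]\{1,\}\([0-9]*\).*/\1/p' "$conf" | tail -n 1)
    if [ -n "$mem" ] && [ "$mem" -ge 1024 ]; then
        echo "OK   -m ${mem}MB"
    else
        echo "WEAK -m ${mem:-unset}: below 1GB"; weak=1
    fi
    return $weak
}

# Constructed sample resembling a stock config before hardening
sample=$(mktemp)
cat > "$sample" <<'EOF'
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 0.0.0.0
EOF
audit_memcached_conf "$sample" || echo "hardening needed: edit -l, -U and -m, then restart memcached"
rm -f "$sample"
```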