Open port 11211: Memcached
What this means
Memcached is a high-performance, distributed memory caching system used to speed up dynamic web applications by reducing database load.
By default the memcached daemon listens on TCP port 11211 (and, in versions before 1.5.6, also on UDP port 11211) on every network interface, with no authentication unless it was built and started with SASL support. It is designed for use only inside a trusted network.
An “open” Memcached port means that this service is reachable from an untrusted network, often the whole internet, without access controls, so anyone who can connect can talk to it.
Why this is a problem
Because Memcached does not authenticate clients, anyone who can reach the port can read, write and delete cached data and issue administrative commands such as flush_all. If an instance is reachable from the internet, or from untrusted parts of an internal network, this can lead to:
- DDoS amplification: the UDP interface answers a small request, which can be sent with a spoofed source address, with a response many times larger (factors in the tens of thousands were seen in the 2018 attacks), letting attackers flood a victim with traffic that appears to come from your server
- unauthorised data access: if the application caches sensitive data such as session tokens, user records or query results, an attacker can enumerate keys (for example with stats cachedump or lru_crawler metadump) and read their values, causing a data leak
- server resource exhaustion: an attacker can fill the cache with junk until legitimate entries are evicted, or wipe it with flush_all, so every request falls through to the database the cache was meant to protect, causing slowdowns or outages
How to check if the problem is there
Check open Memcached ports
Run the following command to check whether anything is listening on port 11211, then look at the local address column: 127.0.0.1:11211 (or ::1) is reachable only from the host itself, while 0.0.0.0:11211, :::11211 or *:11211 means the port is bound on every interface.
Windows (Command Prompt):
netstat -an | find ":11211"
Linux (Terminal):
sudo ss -tulnp | grep ":11211"
(use sudo netstat -tulnp | grep ":11211" on systems that still ship netstat)
Mac (Terminal):
sudo lsof -nP -i :11211
To confirm exposure from an attacker's point of view, repeat the check from a different host: echo stats | nc -w 2 <host> 11211 should print nothing or time out; a list of STAT lines means the service answers that network without authentication.
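The checks above as a small script, added here as an example and not code from the original page or the Memcached project. classify_listener turns one row of ss/netstat output into loopback, exposed or none, scan_local runs it over this host's socket table, and probe_memcached asks a remote host for stats over TCP and over UDP (the amplification vector). It assumes Linux-style address:port columns (macOS netstat prints address.port instead) and an nc that accepts -u and -w; the hostnames and sample rows are constructed.

```shell
#!/bin/sh
# Added example for this page, not code from the original article or from the
# Memcached project. Two checks:
#   classify_listener / scan_local  - is a local 11211 listener bound only to
#                                     loopback, or to every interface?
#   probe_memcached HOST            - from another host, does 11211 answer the
#                                     plain-text "stats" command over TCP and UDP?
# Assumptions: Linux-style "address:port" columns as printed by `ss -tuln` or
# `netstat -tuln` (macOS netstat prints "address.port" instead), and an nc
# (netcat) that accepts -u and -w <seconds>; flags differ between netcat builds.

PORT=11211

# classify_listener "ROW" -> prints loopback | exposed | none
# ROW is one line of ss/netstat output, e.g.
#   tcp  0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 1234/memcached
classify_listener() {
    row=$1
    # The local-address column is the first whitespace-separated field that
    # ends in ":11211" (0.0.0.0:11211, 127.0.0.1:11211, :::11211, [::]:11211, *:11211).
    addr=$(printf '%s\n' "$row" | tr -s ' \t' '\n\n' | grep ":$PORT\$" | head -n 1)
    if [ -z "$addr" ]; then
        echo none
        return 0
    fi
    host=${addr%:$PORT}
    case "$host" in
        127.*|::1|\[::1\]|localhost) echo loopback ;;
        *)                           echo exposed ;;   # 0.0.0.0, ::, [::], * or a routable address
    esac
}

# scan_local: classify every 11211 socket on this host.
scan_local() {
    if command -v ss >/dev/null 2>&1; then
        table=$(ss -tulnH)            # -H: no header line
    else
        table=$(netstat -tuln)
    fi
    printf '%s\n' "$table" | grep ":$PORT[[:space:]]" | while IFS= read -r row; do
        printf '%-8s %s\n' "$(classify_listener "$row")" "$row"
    done
}

# probe_memcached HOST: remote check. A reply to either request means the
# instance is reachable without authentication; a UDP reply means it can be
# used for reflection/amplification.
probe_memcached() {
    target=${1:?usage: probe_memcached HOST}
    echo "== TCP stats from $target"
    printf 'stats\r\nquit\r\n' | nc -w 2 "$target" "$PORT" | head -n 5
    echo "== UDP stats from $target"
    # Memcached UDP frame header: request id 0x0001, sequence number 0x0000,
    # total datagrams 0x0001, reserved 0x0000, followed by the text command.
    printf '\000\001\000\000\000\001\000\000stats\r\n' | nc -u -w 2 "$target" "$PORT" | cat -v | head -n 5
}

# Only run something when invoked with a subcommand, so the file can also be
# sourced for its functions:  sh memcached_check.sh scan
#                             sh memcached_check.sh probe 203.0.113.10
case "${1-}" in
    scan)  scan_local ;;
    probe) probe_memcached "${2-}" ;;
esac
```

A loopback result from scan_local is the desired state; an exposed result still needs a firewall check, because a 0.0.0.0 binding behind a host firewall that drops 11211 is not reachable. probe_memcached settles that question from outside.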
How to fix this
To mitigate attacks against Memcached, an administrator can take the following steps to block access or reduce the attack surface.
Restrict network access
Restrict network access by carrying out the following:
- bind Memcached to the loopback interface, or to a private address that only the application servers can reach (memcached -l 127.0.0.1, or the equivalent line in /etc/memcached.conf on Debian/Ubuntu or the OPTIONS variable in /etc/sysconfig/memcached on RHEL-style systems)
- disable UDP unless a client actually needs it (memcached -U 0); versions from 1.5.6 do this by default, but setting it explicitly costs nothing
- configure firewall rules so that TCP and UDP 11211 accept connections only from trusted IP addresses and drop everything else
- change the default port; this only hides the service from casual scans and is no substitute for the points above
- disable or uninstall the service if it is not required
Consider VPN or internal networking
If remote access is needed, consider using a VPN or setting up a private network instead of exposing the port to the public internet.
Regularly monitor logs
Memcached has no logins to fail unless it runs with SASL (-S), so watch for connections instead: start it with -v or -vv to log connections and commands, and alert on clients connecting to 11211 from addresses that are not your application servers. Firewall or flow logs showing inbound UDP to 11211 from the internet are a sign that the instance is being probed for amplification.
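To verify the binding and UDP settings from the restrict-network-access step, here is an added example (not code from the original page or the Memcached project) that audits the options a Memcached instance runs with and reports the ones that leave it exposed. It relies on the documented -l, -U and -S flags, and assumes short option spelling, Linux procps ps -o args= -C memcached for the running-process case, and the one-option-per-line /etc/memcached.conf layout for the file case; the option strings in the comments are constructed.

```shell
#!/bin/sh
# Added example for this page, not code from the original article or from the
# Memcached project: audit the options a Memcached instance runs with and
# report the ones that leave it exposed. Memcached flags relied on (see
# `memcached -h`):
#   -l <addr[,addr]>  interfaces to listen on; default is every interface
#   -U <port>         UDP port; 0 disables UDP (default since 1.5.6, 11211 before)
#   -S                require SASL authentication (only in builds with SASL)
# Assumptions: short option spelling (-l/-U/-S, not the --long forms), Linux
# procps `ps -o args= -C memcached` for the running-process case, and the
# Debian/Ubuntu one-option-per-line /etc/memcached.conf layout for the file case.

# audit_memcached_args "OPTIONS" -> prints one line per check; exit 0 only when
# no FINDING was printed.  Weak:    '-m 64 -p 11211 -u memcache'
#                          Hardened: '-m 64 -p 11211 -u memcache -l 127.0.0.1 -U 0'
audit_memcached_args() {
    # Leading space so " -l" cannot match inside a long option such as --lock-memory.
    args=" $1"
    bad=0
    listen=$(printf '%s\n' "$args" | sed -n 's/.* -l[ =]*\([^ ]*\).*/\1/p')
    udp=$(printf '%s\n' "$args" | sed -n 's/.* -U[ =]*\([^ ]*\).*/\1/p')

    # No -l at all, or -l 0.0.0.0 / -l :: anywhere in the comma-separated list.
    case ",$listen," in
        ,,|*,0.0.0.0,*|*,::,*)
            echo "FINDING: listens on all interfaces (no -l, or -l 0.0.0.0/::); use -l 127.0.0.1 or a private address"
            bad=$((bad + 1)) ;;
        *)  echo "ok: listens on $listen" ;;
    esac

    case "$udp" in
        '') echo "FINDING: UDP not set explicitly; it is on by default before 1.5.6, add -U 0"
            bad=$((bad + 1)) ;;
        0)  echo "ok: UDP disabled (-U 0)" ;;
        *)  echo "FINDING: UDP enabled on port $udp (amplification vector); set -U 0 unless clients need it"
            bad=$((bad + 1)) ;;
    esac

    case "$args" in
        *' -S'*) echo "ok: SASL authentication required (-S)" ;;
        *)       echo "note: no -S, so every client that can reach the port can read, write and flush the cache" ;;
    esac

    [ "$bad" -eq 0 ]
}

# audit_running_memcached: audit every memcached process on this host.
audit_running_memcached() {
    ps -o args= -C memcached | while IFS= read -r cmdline; do
        echo "== $cmdline"
        # Drop the program path, keep the options.
        audit_memcached_args "$(printf '%s\n' "$cmdline" | sed 's/^[^ ]*//')" || true
    done
}

# audit_memcached_conf FILE: Debian/Ubuntu keep one option per line in
# /etc/memcached.conf; strip comments and flatten before auditing.
audit_memcached_conf() {
    audit_memcached_args "$(grep -v '^[[:space:]]*#' "$1" | tr '\n' ' ')"
}

# Usage: sh memcached_audit.sh running
#        sh memcached_audit.sh conf /etc/memcached.conf
case "${1-}" in
    running) audit_running_memcached ;;
    conf)    audit_memcached_conf "${2:?path to memcached.conf}" ;;
esac
```

The exit status makes the audit usable in configuration management or a CI check: a non-zero result means at least one FINDING line was printed. The -S note is informational because SASL requires a build with SASL support and client changes, whereas -l and -U 0 can be applied to any instance.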