HIGH: Open Memcached Report

DESCRIPTION LAST UPDATED: 2023-12-16

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts that have the Memcached key-value store running and accessible on the Internet.

Since this service does not support authentication, any entity that can access the Memcached instance can have complete control over the key-value store. In addition, instances of Memcached that are accessible via UDP may be abused in amplification-style denial of service attacks.

See memcached.org for more information about Memcached.

Track latest Memcached exposure our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

Filenames: scan_memcached

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the Memcached response came on (TCP/UDP)
  • port
    Port that the Memcached response came from (usually 11211)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Will always be memcached
  • version
    Memcached version number
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • pid
    Process ID (PID) of the running Memcached server instance
  • pointer_size
    The system architecture (32 or 64 bits)
  • uptime
    Number of seconds since Memcached server start
  • time
    The current time and date (in UTC) that Memcached thinks it is at the time the server was probed
  • curr_connections
    The current number of client connections to the Memcached server
  • total_connections
    The total number of client connections to the Memcached server since it was last restarted
  • response_size
    Response size in bytes
  • amplification
    Amplification factor (This amplification is is based solely on the payload size sent and payload size received)

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","hostname_source","pid","pointer_size","uptime","time","curr_connections","total_connections","sector","response_size","amplification"
"2010-02-10 00:00:00",high,192.168.0.1,tcp,11211,node01.example.com,memcached,1.2.1,64512,ZZ,Region,City,0,,1660,32,28884,"2022-01-04 09:59:37",1,3542,,389,27.79
"2010-02-10 00:00:01",high,192.168.0.2,tcp,11211,node02.example.com,memcached,1.2.1,64512,ZZ,Region,City,0,,1660,32,28884,"2022-01-04 09:59:37",1,3542,,389,27.79
"2010-02-10 00:00:02",high,192.168.0.3,tcp,11211,node03.example.com,memcached,1.4.37,64512,ZZ,Region,City,0,ptr,6063,64,410442,,6,231,,1360,97.14

Our 130 Report Types