Memory As A Service

I've written and presented on the topic of insecure databases for nearly 2 years now. The example I use the most to demonstrate the problem is MongoDB because it's popular and had terrible defaults. Invariably though the focus of the conversation ends up on MongoDB and not that there are hundreds of thousands of databases on the Internet without any authentication.

So for today I decided to take a look at something else: Memcached. Their website explains it best:

Memcached is an in-memory key-value store for small chunks of arbitrary data (strings, objects) from results of database calls, API calls, or page rendering.

Do you operate a website? Does it get a lot of traffic? Then memcached is what you need to speed up response times by caching database lookups, web responses or anything else that takes more than a second to accomplish.

Shodan shows there are more than 130,000 Memcached servers running on the Internet. And they also return a lot of detailed information about their status:

Memcached provides its uptime, version, current number of connections, how much is being stored and much more. For now, I just took a look at the amount of data stored and how much memory is made available. Aggregating all the information from the publicly-available Memcached instances here are some stats:

  • 8 TB of data stored
  • 49,153 PB of memory collectively available

Since Memcached is a caching layer we wouldn't expect to see a lot of data stored in it on a permanent basis (records also usually have an expiration attached). And it doesn't offer advanced querying as a regular database would, which makes navigating the 8 TB of data more difficult than with MongoDB. That being said, there is still a lot of sensitive information that is temporarily stored on these instances. However, there is also a ridiculously giant amount of memory available on public Memcached servers. For people not familiar with petabytes, the total amount of memory advertised is 49,153,000 TB.

The organizations that are hosting the most instances are:

  1. ColoCrossing
  2. GoDaddy
  3. Enzu
  4. Aliyun
  5. Alibaba Advertising

One of the reason for all these publicly accessible instances is the same as with MongoDB: the official, default configuration of Memcached listens on all interfaces. Curiously, the Linux distributions I looked at that are offering Memcached packages provided secure defaults; i.e. only listen on localhost. This means that most likely the above organizations installed Memcached from source.

I hope this has provided some evidence that it's not just MongoDB facing insecure-by-default issues when it comes to data storage services. I could've performed the same analysis as above for Redis, Cassandra, CouchDB or Riak.