Ensure that Google Cloud VPC network firewall rules do not allow unrestricted ingress (i.e. a source range of 0.0.0.0/0) on TCP and/or UDP port 11211, the default Memcached port, in order to reduce the attack surface of the Memcached cache server instances associated with your firewall rules. Memcached is an open source, high-performance, distributed memory object caching system intended to speed up dynamic websites and web applications by alleviating database load.
Allowing unrestricted access on TCP and/or UDP port 11211 to your virtual machine instances through VPC network firewall rules exposes Memcached directly to the internet. Memcached performs no authentication by default, so anyone who can reach the port can read, overwrite or flush cached data, and an internet-reachable UDP listener can be abused as a reflector in DDoS amplification attacks, which can have a serious impact on the health and stability of your web services and applications (Memcached 1.5.6 and later disable the UDP listener by default; older builds should have it turned off unless it is actually used). VPC firewall rules should be configured so that access to specific resources is restricted to just those hosts or networks that have a legitimate business requirement for access.
Audit
To determine if your Google Cloud VPC firewall rules allow unrestricted Memcached access, perform the following operations:
Remediation / Resolution
To update your VPC network firewall rules configuration in order to restrict Memcached access to trusted entities only (i.e. authorized IP addresses or IP ranges), perform the following operations:
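The following is an added example, not part of the original rule page or of any Google tooling, that automates both the audit and the remediation step above. It consumes the JSON emitted by `gcloud compute firewall-rules list --format=json` (whose fields mirror the Compute Engine Firewall resource: `direction`, `sourceRanges`, `allowed[].IPProtocol`, `allowed[].ports`, `disabled`), flags every ingress rule that opens port 11211 to 0.0.0.0/0 (or its IPv6 equivalent `::/0`), including rules that do so indirectly through a port range, a missing `ports` list or `IPProtocol: all`, and builds the `gcloud compute firewall-rules update` command that replaces the offending source ranges. The sample rules, the trusted range `10.128.0.0/20` and the project id `my-project` are constructed placeholders.

```python
"""Added example: audit gcloud firewall-rule JSON for unrestricted Memcached access.

Input shape follows `gcloud compute firewall-rules list --format=json`. The
SAMPLE_RULES below are constructed for this demo, not output from a real project.
"""
import json

MEMCACHED_PORT = 11211
UNRESTRICTED = {"0.0.0.0/0", "::/0"}  # ::/0 is the IPv6 equivalent of 0.0.0.0/0

# Constructed sample data in the shape of `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = json.dumps([
    {"name": "allow-memcached-public", "direction": "INGRESS", "priority": 1000,
     "disabled": False, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["11211"]}]},       # finding: exact port
    {"name": "allow-udp-range", "direction": "INGRESS", "priority": 900,
     "disabled": False, "sourceRanges": ["10.0.0.0/8", "0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["11000-12000"]}]}, # finding: range covers 11211
    {"name": "allow-everything", "direction": "INGRESS", "priority": 65534,
     "disabled": False, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},                           # finding: no ports = all ports
    {"name": "allow-memcached-internal", "direction": "INGRESS", "priority": 1000,
     "disabled": False, "sourceRanges": ["10.128.0.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["11211"]}]},       # ok: trusted range only
    {"name": "egress-all", "direction": "EGRESS", "priority": 1000,
     "disabled": False, "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},                           # ok: egress, sourceRanges n/a
    {"name": "allow-memcached-disabled", "direction": "INGRESS", "priority": 1000,
     "disabled": True, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["11211"]}]},       # inactive; reported on request
])


def port_spec_covers(spec, port):
    """True if a gcloud port spec ("11211" or "11000-12000") includes `port`."""
    lo, _, hi = spec.partition("-")
    low, high = int(lo), int(hi) if hi else int(lo)
    return low <= port <= high


def allowed_entry_exposes(entry, port):
    """True if one `allowed` entry covers `port` over TCP or UDP.

    GCP accepts protocol names or IANA numbers (6 = TCP, 17 = UDP); "all" covers
    every protocol. An entry with no `ports` list allows every port of the protocol.
    """
    proto = str(entry.get("IPProtocol", "")).lower()
    if proto not in ("tcp", "6", "udp", "17", "all"):
        return False
    ports = entry.get("ports")
    if not ports:
        return True
    return any(port_spec_covers(p, port) for p in ports)


def rule_exposes_port(rule, port=MEMCACHED_PORT, include_disabled=False):
    """True if an INGRESS allow rule admits `port` from an unrestricted source range."""
    if rule.get("direction", "INGRESS") != "INGRESS":  # the API defaults to INGRESS
        return False
    if rule.get("disabled", False) and not include_disabled:
        return False
    if not UNRESTRICTED.intersection(rule.get("sourceRanges", [])):
        return False
    return any(allowed_entry_exposes(e, port) for e in rule.get("allowed", []))


def find_open_memcached_rules(rules_json, include_disabled=False):
    """Return the sorted names of rules that open Memcached to the internet."""
    rules = json.loads(rules_json)
    return sorted(r["name"] for r in rules
                  if rule_exposes_port(r, include_disabled=include_disabled))


def remediation_command(rule_name, trusted_ranges, project=None):
    """Build the gcloud command that restricts the rule to `trusted_ranges`.

    `--source-ranges` replaces the rule's whole list, so the 0.0.0.0/0 entry is
    dropped and every legitimate client range must be listed here.
    """
    cmd = ["gcloud", "compute", "firewall-rules", "update", rule_name,
           "--source-ranges=" + ",".join(trusted_ranges)]
    if project:
        cmd.append("--project=" + project)
    return " ".join(cmd)


if __name__ == "__main__":
    # On a real project: gcloud compute firewall-rules list --project=PROJECT --format=json
    for name in find_open_memcached_rules(SAMPLE_RULES):
        print("FINDING:", name)
        print("  fix:", remediation_command(name, ["10.128.0.0/20"], project="my-project"))
```

Feed it real data by saving `gcloud compute firewall-rules list --project=PROJECT --format=json` to a file and passing its contents to `find_open_memcached_rules`. Treat each hit as a configuration finding rather than proof of exposure: a rule only affects instances matching its target tags or service accounts, a higher-priority deny rule can override it, and an instance without an external IP is not reachable from 0.0.0.0/0 anyway. Conversely, review the generated `update` command before running it, since the new `--source-ranges` list must contain every range that legitimately needs to reach the cache.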
References
- Google Cloud Platform (GCP) Documentation
  - VPC networks
  - Create and manage VPC networks
  - VPC firewall rules
  - Use VPC firewall rules
- GCP Command Line Interface (CLI) Documentation
  - gcloud projects list
  - gcloud compute networks list
  - gcloud compute firewall-rules list
  - gcloud compute firewall-rules update