Memcached Honeypot
Detect unauthorized access attempts targeting Memcached cache servers.
About Memcached
Memcached is a high-performance distributed memory caching system used to speed up web applications by caching database queries and API responses. Exposed Memcached instances can leak sensitive cached data including session tokens, user data, and API keys. They're also abused for amplification DDoS attacks.
What Gets Captured
When an attacker attempts to connect using your Memcached honeypot credentials, Tripwires captures:
- Cache key - The key name requested (contains the detection token)
- Source IP - The attacker's IP address
- Timestamp - Exact time of the connection
- Command - The Memcached command issued (GET, SET, etc.)
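How a listener could derive those four fields from one request line of the Memcached text protocol, as an added example that is not Tripwires' code. The function name, record layout and sample lines are assumptions made for illustration.

```python
from __future__ import annotations
from datetime import datetime, timezone

# Memcached text-protocol commands, grouped by where the key(s) sit on the line.
MULTI_KEY = {"get", "gets"}                        # get <key>*
KEY_AFTER_EXPTIME = {"gat", "gats"}                # gat <exptime> <key>*
SINGLE_KEY = {"set", "add", "replace", "append", "prepend", "cas",
              "delete", "incr", "decr", "touch"}   # <cmd> <key> ...
NO_KEY = {"stats", "version", "flush_all", "verbosity", "quit"}
KNOWN = MULTI_KEY | KEY_AFTER_EXPTIME | SINGLE_KEY | NO_KEY
MAX_KEY_LEN = 250  # protocol limit on key length


def capture_record(line: bytes, source_ip: str, now: datetime | None = None) -> dict:
    """Build a capture record (hypothetical layout) from one request line."""
    now = now or datetime.now(timezone.utc)
    # Untrusted input: never raise on non-ASCII bytes, just mark them.
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    parts = text.split()
    command = parts[0].lower() if parts else ""
    if command in MULTI_KEY:
        keys = parts[1:]
    elif command in KEY_AFTER_EXPTIME:
        keys = parts[2:]
    elif command in SINGLE_KEY:
        keys = parts[1:2]
    else:
        keys = []
    return {
        "command": command.upper() if command in KNOWN else "UNKNOWN",
        # Over-long keys are invalid in the protocol; they stay visible in "raw".
        "keys": [k for k in keys if len(k) <= MAX_KEY_LEN],
        "source_ip": source_ip,
        "timestamp": now.isoformat(),
        "raw": text[:512],  # bounded copy of the line for later review
    }


if __name__ == "__main__":
    # Constructed sample lines; 203.0.113.7 is a documentation address.
    for sample in (b"get session_token\r\n", b"set session_token 0 0 5\r\n",
                   b"gat 60 a b\r\n", b"stats\r\n", b"\xff\xfe junk\r\n"):
        print(capture_record(sample, "203.0.113.7"))
```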
Connection Formats
Memcached honeypot endpoints can be planted in various formats depending on your tech stack:
Telnet/Netcat
echo "get session_token" | nc memcached-xxx.gettripwires.com 11211
memcached CLI
memccat --servers=memcached-xxx.gettripwires.com:11211 session_token
Python (pymemcache)
from pymemcache.client import base
client = base.Client(('memcached-xxx.gettripwires.com', 11211))
result = client.get('session_token')
PHP
<?php
$memcached = new Memcached();
$memcached->addServer('memcached-xxx.gettripwires.com', 11211);
$value = $memcached->get('session_token');
Strategic Placement Ideas
Application Cache Config
List the honeypot endpoint as the 'session cache server' in web application configuration files.
Docker Compose Files
Add the honeypot endpoint as the 'cache layer' service endpoint in docker-compose.yml.
Performance Tuning Docs
Include the honeypot endpoint as a 'distributed cache node' in scaling documentation.