==Software architecture==
{{Unreferenced section|date=June 2013}}
The system uses a [[client–server]] architecture. The servers maintain a key–value [[associative array]]; the clients populate this array and query it by key. Keys are up to 250 bytes long and values can be at most 1 [[megabyte]] in size.

Clients use client-side libraries to contact the servers which, by default, expose their service at [[Computer port (software)|port]] 11211. Both TCP and UDP are supported. Each client knows all servers; the servers do not communicate with each other. If a client wishes to set or read the value corresponding to a certain key, the client's library first computes a [[hash function|hash]] of the key to determine which server to use. This gives a simple form of [[shard (database architecture)|shard]]ing and scalable [[shared-nothing architecture]] across the servers. The server computes a second hash of the key to determine where to store or read the corresponding value.

The servers keep the values in RAM (and, starting in 1.6.0, in auxiliary cache on disk using an external storage server option);<ref name=":0">{{Cite news |last=McIntosh |first=Jason |date=14 February 2025 |title=The evolution of Memcached |url=https://lwn.net/Articles/1007303/ |url-status=live |access-date=14 February 2025 |work=LWN}}</ref> if a server runs out of available memory or disk, it discards the oldest values. Therefore, clients must treat Memcached as a transitory cache; they cannot assume that data stored in Memcached is still there when they need it. Other databases, such as [[MemcacheDB]] and [[Couchbase Server]], provide persistent storage while maintaining Memcached protocol compatibility.

If all client libraries use the same hashing algorithm to determine servers, then clients can read each other's cached data.

A typical deployment has several servers and many clients. However, it is possible to use Memcached on a single computer, acting simultaneously as client and server.
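The following sketch is an added illustration, not Memcached or client-library code. It models the client-side server selection and oldest-first eviction described above; the class names, the entry-count capacity and the two hash functions (CRC32 and truncated SHA-256) are assumptions chosen for the example.

```python
import hashlib
import zlib
from collections import OrderedDict

class ToyServer:
    """Stand-in for one server: keeps values in memory, evicts the oldest when full."""
    def __init__(self, capacity):
        self.capacity = capacity            # counted in entries here, not bytes
        self.store = OrderedDict()          # insertion order doubles as age

    def set(self, key, value):
        self.store.pop(key, None)
        self.store[key] = value
        while len(self.store) > self.capacity:
            self.store.popitem(last=False)  # discard the oldest value

    def get(self, key):
        return self.store.get(key)          # None is a cache miss

def crc32_hash(raw):
    return zlib.crc32(raw)

def sha256_hash(raw):
    return int.from_bytes(hashlib.sha256(raw).digest()[:4], "big")

class ToyClient:
    """Client library: knows every server and picks one by hashing the key."""
    def __init__(self, servers, hash_fn):
        self.servers = servers
        self.hash_fn = hash_fn

    def server_for(self, key):
        raw = key.encode()
        if len(raw) > 250:                  # key length limit from the text
            raise ValueError("key exceeds 250 bytes")
        return self.hash_fn(raw) % len(self.servers)

    def set(self, key, value):
        self.servers[self.server_for(key)].set(key, value)

    def get(self, key):
        return self.servers[self.server_for(key)].get(key)

def split_keys(client_a, client_b, keys):
    """Return (agree, differ): keys both clients send to the same server, and the rest."""
    agree = [k for k in keys if client_a.server_for(k) == client_b.server_for(k)]
    return agree, [k for k in keys if k not in agree]

if __name__ == "__main__":
    servers = [ToyServer(capacity=1000) for _ in range(3)]
    writer = ToyClient(servers, crc32_hash)
    reader = ToyClient(servers, sha256_hash)   # different algorithm, same servers
    agree, differ = split_keys(writer, reader, ["page:%d" % i for i in range(200)])
    print(len(agree), "keys shared;", len(differ), "keys the reader would always miss")
```

A reader that hashes differently sees a miss for every key it maps to another server, even though the value is cached, so it regenerates the content and stores a second copy.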
The size of its hash table is often very large. It is limited to the available memory across all the servers in the cluster in a data center. Where high-volume, wide-audience Web publishing requires it, this may stretch to many gigabytes. Memcached can be equally valuable for situations where either the number of requests for content is high, or the cost of generating a particular piece of content is high. Applications with particularly high-demand caching needs can use a built-in proxy to define and configure complex client-server routes.<ref name=":0" />

===Security===
Most deployments of Memcached are within trusted networks where clients may freely connect to any server. However, sometimes Memcached is deployed in untrusted networks or where administrators want to exercise control over the clients that are connecting. For this purpose Memcached can be compiled with optional [[Simple Authentication and Security Layer|SASL]] authentication support. The SASL support requires the binary protocol.

A presentation at [[Black Hat Briefings|BlackHat USA 2010]] revealed that a number of large public websites had left Memcached open to inspection, analysis, retrieval, and modification of data.<ref>{{Cite web |url=https://www.sensepost.com/blog/2010/blackhat-write-up-go-derper-and-mining-memcaches/ |title=SensePost | Blackhat write-up: Go-derper and mining memcaches |access-date=2016-09-02 |archive-url=https://web.archive.org/web/20181221184133/https://sensepost.com/blog/2010/blackhat-write-up-go-derper-and-mining-memcaches/ |archive-date=2018-12-21 |url-status=dead }}</ref>

Even within a trusted organisation, the flat trust model of memcached may have security implications. For simplicity and efficiency, all Memcached operations are treated equally. Clients with a valid need for access to low-security entries within the cache gain access to ''all'' entries within the cache, even when these are higher-security and that client has no justifiable need for them.
If the cache key can be predicted, guessed or found by exhaustive searching, its cache entry may be retrieved.

Some attempt to isolate setting and reading data may be made in situations such as high-volume web publishing. A farm of outward-facing content servers has ''read'' access to memcached containing published pages or page components, but no write access. Where new content is published (and is not yet in memcached), a request is instead sent to content generation servers that are not publicly accessible to create the content unit and add it to memcached. The content server then retries the retrieval and serves the content outwards.

====Used as a DDoS attack vector====
In February 2018, [[CloudFlare]] reported that misconfigured memcached servers were used to launch [[Denial-of-service attack|DDoS attacks]] on a large scale.<ref>{{cite web|url=https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/|title=Memcrashed - Major amplification attacks from UDP port 11211|date=27 Feb 2018|publisher=CloudFlare|access-date=3 March 2018}}</ref> The memcached protocol over UDP has a huge [[Denial-of-service attack#Amplification|amplification factor]] of more than 51000.<ref>{{cite news|url=https://www.techspot.com/news/73522-github-hit-massive-ddos-attack.html|title=GitHub falls victim to largest DDoS attack ever recorded|date=Mar 1, 2018|author=Jeffrey, Cal}}</ref> Victims of the DDoS attacks include [[GitHub]], which was flooded with 1.35 Tbit/s peak incoming traffic.<ref>{{cite web|url=https://githubengineering.com/ddos-incident-report/|title=February 28th DDoS Incident Report|date=March 1, 2018|access-date=3 March 2018}}</ref>

This issue was mitigated in Memcached version 1.5.6, which disabled the UDP protocol by default.<ref>{{cite web| url=https://github.com/memcached/memcached/wiki/ReleaseNotes156 |title=Memcached 1.5.6 Release Notes|website=[[GitHub]] |date=2018-02-27|access-date=3 March 2018}}</ref>
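The following configuration check is an added example, not part of Memcached. It reads a memcached command line and reports the exposure conditions this section describes: UDP enabled, a listener reachable from other hosts, no SASL, and SASL combined with the ASCII protocol. It assumes the short options <code>-U</code>, <code>-l</code>, <code>-S</code> and <code>-B</code> only, <code>-l</code> values without a port suffix, and a version supplied by the caller; the finding labels and sample command lines are constructed.

```python
import shlex

UDP_OFF_BY_DEFAULT_SINCE = (1, 5, 6)    # release named in the text
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
VALUE_FLAGS = {"-U", "-l", "-p", "-B"}  # short options that take a value

def parse_flags(cmdline):
    """Extract the options this audit cares about; other options are skipped."""
    args = shlex.split(cmdline)[1:]
    opts, i = {}, 0
    while i < len(args):
        flag = args[i][:2]
        if flag in VALUE_FLAGS:
            if len(args[i]) > 2:                 # attached form, e.g. -U0
                opts[flag] = args[i][2:]
            elif i + 1 < len(args):              # separate form, e.g. -U 0
                i += 1
                opts[flag] = args[i]
        elif args[i] == "-S":
            opts["-S"] = True
        i += 1
    return opts

def audit(cmdline, version):
    """Return a list of finding labels for one memcached command line."""
    opts = parse_flags(cmdline)
    default_udp = "0" if version >= UDP_OFF_BY_DEFAULT_SINCE else "11211"
    udp_on = opts.get("-U", default_udp) != "0"
    listen = opts.get("-l")                      # no -l means all interfaces
    exposed = listen is None or any(
        addr.strip() not in LOOPBACK for addr in listen.split(","))
    findings = []
    if udp_on:
        findings.append("udp-enabled")
    if udp_on and exposed:
        findings.append("udp-reachable-off-host")
    if exposed and "-S" not in opts:
        findings.append("no-sasl-on-network-listener")
    if "-S" in opts and opts.get("-B") == "ascii":
        findings.append("sasl-with-ascii-protocol")
    return findings

# Constructed sample command lines with assumed versions.
SAMPLES = [("memcached -m 64 -p 11211", (1, 4, 25)),
           ("memcached -l 127.0.0.1 -U 0", (1, 4, 25)),
           ("memcached -l 10.0.0.5 -S -B ascii", (1, 6, 0))]

if __name__ == "__main__":
    for cmd, ver in SAMPLES:
        print(cmd, "->", audit(cmd, ver) or "no findings")
```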