Running memcached? Better block UDP Port 11211!

[Image: stock photo of a hooded hacker. Caption: The best stock photo of a hacker in a Matrix-like environment I could download this morning. All your memcached are belong to him.]

The latest bad news from the world of threats, 'sploits and attacks is that there is a powerful new amplified DDoS attack that leverages memcached to achieve unprecedented amplification factors.

By default, older memcached builds listen on UDP port 11211 (memcached 1.5.6 and later ship with UDP disabled, but many installed and distro-packaged versions predate that). UDP is connectionless, so the source address of a request can be forged, and the memcached protocol puts no limit on how much data one small command can pull back out of the cache; anyone who can reach the port can store values as well as read them. That combination makes it one of the best amplification vectors ever seen: a 15 byte request can trigger a 750 kB response sent to a spoofed IP address of the attacker's choosing, an amplification factor of 51,200x.

OK, what should I do?

In an ideal world, nothing running memcached would be exposed to the internet.

  1. Get your memcached servers behind a firewall and bind them to a private interface (or 127.0.0.1) rather than all addresses.
  2. Block port 11211 (UDP and TCP) at the network edge if it is reachable from outside.
  3. Disable UDP for memcached: start it with -U 0, or upgrade to 1.5.6 or later, where UDP is off by default.

Want to learn more?

Some excellent write-ups are available:

Memcrashed - Major amplification attacks from UDP port 11211 – very readable piece from the pros at Cloudflare

Filtering Exploitable Ports and Minimizing Risk from the Internet and from Your Customers – food for thought for operators on the merits of proactive port filtering to address the next attack before it happens