## Introduction

Memcached servers listening on UDP port 11211 can be exploited as DDoS amplification reflectors. Attackers send small spoofed UDP requests to Memcached servers, which respond with large data payloads to the spoofed victim IP. A single 15-byte request can generate a response of up to 512KB, creating a 34,000x amplification factor.

## Symptoms

- Memcached server sending large volumes of unsolicited UDP traffic
- Network monitoring shows unusual outbound UDP traffic from the Memcached port
- ISP or hosting provider reporting abuse for DDoS amplification
- `STAT udp_requests` showing unexpectedly high values
- Memcached consuming disproportionate network bandwidth

## Common Causes

- UDP port 11211 exposed to the public internet
- Memcached started without `-U 0` to disable UDP
- Firewall rules not blocking external access to Memcached ports
- Cloud security groups allowing inbound UDP on 11211
- Memcached's default configuration enabling UDP

## Step-by-Step Fix

1. **Immediately disable UDP on Memcached**:

   ```bash
   # Stop the current Memcached instance
   sudo systemctl stop memcached

   # Restart with UDP disabled
   memcached -m 4096 -U 0 -p 11211 -l 127.0.0.1 -d

   # -U 0: disable the UDP listener (UDP port set to 0)
   # -l 127.0.0.1: bind to localhost only
   ```

2. **Block external access with firewall rules**:

   ```bash
   # iptables: drop all UDP to 11211, and TCP to 11211 from outside the internal range
   sudo iptables -A INPUT -p udp --dport 11211 -j DROP
   sudo iptables -A INPUT -p tcp --dport 11211 ! -s 10.0.0.0/8 -j DROP

   # UFW (Ubuntu)
   sudo ufw deny 11211/udp
   sudo ufw allow from 10.0.0.0/8 to any port 11211

   # Verify UDP is blocked. nc -zu alone cannot prove a UDP port is closed
   # (it reports success unless an ICMP port-unreachable comes back), so also
   # confirm that no UDP listener remains with ss.
   nc -zu localhost 11211
   ss -ulnp | grep 11211
   ```

3. **Configure the systemd service to disable UDP persistently**:

   ```ini
   # /etc/memcached.conf (Debian/Ubuntu: one option per line) or a systemd override
   # Disable UDP
   -U 0
   # Listen only on the loopback interface...
   -l 127.0.0.1
   # ...or on a specific internal IP instead
   -l 10.0.1.50
   ```

4. **Scan for exposed Memcached instances**:

   ```bash
   # Scan your own network for hosts answering on UDP 11211
   nmap -sU -p 11211 10.0.0.0/24

   # Check from outside your network
   # (use a search engine such as shodan.io to look for your own address space among exposed Memcached servers)
   ```

5. **Verify UDP is disabled**:

   ```bash
   # This should produce no reply. Memcached expects an 8-byte frame header in front of
   # every UDP command (request id, sequence number, datagram count, reserved), so a bare
   # "stats" is silently dropped even when UDP is enabled; send a correctly framed request.
   printf '\000\001\000\000\000\001\000\000stats\r\n' | nc -u -w1 localhost 11211

   # TCP should still work for authorized clients
   echo "stats" | nc localhost 11211 | head -5
   ```
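To repeat this check across your own servers rather than one host by hand, here is an added example in Python (written for this page; it is not code from the original runbook or from the Memcached project). It builds the 8-byte frame header Memcached requires in front of a UDP text command, sends the resulting 15-byte `stats` request, and reports whether anything came back and how many bytes were reflected per byte sent. The function names and the default of probing 127.0.0.1 are my own choices.

```python
import socket
import struct

# Memcached UDP frame header: request id, sequence number, total datagrams, reserved
HEADER = struct.Struct("!HHHH")


def build_udp_frame(body: bytes, request_id: int = 1) -> bytes:
    """Wrap a text-protocol command in a single-datagram UDP frame (header + body)."""
    return HEADER.pack(request_id, 0, 1, 0) + body


def parse_udp_frame(datagram: bytes) -> tuple:
    """Return (request_id, seq, total, payload); reject datagrams without a full header."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the 8-byte Memcached UDP header")
    request_id, seq, total, _reserved = HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[HEADER.size:]


def amplification_ratio(request: bytes, responses: list) -> float:
    """Bytes received per byte sent: the reflector's amplification factor."""
    return sum(len(r) for r in responses) / len(request)


def probe_udp_stats(host: str = "127.0.0.1", port: int = 11211, timeout: float = 1.0) -> dict:
    """Send one framed 'stats' request to your own server and collect replies until timeout.

    No replies (udp_answered False) is the desired hardened state: UDP disabled or filtered.
    """
    request = build_udp_frame(b"stats\r\n")  # 8-byte header + 7-byte command = 15 bytes
    responses = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            while True:
                data, _ = sock.recvfrom(65535)
                parse_udp_frame(data)  # validate framing; a malformed reply ends collection
                responses.append(data)
        except (socket.timeout, ConnectionRefusedError, ValueError):
            pass  # timeout: no more replies; refused: ICMP port unreachable, UDP is closed
    return {"udp_answered": bool(responses),
            "amplification": amplification_ratio(request, responses)}


if __name__ == "__main__":
    print(probe_udp_stats())
```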

## Prevention

- Always start Memcached with `-U 0` to disable UDP
- Bind Memcached to internal-only interfaces (`-l 10.x.x.x`)
- Configure firewall rules to block all external access to port 11211
- Use cloud security groups to restrict Memcached access to application subnets
- Regularly scan for exposed Memcached instances
- Monitor outbound UDP traffic from Memcached servers
- Consider using SASL authentication for additional security
- Document the security hardening checklist for all Memcached deployments