Running memcached? Better block UDP Port 11211!
2020-06-01 | 2 min read
The latest bad news from the world of threats, 'sploits and attacks is that there is a powerful new amplified DDoS attack that leverages memcached to achieve unprecedented amplification factors.
By default, memcached exposes UDP 11211. With the specs of the protocol being what they are, this is one of the best protocols to use for amplified attacks ever as a 15 byte request can trigger a 750k response to a user defined, spoofed IP address, resulting in a 51,200x amplification factor.
OK, what should I do?
In an ideal world, you would not have anything running memcached running exposed on the internet.
- Get your memcached servers behind a firewall.
- Block port 11211 if it is open.
- Disable UDP for memcached.
Want to learn more?
Some excellent write-ups are available:
Memcrashed - Major amplification attacks from UDP port 11211 – very readable piece from the pros at Cloudflare
Filtering Exploitable Ports and Minimizing Risk from the Internet and from Your Customers – food for thought for operators on the merits of proactive port filtering to address the next attack before it happens