
Critical Vulnerability

Memcached Amplification Checker

Memcached UDP reflection is the most powerful DDoS amplification vector ever discovered. A single exposed server can amplify attack traffic by up to 51,000x.

Maximum amplification factor: 51,000x. This is the highest amplification ratio of any known DDoS vector: a 15-byte request can generate a 750 KB response.

Amplification Factor Comparison

Vector      Amplification factor
Memcached   51,000x
NTP         556x
DNS         54x
SSDP        30x
Critical: If you're running Memcached with UDP enabled on a public IP, your server is almost certainly being abused for DDoS attacks right now. Disable UDP immediately.

How the Attack Works

Memcached UDP Reflection Attack

Memcached is a high-performance caching system used by sites like Facebook, Twitter, and YouTube. By default, older versions listen on UDP port 11211 on all interfaces - including public IPs.

Attackers send a tiny stats or get request (as small as 15 bytes) with a spoofed source IP. The Memcached server responds with up to 750 KB of cached data, directed at the victim. That's an amplification factor of 51,000x.

Unlike DNS or NTP amplification, Memcached requires no special queries or vulnerabilities - it's working exactly as designed. The problem is that it was never meant to be exposed to the internet.
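The UDP framing behind this vector (an 8-byte header in front of every datagram, with large replies split across many numbered datagrams) is small enough to inspect in a few lines. The following example was added for this page and is not Flowtriq's or Memcached's code: it builds the same 15-byte stats probe shown in the Test Your Server section, splits a constructed 750 KB reply into datagrams (the 1,400-byte body per datagram is an assumption for the demo), reassembles them out of order, detects a missing datagram, and computes the amplification factor from bytes on the wire.

```python
import struct

# memcached UDP frame header, 8 bytes, network byte order:
# request id | sequence number | total datagrams in this message | reserved (0)
HEADER = struct.Struct("!HHHH")
# Body bytes per datagram; memcached splits large replies into numbered datagrams.
# 1400 is an assumption used for this demo, not a value taken from the page.
MAX_BODY = 1400


def build_frame(request_id: int, seq: int, total: int, body: bytes) -> bytes:
    """Prepend the 8-byte memcached UDP header to a body."""
    return HEADER.pack(request_id, seq, total, 0) + body


def parse_frame(datagram: bytes):
    """Split a datagram into (request_id, seq, total, body); reject truncated frames."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the 8-byte memcached UDP header")
    request_id, seq, total, _reserved = HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[HEADER.size:]


def split_response(request_id: int, body: bytes) -> list:
    """Chunk a reply body into numbered datagrams, as the server does for large replies."""
    chunks = [body[i:i + MAX_BODY] for i in range(0, len(body), MAX_BODY)] or [b""]
    return [build_frame(request_id, seq, len(chunks), c) for seq, c in enumerate(chunks)]


def reassemble(datagrams: list) -> bytes:
    """Reorder datagrams by sequence number and join them; fail loudly if any are missing."""
    parsed = [parse_frame(d) for d in datagrams]
    request_id, _, total, _ = parsed[0]
    bodies = {}
    for rid, seq, tot, body in parsed:
        if rid != request_id or tot != total:
            raise ValueError("datagrams belong to different responses")
        bodies[seq] = body
    missing = [s for s in range(total) if s not in bodies]
    if missing:
        raise ValueError(f"missing datagram sequence numbers: {missing}")
    return b"".join(bodies[s] for s in range(total))


def amplification_factor(request: bytes, response_datagrams: list) -> float:
    """UDP payload bytes leaving the reflector divided by UDP payload bytes the sender spent."""
    return sum(len(d) for d in response_datagrams) / len(request)


def has_gap(datagrams: list) -> bool:
    """True when reassembly detects a missing datagram (a lossy capture, for instance)."""
    try:
        reassemble(datagrams)
    except ValueError:
        return True
    return False


# The same 15 bytes as the nc probe in Test Your Server: header (id 0, seq 0, total 1) + "stats\r\n"
STATS_REQUEST = build_frame(0, 0, 1, b"stats\r\n")

# Constructed stand-in for a 750 KB cached value returned by an exposed server
FAKE_RESPONSE_BODY = b"X" * 750_000


def demo() -> dict:
    """Run the round trip on the constructed data and summarise it."""
    datagrams = split_response(0, FAKE_RESPONSE_BODY)
    body = reassemble(datagrams[::-1])  # deliberately out of order; reassembly reorders them
    return {
        "request_bytes": len(STATS_REQUEST),
        "response_datagrams": len(datagrams),
        "response_bytes": sum(len(d) for d in datagrams),
        "intact": body == FAKE_RESPONSE_BODY,
        "amplification": round(amplification_factor(STATS_REQUEST, datagrams)),
    }


if __name__ == "__main__":
    print(demo())
```

With these assumptions the 750 KB body becomes 536 datagrams and 754,288 bytes of UDP payload, a ratio of roughly 50,000x against the 15-byte probe; the page's 51,000x figure differs only in how header overhead is counted.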

The GitHub Attack (Feb 28, 2018)

1.7 Tbps

The largest DDoS attack ever recorded at the time hit GitHub using Memcached amplification. It peaked at 1.7 Tbps and 126.9 million packets per second. The attack was mitigated within 10 minutes by Akamai Prolexic, but it demonstrated the devastating potential of this vector.

Memcached Reflection Flow (diagram): the attacker sends a 15-byte UDP request with a spoofed source IP to a Memcached server exposed on UDP :11211; the server sends the cached data response (~750,000 bytes) to the victim server. Scale comparison: request 15 B, response ~750 KB.
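From the victim's side this vector has a distinctive signature in flow records: many distinct source addresses, all with source port 11211, delivering near-MTU UDP packets to one destination, which is nothing like a real client talking to its own handful of cache servers. The following detector is an added example written for this page, not Flowtriq's detection engine; the Flow record shape, the thresholds and the sample flows are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211


@dataclass
class Flow:
    """One unidirectional flow record, in the shape a NetFlow/sFlow collector exports (assumed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    byte_count: int


def detect_memcached_reflection(flows, min_reflectors=10, min_avg_bytes=1000, min_mbytes=100):
    """Flag destinations receiving large UDP packets from source port 11211 on many hosts.

    Thresholds are assumptions for this demo; tune them against your own baseline.
    """
    per_dst = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port != MEMCACHED_PORT:
            continue
        agg = per_dst[f.dst_ip]
        agg["sources"].add(f.src_ip)
        agg["packets"] += f.packets
        agg["bytes"] += f.byte_count
    alerts = []
    for dst, agg in per_dst.items():
        avg = agg["bytes"] / agg["packets"] if agg["packets"] else 0
        mbytes = agg["bytes"] / 1_000_000
        if len(agg["sources"]) >= min_reflectors and avg >= min_avg_bytes and mbytes >= min_mbytes:
            alerts.append({
                "victim": dst,
                "reflectors": len(agg["sources"]),
                "avg_packet_bytes": round(avg),
                "mbytes": round(mbytes),
            })
    return sorted(alerts, key=lambda a: -a["mbytes"])


def constructed_flows() -> list:
    """Constructed sample: normal cache traffic plus a reflection flood aimed at 192.0.2.10."""
    flows = [
        # app server 10.0.0.7 talking to its own cache 10.0.0.5 over TCP: small replies
        Flow("10.0.0.5", MEMCACHED_PORT, "10.0.0.7", 40312, "tcp", 500, 60_000),
        # a legacy UDP client on the internal network: few packets, small replies
        Flow("10.0.0.5", MEMCACHED_PORT, "10.0.0.8", 41000, "udp", 100, 12_000),
        # unrelated DNS noise
        Flow("10.0.0.2", 53, "10.0.0.7", 50000, "udp", 300, 40_000),
    ]
    # 50 exposed servers on the internet each sending ~2.8 MB of 1400-byte datagrams at the victim
    for i in range(1, 51):
        flows.append(Flow(f"198.51.100.{i}", MEMCACHED_PORT, "192.0.2.10", 80, "udp", 2000, 2_800_000))
    return flows


if __name__ == "__main__":
    for alert in detect_memcached_reflection(constructed_flows()):
        print(alert)
```

The three-way condition matters: the reflector count alone would also match a large fleet of legitimate cache servers, the average packet size alone would match a single busy client pulling big values, and only the combination with volume over the window is the reflection pattern.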

Test Your Server

Commands to Check Memcached Exposure

# Check if Memcached is listening on UDP
ss -lunp | grep 11211

# If you see UDP :11211, it's exposed

# Test UDP response from remote
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -u -q1 YOUR_SERVER_IP 11211

# Check with nmap
nmap -sU -p 11211 --script memcached-info YOUR_SERVER_IP

# Test TCP connection (less dangerous but still exposed)
echo "stats" | nc YOUR_SERVER_IP 11211

# Check what interfaces Memcached is bound to
ps aux | grep memcached
# Look for -l flag. If absent or set to 0.0.0.0, it's on all interfaces

Fix It Now

Remediation Steps (Do This Immediately)

1. Disable UDP on Memcached (most critical)

Memcached has supported a -U 0 flag since version 1.5.6 to disable UDP. As of 1.5.6+, UDP is disabled by default. If you're on an older version, add it explicitly.

# In /etc/memcached.conf or startup flags:
-U 0

# Or via a systemd drop-in (systemctl edit memcached). An override must clear
# ExecStart= before redefining it, or systemd rejects the unit:
[Service]
ExecStart=
ExecStart=/usr/bin/memcached -U 0 -l 127.0.0.1 -p 11211 -m 64
# If the unit does not set User=, add -u memcache: memcached refuses to start as root.

2. Bind to localhost only

Unless you need Memcached accessible from other servers, bind it to 127.0.0.1. This prevents any external access.

# In /etc/memcached.conf
-l 127.0.0.1

# For specific internal IPs:
-l 127.0.0.1,10.0.0.5

3. Firewall port 11211

Block all external access to port 11211 as a safety net, even if you've already bound to localhost.

# UDP: drop from everywhere; no memcached client needs UDP
iptables -A INPUT -p udp --dport 11211 -j DROP
# TCP: allow localhost and your application network, drop everything else
iptables -A INPUT -p tcp --dport 11211 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 11211 -s YOUR_APP_NETWORK/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 11211 -j DROP
# These are appended (-A), so an earlier blanket ACCEPT shadows them. Repeat them in ip6tables
# if the host has IPv6, and persist them (e.g. iptables-persistent) so they survive a reboot.

4. Upgrade Memcached

Update to Memcached 1.5.6+ where UDP is disabled by default. On Ubuntu/Debian: apt update && apt upgrade memcached. On RHEL/CentOS: yum update memcached.

5. Enable SASL authentication

If Memcached must be reachable from other hosts, enable SASL authentication so that clients need credentials: add -S to the startup flags and configure SASL credentials. SASL requires a build compiled with SASL support and applies to the binary protocol over TCP, so it complements the -U 0 and firewall steps above rather than replacing them.

Protect Your Infrastructure with Flowtriq

Detect Memcached amplification and every other DDoS vector in under 1 second. The 1.7 Tbps GitHub attack lasted 10 minutes. Flowtriq alerts you in under 1.

Start Your Free Trial
7-day free trial · No credit card required · $9.99/node/month