Get a free application, infrastructure and malware scan report - Scan Your Website Now

Subscribe to our Newsletter
Try AppTrana WAAP (WAF)
Managed WAF Start at $99

DDoS Attacks on the Memcached Servers

Posted DateMarch 14, 2018
Posted Time 3   min Read

We’re living in an age where we’re always going to witness new attacks, with minimal/high complexity with the severity of the attacks ranging from high to critical. Technology is always growing, advancing and there’s always going to be more attacks to look forward to in the future. Two of the largest DDoS attacks that were ever recorded in the history of the internet were launched only recently. Yes, 2018 is going well. Attackers recently took advantage of the server configuration settings that weren’t set in place in the security point of view to thwart such attacks. Hence the affected servers received floods of malicious traffic and weren’t armed to stabilize the situation at hand.

The attack that we’re discussing targeted the Memcached Systems. Memcache is a popular open-source distributed memory caching system. Attackers exploited it by launching an amplification DDOS attack by sending forged requests to the targeted Memcached server on port 11211 using a spoofed IP address that matched their target’s IP address. This is what went down during this attack: So, a few bytes from the spoofed IP address, when received by the victim Memcached server, triggered a response which would equate to the response magnified to a thousand times bigger response. This response was sent to the Memcached server which eventually leads to the massive DDoS attack.

Basically, Memcached servers cache some of the massive data that applications require from an external database. This cached data is then easily accessible for applications to use as and when they require it. Companies use these servers to speed up their page load time. Also, these servers have been used for this very purpose for quite a long time now. Normally, the Memcached servers are used internally within an organization. That is, they’re not exposed to the public network (internet) and are only made accessible to a trusted internal network. But apparently, there are plenty of Memcached servers accessible online as well. Shodan, a search engine that lets the users find specific types of computers (webcams, routers, servers, etc.) can be used to find Memcached servers as well.

What’s interesting is that these servers had the UDP port11211 open by default (according to Cloudflare’s Marek Majkowski). Since these servers have been used by companies for a very long time, back in the day, UDP was faster and simpler than the TCP protocol. That has changed now. However, the default settings on the server configurations remained. Which lead to the discovery of many Memcached servers with port 11211 left open by default.

In the aftermath of this attack, the leads behind the open-source Memcached project released a new stable version. In that version, the default settings don’t leave the mentioned UDP port open anymore. This can be configured manually as well.

To prevent Memcached servers from being exploited with the previously mentioned method, we advise users to install a WAF that would provide access to Memcached servers ONLY from the local network.

Administrators should also consider avoiding external traffic to the ports used by the attackers to exploit the Memcached servers (for example 11211 port used by default), and to block or rate-limiting UDP or completely disable UDP support if not in use.

Need help protecting your business from all kinds of application-layer DDoS attacks?

Start Here

You can start with the AppTrana Free Forever Website Security Scan to find out how it works.

web application security banner

Spread the love

Join 47000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

Recent Notorious Hacks History
27 Most Notorious Hacks in History that Fall Under OWASP Top 10

What were the most notorious hacks in history? They’re subject to debate, but we bring you 27 of them, which would be strong candidates for the title.

Spread the love

Read More
Application Layer/Layer 7 DDoS Attacks
3 Effective Techniques to Mitigate Application Layer DDoS Attacks

Application Layer DDoS attacks are very hard to detect because they attack application-specific resources. Learn how to mitigate this attack.

Spread the love

Read More
DDoS Extortion Attacks
What is a DDoS Extortion Attack and How do you Respond to it?

Cybercriminals are leveraging DDoS extortion attacks to extort money from organizations. Learn how to respond to these attacks.

Spread the love

Read More


Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Know More Take Free Trial


Indusface is the only cloud WAAP (WAF) vendor with 100% Customer Recommendation for 3 consecutive years.

A Customers’ Choice for 2022 and 2023 - Gartner® Peer Insights™

The reviews and ratings are in!