Deep Dive into Memcached Reflection Amplification Attacks
Memcached Protocol Overview
Memcached is a high-performance distributed memory caching system widely used to accelerate dynamic web applications. It uses a simple text-based protocol supporting both TCP and UDP transport methods. It is precisely the openness of its UDP interface that provides an opportunity for reflection amplification attacks.
Core Protocol Characteristics
No Authentication Mechanism
By default, no client authentication is required. Any host that can access the Memcached port can send requests.
UDP Support
For low latency, Memcached can listen on UDP port 11211. UDP's connectionless nature makes it easy to exploit through source address spoofing.
High Amplification Factor
A single small request (approximately 15 bytes) can trigger up to 1 MB of data return, with a theoretical amplification factor of up to 51,000x.
The stats command can return detailed cache statistics. Attackers can achieve an amplification factor of approximately 130x using this command without needing to pre-inject data.
Reflection Amplification Attack Mechanism
Attack Mechanism
The core of reflection amplification attacks (DrDoS) lies in using third-party servers as "reflectors" to amplify small attack requests into large volumes of attack traffic that ultimately converge on the target victim. Memcached attacks have an extremely high amplification factor, with a theoretical maximum of 51,000x.
Spoof Source Address
The attacker constructs Memcached request packets, forging the source IP as the victim's address. Since UDP is connectionless, the server cannot verify the authenticity of the source address.
Send Requests
Send requests to Memcached servers exposed on the internet. Attackers typically scan large numbers of servers to find targets exposed on the public network.
Amplification and Reflection
Memcached servers send large volumes of response data to the "source address" (i.e., the victim). The response data volume far exceeds the request data volume, achieving traffic amplification.
Traffic Convergence
Responses from thousands of Memcached servers converge into a massive attack flood, and the victim's network bandwidth is instantly exhausted.
Amplification Factor Analysis
| Request Command | Request Size | Response Size | Amplification Factor | Danger Level |
|---|---|---|---|---|
| stats | ~15 bytes | ~2 KB | ~130x | Medium |
| stats slabs | ~20 bytes | ~10 KB | ~500x | High |
| stats items | ~20 bytes | ~50 KB | ~2,500x | Extremely High |
| Custom key read | ~15 bytes | Up to 1 MB | ~51,000x | Extremely High |
get commands to read this data, attackers can achieve extremely high amplification factors. This two-phase attack pattern of "pre-injection + reflection" enables attack traffic to easily reach Tbps levels.
Real Case Studies
GitHub Incident (2018)
In February 2018, the well-known code hosting platform GitHub experienced one of the largest DDoS attacks in history at that time, with a peak traffic of 1.35 Tbps. The attackers precisely utilized Memcached reflection amplification technology, launching the attack through approximately 1,700 Memcached servers exposed on the internet.
2024-2025 Trends
Although Memcached attacks have been widely recognized by the industry, our monitoring data shows:
| Metric | Data | Trend |
|---|---|---|
| Share of all reflection attacks | 18% | Declining |
| Average attack peak | 750 Gbps | +45% |
| Average attack duration | 12 minutes | Shortening |
| Publicly exposed servers | ~23,000 | Slowly decreasing |
Attacks exhibit a "short and intense" characteristic -- duration is shortening but peak traffic is increasing, placing higher demands on the rapid response capability of protection systems.
Protection Strategies
Protection for Memcached Servers
Enable only TCP in the Memcached configuration and close UDP port 11211. This is the most direct and effective protection measure, fundamentally eliminating the risk of reflection amplification attacks.
Bind Memcached to 127.0.0.1 or internal network IPs to avoid public exposure. Ensure only trusted application servers can access Memcached.
Use SASL authentication mechanisms to restrict access permissions. Even if Memcached is accidentally exposed on the public network, attackers cannot exploit it to launch attacks.
Configure iptables or cloud security groups to allow only trusted IPs to access port 11211. It is recommended to deny all inbound connections by default and open only as needed.
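The first three measures can be checked mechanically. The following audit is an added example, not code from the original article or from the Memcached project: it assumes a configuration file with one short option per line (`-U`, `-l`, `-S`), and the finding names and sample configurations are constructed for illustration.

```python
import ipaddress

def parse_conf(text):
    """Return {flag: value} from memcached.conf-style text (one option per line)."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts and parts[0].startswith("-"):
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit(text):
    """Return sorted finding codes for the hardening measures listed above."""
    opts = parse_conf(text)
    findings = set()
    # -U 0 turns the UDP listener off. Older releases open UDP when -U is
    # absent, so only an explicit -U 0 passes.
    if opts.get("-U") != "0":
        findings.add("udp-not-disabled")
    # Without -l, memcached listens on every interface.
    listen = opts.get("-l", "")
    if not listen:
        findings.add("listens-on-all-interfaces")
    for addr in filter(None, (a.strip() for a in listen.split(","))):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.add("listen-address-unverified")  # hostname or host:port
            continue
        # 0.0.0.0 and :: mean "all interfaces"; test them before is_private.
        if ip.is_unspecified or not (ip.is_loopback or ip.is_private):
            findings.add("listen-address-exposed")
    if "-S" not in opts:  # -S enables SASL authentication
        findings.add("sasl-not-enabled")
    return sorted(findings)

# Constructed sample configurations, not taken from any real host.
WEAK = "-m 64\n-p 11211\n-u memcache\n-l 0.0.0.0\n"
HARDENED = "# cache for app tier\n-m 64\n-p 11211\n-U 0\n-l 127.0.0.1\n-S\n"

if __name__ == "__main__":
    print("weak:    ", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

The firewall rule from the last measure is outside what a configuration file shows and still has to be verified on the host or in the cloud security group.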
Protection for Potential Victims
- Traffic scrubbing: Deploy professional DDoS protection equipment to identify and filter Memcached reflection traffic
- Anycast network: Use Anycast technology to distribute attack traffic across multiple nodes
- Protocol analysis: Identify abnormal Memcached response traffic based on deep packet inspection (DPI)
- Blackhole routing: In extreme cases, route attack traffic to a blackhole
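The protocol-analysis item can be made concrete with a small classifier for inbound UDP datagrams. This is an added example, not code from the original article or from any scrubbing product: it relies on the 8-byte frame header that Memcached puts on UDP datagrams and on the `STAT`/`VALUE`/`END` reply tokens of the text protocol, and the function names and sample datagrams are constructed.

```python
import struct

MEMCACHED_PORT = 11211
# Leading tokens of memcached text-protocol replies to stats and get commands.
RESPONSE_TOKENS = (b"STAT ", b"VALUE ", b"END\r\n")

def parse_udp_frame(payload):
    """Parse the 8-byte memcached UDP frame header; None if it is not valid.

    Fields are big-endian 16-bit: request ID, sequence number, total
    datagrams in the message, reserved (must be 0).
    """
    if len(payload) < 8:
        return None
    req_id, seq, total, reserved = struct.unpack("!HHHH", payload[:8])
    if reserved != 0 or total == 0 or seq >= total:
        return None
    return {"request_id": req_id, "seq": seq, "total": total, "body": payload[8:]}

def is_memcached_response(src_port, payload):
    """True when an inbound UDP datagram looks like a memcached reply."""
    if src_port != MEMCACHED_PORT:
        return False
    frame = parse_udp_frame(payload)
    if frame is None:
        return False
    # Only datagram 0 starts with a reply token; later ones continue mid-stream.
    return frame["seq"] > 0 or frame["body"].startswith(RESPONSE_TOKENS)

def bytes_per_reflector(packets):
    """Sum matching payload bytes per source IP from (ip, port, payload) tuples."""
    totals = {}
    for src_ip, src_port, payload in packets:
        if is_memcached_response(src_port, payload):
            totals[src_ip] = totals.get(src_ip, 0) + len(payload)
    return totals

def _frame(req_id, seq, total, body):
    return struct.pack("!HHHH", req_id, seq, total, 0) + body

# Constructed sample datagrams (documentation-range addresses, made-up values).
SAMPLE = [
    ("198.51.100.10", 11211, _frame(7, 0, 2, b"STAT pid 1234\r\nSTAT uptime 99\r\n")),
    ("198.51.100.10", 11211, _frame(7, 1, 2, b"STAT threads 4\r\nEND\r\n")),
    ("198.51.100.20", 53, b"\x00" * 40),        # other UDP service
    ("198.51.100.30", 11211, b"short"),          # too short for a frame header
    ("198.51.100.40", 11211, _frame(1, 0, 1, b"hello world")),  # no reply token
]
```

A host that never sends Memcached requests over UDP should see none of these datagrams, so any per-source total above zero is a candidate for filtering or rate limiting.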
Hiddos Protection Capabilities
Hiddos's intelligent traffic scrubbing platform provides multi-layer protection mechanisms against reflection amplification attacks. Through real-time protocol fingerprint identification, the system can identify Memcached reflection traffic characteristics in under a second and automatically trigger scrubbing strategies. Additionally, Hiddos's global Anycast protection network can distribute attack traffic to the nearest scrubbing nodes, ensuring normal business operations are unaffected.
Conclusion
Although Memcached reflection amplification attacks have been known for years, their extremely high amplification factor and the large number of still-exposed servers make them an important threat in the DDoS attack landscape. Enterprises should build comprehensive defense systems from both the source (hardening Memcached services) and the endpoint (deploying professional protection) to effectively counter such attacks.
