CERT MW has been informed of an active attack that is using memcached servers to perform a reflected Denial of Service (DoS) attack.
In this attack, an attacker sends queries to memcached servers on port UDP/11211 or TCP/11211 with the source IP address and port spoofed to be those of the target. The servers' responses are amplified and reflected back to the target as a DoS attack.
CERT MW is aware that this attack is active. Because of this, we strongly recommend you investigate your servers as soon as possible to prevent them from being used in an attack.

Systems affected

Memcached servers that have UDP/11211 or TCP/11211 open and are internet-accessible.
This attack requires the memcached server to be misconfigured. It is prudent to work on the basis that all memcached servers are affected until they are investigated.
Memcached servers that are 1.2.7 or later and using default configurations should be assessed immediately.

What this means

All affected servers need to be updated with recommended mitigations to prevent the server from being used in this reflection attack.

How to tell if you’re at risk

If you are using a memcached server that is misconfigured, you are at risk of it being used to carry out a reflection attack.
Memcached servers are largely used in internet data centre or infrastructure-as-a-service networks.
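
One way to check a Linux server for the exposure described above, as an added example that is not part of the original advisory. It assumes `ss` from iproute2 is available; the function name and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag memcached listeners (port 11211) bound to a
# non-loopback address. Input is `ss -H -lntu` output (Linux, iproute2).

# Reads ss lines on stdin; prints "<proto> <local address>" per finding.
exposed_memcached_listeners() {
    awk '
    {
        endpoint = $5                        # Local Address:Port column
        pos = match(endpoint, /:[0-9]+$/)    # last colon, so IPv6 is safe
        if (pos == 0) next
        port = substr(endpoint, pos + 1)
        addr = substr(endpoint, 1, pos - 1)
        if (port != "11211") next
        # Loopback-only listeners cannot be reached from other hosts.
        if (addr ~ /^127\./ || addr == "[::1]") next
        print $1 " " addr
    }'
}

# Constructed sample of `ss -H -lntu` output (not from a real host).
SAMPLE='udp   UNCONN 0 0          0.0.0.0:11211   0.0.0.0:*
tcp   LISTEN 0 1024     127.0.0.1:11211   0.0.0.0:*
tcp   LISTEN 0 1024    192.0.2.10:11211   0.0.0.0:*
tcp   LISTEN 0 128        0.0.0.0:22      0.0.0.0:*
udp   UNCONN 0 0             [::]:11211      [::]:*
tcp   LISTEN 0 1024         [::1]:11211      [::]:*'

# On a live server, replace the printf with: ss -H -lntu
findings=$(printf '%s\n' "$SAMPLE" | exposed_memcached_listeners)
if [ -n "$findings" ]; then
    echo "memcached is listening on non-loopback addresses:"
    printf '%s\n' "$findings"
else
    echo "memcached listens on loopback only (or is not running)"
fi
```

A flagged listener is a candidate only: whether it is internet-accessible depends on the firewall and ACL rules in front of it.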

Mitigation

Ensure that memcached servers are configured to use industry-standard best current practices (BCP). This includes:

  • using source-address validation to filter ingress traffic (BCP38/BCP84)
  • using access control lists (ACL) to restrict source IP addresses/ports and limit traffic

Details about these mitigations can be found at: