Memcached is a high-performance caching system. However, by default, it listens on all interfaces and has UDP enabled. This makes open Memcached servers a prime target for amplification DDoS attacks.
Attackers can send tiny UDP packets with a forged (spoofed) source address to your exposed Memcached server, which then replies with massive amounts of data to the victim whose address was forged. Because the reply is far larger than the request, this creates huge DDoS attacks and saturates your bandwidth.
You must disable UDP and restrict network access immediately.
Step 1: Firewall (Quick Fix)
The fastest way to stop an attack is to block external access to port 11211.
UFW (Ubuntu/Debian)
# Deny incoming UDP traffic on the default port
sudo ufw deny 11211/udp
# Allow TCP only from trusted hosts (if remote access is needed); with no allow rule, ufw's default incoming policy denies the port
sudo ufw allow from <TRUSTED_IP> to any port 11211 proto tcp
FirewallD (CentOS/RHEL)
# Removes the port if it was opened earlier; the public zone does not expose 11211 unless it was added
sudo firewall-cmd --zone=public --remove-port=11211/udp --permanent
sudo firewall-cmd --reload
Step 2: Configuration Hardening
Firewalls are great, but configuring the service itself is better. We need to disable UDP and bind the service to a specific interface.
On Ubuntu / Debian
1. Open the configuration file:
sudo nano /etc/memcached.conf
2. Ensure the following settings are present:
# Disable UDP (Critical!)
-U 0
# Bind to Localhost (if only used locally)
-l 127.0.0.1
If you need to access Memcached from another server in a private network, change 127.0.0.1 to your server's Private IP address.
3. Restart the service:
sudo systemctl restart memcached
On CentOS / RHEL / AlmaLinux
1. Open the sysconfig file:
sudo vi /etc/sysconfig/memcached
2. Modify the OPTIONS line to include -U 0 (disable UDP) and -l (listen address):
# Example: Bind to localhost and disable UDP
OPTIONS="-l 127.0.0.1 -U 0"
3. Restart the service:
sudo systemctl restart memcached
Step 3: Verification
Verify that Memcached is no longer listening on UDP and is bound to the correct IP. If netstat is not installed, ss -plunt shows the same listener information.
sudo netstat -plunt | grep memcached
Correct Output Example:
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 2383/memcached
Note: you should see tcp with your specific IP as the local address. You should not see udp, and the local address should not be 0.0.0.0 or ::.
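To check both the configuration files and the live listener output from a script, the following audit helpers can be used. This is added example code, not part of the original guide; check_conf reads memcached.conf or sysconfig text on stdin, and check_listeners reads netstat -plunt or ss -plunt lines on stdin (both function names are this example's own).

```shell
#!/bin/sh
# Added audit helpers (example code, not from the original guide).
# check_conf succeeds only if UDP is disabled (-U 0) and -l names a
# non-wildcard address. check_listeners fails on any UDP socket or any
# bind to 0.0.0.0 / :: / * for the memcached lines it is given.
check_conf() {
    udp_ok=0; bind_ok=0; prev=""
    set -f   # no glob expansion while splitting tokens
    # Drop comments, the sysconfig OPTIONS= wrapper and quotes, then walk
    # the remaining tokens so both file formats parse the same way.
    for tok in $(sed -e 's/#.*//' -e 's/^OPTIONS=//' -e 's/"//g'); do
        case "$prev" in
            -U) [ "$tok" = "0" ] && udp_ok=1 ;;
            -l) case "$tok" in -*|*0.0.0.0*|::|::,*|*,::) ;; *) bind_ok=1 ;; esac ;;
        esac
        prev=$tok
    done
    set +f
    [ "$udp_ok" -eq 1 ] && [ "$bind_ok" -eq 1 ]
}

check_listeners() {
    bad=0
    while IFS= read -r line; do
        set -f; set -- $line; set +f   # split fields without glob expansion
        proto=$1; local_addr=""
        for f in "$@"; do              # first "addr:port" field is the local socket
            case "$f" in *:[0-9]*) local_addr=$f; break ;; esac
        done
        [ -z "$local_addr" ] && continue
        case "$proto" in
            udp*) echo "FAIL: UDP listener $local_addr" >&2; bad=1 ;;
        esac
        case "${local_addr%:*}" in
            0.0.0.0|::|\*|'[::]') echo "FAIL: wildcard bind $local_addr" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Live use on a host (commented out so the file runs offline):
# check_conf < /etc/memcached.conf && sudo netstat -plunt | grep memcached | check_listeners
```

The sample lines in the test below are constructed from the output format shown above, not captured from a real host.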