New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

Roland Dobbins rdobbins at
Tue Feb 27 23:10:27 UTC 2018

On 28 Feb 2018, at 5:26, Ca By wrote:

> Just udp.

This Arbor Threat Summary discusses the TCP issue, as well, FWIW:


'It should also be noted that memcached priming queries can also be 
directed towards TCP/11211 on abusable memcached servers. TCP is not 
currently considered a high-risk memcached reflection/amplification 
transport as TCP queries cannot be reliably spoofed.'

We also recommend implementing situationally-appropriate network access 
policies at the IDC edge which disallow unwanted UDP/11211 as well as 
TCP/11211 from reaching abusable memcached deployments.

Roland Dobbins <rdobbins at>

More information about the NANOG mailing list