Secure memcached server to avoid DDoS amplification attacks

I am worried that my Memcached server is being used for DDoS amplification attacks. How do I secure a Memcached server on a Linux or Unix-like system to prevent an attacker from exploiting my Memcached service as an amplification vector, causing unexpected volumes of traffic to be sent to targeted networks?

Memcached is a free and open source distributed memory object caching system. One can use it to speed up dynamic web applications by reducing database load. The Memcached server is an in-memory key-value store. This page shows how to secure memcached running on a Linux or Unix-like system.

How to install Memcached server

Use the apt-get command/apt command on Debian/Ubuntu Linux:
$ sudo apt install memcached
If you are using CentOS/RHEL, try the yum command:
$ sudo yum install memcached
Fedora Linux users should use the dnf command:
$ sudo dnf install memcached

How to configure Memcached

You need to edit the following file as per your Linux distro:

  • Debian/Ubuntu/Mint Linux – /etc/memcached.conf
  • CentOS/RHEL/Fedora/Oracle Linux – /etc/sysconfig/memcached

For detailed info on memcached configuration see FAQs:

Memcached and DDoS attack

By default the memcached server listens on TCP and UDP port number 11211. A DDoS (Distributed Denial of Service) amplification attack is performed by exploiting Memcached servers exposed on a public Internet IPv4/IPv6 address. UDP is the problem: a request can carry a spoofed source address, so a small request to the server produces a much larger response that is delivered to the victim. A significant increase in amplification attacks using the Memcached protocol has been observed, with the traffic coming from UDP port 11211.

How to secure memcached server

The procedure to secure a memcached server is as follows:

1. Configure a firewall

Debian/Ubuntu Linux example

You can use ufw on Debian/Ubuntu Linux as follows to only allow traffic to port 11211 between your private IP addresses (replace the empty source/destination with your own addresses):
$ sudo ufw allow from to port 11211 proto tcp comment 'Allow memcached tcp port'
### [ uncomment the following if you are using udp port ] ###
$ #sudo ufw allow from to port 11211 proto udp comment 'Allow memcached udp port'

CentOS/RHEL version 6.x/5.x

If you are using CentOS/RHEL 6.x/5.x, edit /etc/sysconfig/iptables:
$ sudo vi /etc/sysconfig/iptables
Add the following INPUT line (fill in your private source and destination addresses after -s and -d):
-A INPUT -m state --state NEW -m tcp -p tcp --dport 11211 -s -d -j ACCEPT
# uncomment the following if you are using udp
#-A INPUT -m state --state NEW -m udp -p udp --dport 11211 -s -d -j ACCEPT

Save and close the file. Restart the firewall, run:
$ sudo service iptables restart

RHEL/CentOS version 7.x and Fedora Linux

For the latest CentOS/RHEL/Fedora Linux versions use the following firewall-cmd rich rule (fill in your private source address):
# firewall-cmd --permanent --zone=public --add-rich-rule='
rule family="ipv4"
source address=""
port protocol="tcp" port="11211" accept'

Reload the firewall:
# firewall-cmd --reload

2. Disable UDP

To disable UDP and listen on the loopback IP only, add the following to the memcached config file /etc/sysconfig/memcached on CentOS/RHEL/Fedora Linux (the -l option takes a comma-separated list of addresses to bind):
OPTIONS="-U 0 -l,"
Append the following to /etc/memcached.conf on Debian/Ubuntu Linux:
-U 0

  • -U 0 : Listen on UDP port {num}; the default is port 11211. Set it to 0 to turn UDP off, i.e. disable UDP if it is NOT needed.
  • -l : Specify which IP address to listen on. The default is to listen on all IP addresses. This parameter is one of the only security measures memcached has, so make sure it is listening on a firewalled interface.

3. Force memcached to listen on private LAN/VLAN IP address

As discussed above, set the -l option to your private LAN/VLAN IP address (or the loopback address if the application runs on the same host).

How do I test my memcached server security settings?

Make sure that your Memcached server is firewalled and that its TCP/UDP ports are closed from the public Internet; only your web server/app should be allowed to reach it. Test from an outside host using the nc command, telnet command or nmap command (all should fail to connect):
$ nc your-public-IP-here 11211
$ nc -u your-public-IP-here 11211
$ telnet your-public-IP-here 11211
$ sudo nmap your-public-IP-here -p 11211 -sU -sS --script memcached-info

Verify open ports with the ss command or netstat command:
$ ss -tulpn | grep :11211
$ netstat -tulpn | grep :11211
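The ss/netstat check above tells you what memcached is bound to, but reading it by eye is error-prone. The following added example (not part of the original tutorial) audits `ss -tulpn` output for the two misconfigurations that steps 2 and 3 fix: a UDP listener on 11211, and an 11211 listener bound to a wildcard address. The `ss` sample is constructed, not captured from a real host; the function and its names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit `ss -tulpn` output
# for memcached listeners that are still exposed after the changes above.
# Two findings are reported for port 11211:
#   - any UDP listener (should be off: -U 0)
#   - any listener bound to a wildcard address, i.e. every interface
#     (should be a loopback or private address: -l <addr>)
# Field 5 of ss output is "Local Address:Port", so the checks key off that.

# Constructed sample in `ss -tulpn` format (not captured from a real host).
# The first line after the header is a hardened server: TCP only, loopback only.
# The last two lines show the stock configuration: UDP on, bound everywhere.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      1024       127.0.0.1:11211      0.0.0.0:*    users:(("memcached",pid=1234,fd=26))
udp   UNCONN 0      0            0.0.0.0:11211      0.0.0.0:*    users:(("memcached",pid=5678,fd=27))
tcp   LISTEN 0      1024         0.0.0.0:11211      0.0.0.0:*    users:(("memcached",pid=5678,fd=26))'

# Read ss output on stdin, print one line per risky listener on 11211.
# Exit status 0 means nothing risky was found, 1 means at least one finding.
audit_memcached_listeners() {
    awk '
        $5 ~ /:11211$/ {
            if ($1 == "udp") {
                print "UDP listener on " $5 " (disable with -U 0)"
                bad++
            }
            if ($5 ~ /^(0\.0\.0\.0|\*|\[::\]):11211$/) {
                print toupper($1) " listener bound to all interfaces on " $5 " (bind a private or loopback address with -l)"
                bad++
            }
        }
        END { exit (bad > 0 ? 1 : 0) }
    '
}

# Count the findings so a script can branch on the number as well as the exit status.
count_findings() {
    audit_memcached_listeners | wc -l | tr -d ' '
}

# Demo on the constructed sample; on a live host use: ss -tulpn | audit_memcached_listeners
printf '%s\n' "$SAMPLE_SS" | audit_memcached_listeners \
    || echo "memcached is still exposed; apply steps 1-3 above and re-check"
```

On the sample the hardened loopback line produces no finding, the UDP line produces two (UDP itself and the wildcard bind) and the wildcard TCP line one, so the script exits non-zero. An IPv6 loopback bind (`[::1]:11211`) is accepted; `[::]:11211` and `*:11211` are treated as wildcards.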

A sample firewall message indicating a blocked attack

[72551.977597] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:60:1d:71:00:26:51:c4:00:41:08:00 SRC= LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=TCP SPT=55298 DPT=11211 WINDOW=65535 RES=0x00 SYN URGP=0 
[74893.874472] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:60:1d:71:00:1b:54:c2:50:c1:08:00 SRC= LEN=40 TOS=0x08 PREC=0x20 TTL=243 ID=54321 PROTO=TCP SPT=57239 DPT=11211 WINDOW=65535 RES=0x00 SYN URGP=0
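Once the firewall is in place, the block messages above are your record of who is still probing port 11211. The following added example (not part of the original tutorial) summarises UFW block lines by source address and protocol, so a burst of UDP probes to 11211 stands out. Because the SRC= field is blank in the page's own lines, the sample log is constructed with RFC 5737 documentation addresses; the function and its name are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: summarise which source
# addresses are probing port 11211, from UFW block messages in the kernel log.
# The page's own log lines have SRC= blank, so the sample below is constructed
# with RFC 5737 documentation addresses; no real scanner is implied.
SAMPLE_UFW_LOG='[72551.977597] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:60:1d:71:00:26:51:c4:00:41:08:00 SRC=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=TCP SPT=55298 DPT=11211 WINDOW=65535 RES=0x00 SYN URGP=0
[72552.101223] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:60:1d:71:00:26:51:c4:00:41:08:00 SRC=192.0.2.10 LEN=37 TOS=0x00 PREC=0x00 TTL=246 ID=0 DF PROTO=UDP SPT=41000 DPT=11211 LEN=17
[74893.874472] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:60:1d:71:00:1b:54:c2:50:c1:08:00 SRC=198.51.100.7 LEN=40 TOS=0x08 PREC=0x20 TTL=243 ID=54321 PROTO=TCP SPT=57239 DPT=11211 WINDOW=65535 RES=0x00 SYN URGP=0
[74900.120011] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:60:1d:71:00:1b:54:c2:50:c1:08:00 SRC=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=12345 PROTO=TCP SPT=44444 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[74901.003370] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:60:1d:71:00:26:51:c4:00:41:08:00 SRC=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=TCP SPT=55300 DPT=11211 WINDOW=65535 RES=0x00 SYN URGP=0'

# Read log lines on stdin; print "<count> <PROTO> <SRC>" for every source that
# hit DPT=11211, most active first. Other ports (the DPT=22 line) are ignored.
count_memcached_probes() {
    awk '
        /\[UFW BLOCK\]/ && / DPT=11211( |$)/ {
            src = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src != "" && proto != "") hits[proto " " src]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Demo on the constructed sample. On a live Ubuntu host the same lines come
# from the kernel log, e.g.:
#   journalctl -k | count_memcached_probes
#   count_memcached_probes < /var/log/ufw.log
printf '%s\n' "$SAMPLE_UFW_LOG" | count_memcached_probes
```

On the sample this prints three lines: `2 TCP 192.0.2.10`, `1 UDP 192.0.2.10` and `1 TCP 198.51.100.7`; the SSH probe from 203.0.113.5 is not counted. A source that shows up with UDP to 11211 is exactly the traffic the `-U 0` setting and the firewall are there to stop.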


  • Memcrashed – Major amplification attacks from UDP port 11211
