
How a 1.4Tbps Memcached Amplification Attack Works — and How to Stop It

Ceren Yildiz

Security Researcher

Mar 18, 2025 · 8 min read

Memcached-based reflection attacks can amplify traffic by a factor of 51,000x. We break down exactly how attackers exploit these servers and the mitigation techniques Akarguard applies in real time.

In February 2018, GitHub was hit with 1.35Tbps of traffic — at the time, the largest DDoS attack ever recorded. The weapon: Memcached, an open-source caching system that tens of thousands of operators had accidentally exposed to the public internet.

What Is a Memcached Amplification Attack?

Memcached is designed to run inside trusted networks, not on the public internet. It listens on UDP port 11211 and responds to any query without authentication. Attackers exploit this by sending small requests with a spoofed source IP — the victim's address — to publicly exposed Memcached servers. Each server then floods the victim with a response that can be up to 51,000 times larger than the original request.

Amplification factor

A 15-byte request can trigger a 750KB response — a 51,000x amplification ratio. With thousands of vulnerable servers, attackers can generate terabit-scale floods from a laptop.

Anatomy of the Attack

  • Attacker pre-loads a Memcached server with a large value (e.g., 1MB payload).
  • Attacker sends a UDP GET request to the server with the victim's IP as the source.
  • The Memcached server sends the full payload to the victim — no questions asked.
  • With 10,000 servers, the attacker can sustain 500Gbps+ from a single machine.

How Akarguard Mitigates It

Our scrubbing centers perform deep packet inspection at line rate. Memcached reflection traffic has a distinctive signature: UDP source port 11211, specific response headers, and payload patterns that match our detection rules. Traffic matching this profile is dropped at the network edge — before it reaches your infrastructure.

  • All inbound traffic is routed through Akarguard's reverse-proxy scrubbing layer via DNS.
  • Memcached reflection signatures (UDP/11211) are detected and dropped at the proxy edge within 200ms.
  • Traffic matching known amplification patterns is rate-limited or null-routed before it reaches your origin server.
  • Our SOC team monitors every active mitigation event 24/7.
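
A simplified form of the signature check described above, as an added example (it is not Akarguard's detection code). It tests UDP source port 11211, the 8-byte memcached UDP frame header and the text-protocol response keywords, then totals matching bytes per destination. The function names, the `min_bytes` threshold and the sample packets are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

MEMCACHED_PORT = 11211
# Keywords that open a memcached text-protocol reply (assumed rule set).
RESPONSE_PREFIXES = (b"VALUE ", b"STAT ", b"END\r\n")

def is_memcached_reflection(src_port: int, payload: bytes) -> bool:
    """True if a UDP datagram looks like a memcached reply."""
    if src_port != MEMCACHED_PORT or len(payload) < 8:
        return False
    # UDP frame header: request id, sequence no., datagram count, reserved (must be 0).
    _req_id, seq, total, reserved = struct.unpack("!HHHH", payload[:8])
    if reserved != 0 or total == 0 or seq >= total:
        return False
    # Only the first datagram of a reply starts with a keyword;
    # continuation datagrams (seq > 0) carry raw value bytes.
    return seq > 0 or payload[8:].startswith(RESPONSE_PREFIXES)

def summarize(packets, min_bytes=2000):
    """Map each flagged destination to (matching bytes, distinct reflectors)."""
    stats = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for src_ip, src_port, dst_ip, payload in packets:
        if is_memcached_reflection(src_port, payload):
            stats[dst_ip]["bytes"] += len(payload)
            stats[dst_ip]["reflectors"].add(src_ip)
    return {dst: (s["bytes"], len(s["reflectors"]))
            for dst, s in stats.items() if s["bytes"] >= min_bytes}

def frame(seq, total, body, req_id=0):
    """Build a constructed reply datagram for the sample data below."""
    return struct.pack("!HHHH", req_id, seq, total, 0) + body

# Constructed sample traffic (documentation address ranges): src, sport, dst, payload.
SAMPLE = [
    ("198.51.100.7", 11211, "203.0.113.10",
     frame(0, 2, b"VALUE k 0 2000\r\n" + b"A" * 1384)),
    ("198.51.100.7", 11211, "203.0.113.10", frame(1, 2, b"A" * 616 + b"\r\nEND\r\n")),
    ("198.51.100.9", 11211, "203.0.113.10", frame(0, 1, b"STAT pid 1\r\nEND\r\n")),
    ("192.0.2.53", 53, "203.0.113.10", b"\x12\x34" + b"\x00" * 30),  # other UDP service
    ("192.0.2.80", 11211, "203.0.113.20", b"short"),  # too short for a frame header
]

if __name__ == "__main__":
    for dst, (nbytes, reflectors) in summarize(SAMPLE).items():
        print(f"{dst}: {nbytes} bytes from {reflectors} reflector(s) on UDP/11211")
```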

What You Can Do Right Now

If you run Memcached, disable UDP support immediately (--listen 127.0.0.1 or firewall port 11211/udp). Shodan currently indexes over 85,000 publicly exposed Memcached instances — each one is a potential weapon against any target on the internet.

Disabling UDP on Memcached costs you nothing. Leaving it enabled costs everyone.

Ceren Yildiz

Security Researcher at Akarguard
