The SANS ISC and US-CERT are raising awareness of UDP-based reflected DDoS attacks abusing memcached (UDP port 11211) that are circulating in the wild; see:

https://isc.sans.edu/forums/diary/How+did+this+Memcache+thing+happen/23391/

https://isc.sans.edu/forums/diary/Why+we+Dont+Deserve+the+Internet+Memcached+Reflected+DDoS+Attacks/23389/

https://www.us-cert.gov/ncas/alerts/TA14-017A

This memcached reflected DDoS thing is pretty bad. How bad? Well, US-CERT updated its UDP-Based Amplification Attacks advisory to add Memcache to the list of potential attack vectors. The really telling bit is the chart that shows the Bandwidth Amplification Factor. Before memcache was added, the largest factor was 556.9 from NTP, where each byte sent in to a vulnerable server would return about 557 bytes in attack traffic. Memcache is listed as 10,000 to 51,000. That's remarkably large.

So you got yourself a classic reflective amplified DDoS attack. Luckily, it isn’t too hard to block. You should see traffic *from* port 11211 if you are hit by this attack. Blocking all traffic from port 11211 should be possible as all modern operating systems tend to use a source port higher than that for client connections.

RECOMMENDATION

For vulnerable systems, change the memcached configuration settings for CACHESIZE and the listen address as follows:

1. Open /etc/memcached.conf in a text editor.
2. Locate the -m parameter.
3. Change its value to at least 1GB.
4. Locate the -l parameter.
5. Change its value to 127.0.0.1 or localhost.
6. Save your changes to memcached.conf and exit the text editor.
7. Restart memcached.
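The steps above can be checked and applied mechanically. The following Python script is an added example, not code from the ISC diaries or the US-CERT alert: it parses a Debian-style memcached.conf (one option per line, '#' comments, e.g. "-m 64", "-l 0.0.0.0"), reports whether the -l listen address is loopback-only and whether -m meets the recommended size, and emits a hardened copy. It assumes the Debian file layout and interprets "at least 1GB" as "-m 1024", since memcached's -m value is in megabytes; the sample configuration embedded in it is constructed, not taken from a real host.

```python
"""Audit a Debian-style /etc/memcached.conf for the two settings the
advisory names (-l listen address, -m cache size in MB) and emit a
hardened copy. Example code added to this page; assumes the Debian
one-option-per-line config format."""
import ipaddress

# Constructed sample: a default-looking Debian config that is exposed on
# every interface (the condition that makes a host usable as a reflector).
SAMPLE_CONF = """\
# memcached default config file
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

LOOPBACK_NAMES = {"localhost"}


def parse_conf(text):
    """Return {option: value} for single-dash options ('' for bare flags).
    Comments are stripped; lines not starting with '-' (e.g. 'logfile ...')
    are ignored; a repeated option keeps its last value."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or not line.startswith("-"):
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def is_loopback_only(listen):
    """True only if every address in -l (comma-separated) is loopback.
    A missing or empty -l means memcached listens on all interfaces."""
    if not listen:
        return False
    for addr in listen.split(","):
        addr = addr.strip()
        if addr in LOOPBACK_NAMES:
            continue
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                return False
        except ValueError:
            return False  # any other hostname: not proven safe, flag it
    return True


def audit(text, min_cache_mb=1024):
    """Return a list of human-readable findings; empty means compliant.
    The -l finding is the one that removes network exposure; -m is checked
    because the recommendation above asks for it."""
    opts = parse_conf(text)
    findings = []
    if not is_loopback_only(opts.get("-l")):
        findings.append("-l is %s: reachable from the network"
                        % opts.get("-l", "<unset, all interfaces>"))
    try:
        cache_mb = int(opts.get("-m", "64"))  # memcached's built-in default is 64 MB
    except ValueError:
        cache_mb = None
    if cache_mb is None or cache_mb < min_cache_mb:
        findings.append("-m is %s: below the recommended %d MB"
                        % (opts.get("-m", "<unset, default 64>"), min_cache_mb))
    return findings


def harden(text, min_cache_mb=1024):
    """Rewrite -l to 127.0.0.1 and raise -m to at least min_cache_mb,
    appending either option if absent; every other line is kept verbatim."""
    out, seen = [], set()
    for raw in text.splitlines():
        line_opts = parse_conf(raw)  # parse this single line
        if "-l" in line_opts:
            out.append("-l 127.0.0.1")
            seen.add("-l")
        elif "-m" in line_opts:
            try:
                current = int(line_opts["-m"])
            except ValueError:
                current = 0
            out.append("-m %d" % max(current, min_cache_mb))
            seen.add("-m")
        else:
            out.append(raw)
    if "-l" not in seen:
        out.append("-l 127.0.0.1")
    if "-m" not in seen:
        out.append("-m %d" % min_cache_mb)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
    print("--- hardened memcached.conf ---")
    print(harden(SAMPLE_CONF), end="")
```

Run it against a real file with `audit(open("/etc/memcached.conf").read())`; a non-empty result is the signal that step 7 (restarting memcached after the edit) has not yet taken effect or that the file was never changed. The audit treats an absent -l as exposed, because that is memcached's default behaviour, and it flags any non-loopback hostname rather than resolving it.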