Memcached Reflection DDoS Attacks Set New Traffic Records

Recently, the number of distributed denial‑of‑service (DDoS) attacks that exploit Memcached servers for reflection amplification has risen sharply, with traffic volumes exceeding the terabit‑per‑second (Tbps) level for the first time, prompting strong reactions from the industry.

On February 27, Cloudflare and Arbor Networks issued warnings that malicious actors were abusing the Memcached protocol to launch large‑scale reflection DDoS attacks, affecting many servers worldwide.

Within a day, GitHub reported a peak attack of 1.35 Tbps, setting a new DDoS record, followed by another peak of 400 Gbps. This surpassed the previous record of 1.1 Tbps.

The China National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT) reported that on March 1 the Memcached reflection attack peaked at 1.94 Tbps.

Tencent Cloud captured multiple Memcached reflection DDoS incidents up to March 6, targeting services such as online games and portal websites. The attacks showed a clear activity window from February 21, peaking on March 1, decreasing, and then rising again on March 5.

Reflection attacks work by spoofing the victim’s IP address and sending requests to open services (such as Memcached). The service replies with a payload many times larger than the request, directing the amplified traffic toward the victim. Memcached’s amplification factor can reach tens of thousands (≈ 5 × 10⁴), far higher than typical UDP‑based reflection attacks (30–50×), making it especially attractive to attackers.

Because of this massive amplification, attackers can generate huge traffic volumes with relatively little bandwidth.

Tencent Cloud’s Zeus Shield security system successfully mitigated the Memcached reflection attacks, keeping Tencent Cloud services unaffected. The company also assisted customers with self‑checks, monitoring, and remediation to prevent their servers from being used as reflectors.

Security recommendations include:

Strengthen monitoring and risk awareness for UDP reflection attacks, which account for over half of DDoS incidents.

Deploy high‑protection IP services (e.g., Tencent Cloud Zeus Shield) to hide origin servers and absorb large traffic spikes.

For industries prone to large‑scale attacks (portals, finance, gaming, government), increase defensive capacity and conduct regular attack simulations.