Reacting to an announcement from Corero that they discovered a Memcached DDoS attack kill switch, Mounir Hahad, head of threat research at Juniper Networks, commented:
“This kill switch is unfortunately just a band-aid. It will take an attacker only a few minutes to overcome by replanting the large file in the memcached servers again. It becomes a game of whack-a-mole: the attacker replants the file repeatedly and the good guys try to flush it out again and again. Try doing this on about 100,000 servers at the same time and you’ll realize it’s a cat and mouse chase.
I’ve given this advice over and over, but it bears repeating: There should be no business for these memchached servers to accept connections from the internet. People should be using firewall or routing rules to drop traffic from the internet to these servers, period.
It is very easy to mitigate this kind of amplification: just rate limit the particular port used by this service, 11211, which can be done by any decent firewall. Better yet, reconfigure your network to have memcached only allow connections from the desired servers.”