Port reference
Port 11211 (TCP/UDP) – Memcached
Default port for the Memcached distributed memory caching system.
Default state
Older Memcached versions listened on all interfaces over both TCP and UDP with no authentication. Modern packages disable UDP and bind to localhost by default, but exposed instances persist.
Common attacks
- UDP reflection/amplification DDoS (record ~50,000x amplification in 2018)
- Unauthenticated access to read or flush cached data
- Cache poisoning of application data
- Information disclosure of session tokens and secrets held in cache
Hardening
- Disable UDP (start with -U 0) unless explicitly required
- Bind to localhost or a private interface (-l 127.0.0.1)
- Never expose 11211 to the internet; firewall to trusted app hosts
- Enable SASL authentication and require TLS where supported
- Keep Memcached patched and rate-limit at the network edge
nmap snippet
nmap -p11211 --script memcached-info <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 11211?
Port 11211 is the default for Memcached, a high-performance distributed memory object caching system used to speed up dynamic web applications by caching query results, session data, and computed objects. Applications talk to it over TCP, and older configurations also enabled a UDP interface on the same port.
Why it matters for security
Memcached has no authentication by default and historically listened on all interfaces over UDP. That combination made it the engine behind some of the largest DDoS attacks ever recorded: in 2018, attackers abused open UDP 11211 for reflection/amplification reaching roughly 50,000x (CVE-2018-1000115). An exposed instance also leaks whatever is cached — often session tokens and sensitive application data.
How it's attacked
The headline attack is UDP reflection/amplification: an attacker sends small spoofed requests with the victim's source address, and Memcached floods the victim with huge responses. Over TCP, an exposed instance allows unauthenticated reads, flushes, and cache poisoning, exposing or corrupting the data applications rely on.
Hardening checklist
Disable UDP by starting Memcached with -U 0 unless you truly need it. Bind to localhost or a private interface with -l 127.0.0.1, and never expose 11211 to the internet; firewall it to trusted app hosts. Enable SASL authentication, require TLS where supported, keep Memcached patched, and rate-limit at the network edge. Use the nmap snippet above to check exposure on hosts you are authorized to test.
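An offline way to check an instance's own settings against this checklist, added here as an example rather than code from the page: it parses a `stats settings` reply (the field names udpport, inter, auth_enabled_sasl and ssl_enabled are assumed to match memcached's output) and flags each setting that contradicts the list; the sample reply below is constructed and deliberately weak.

```python
import socket
# Constructed `stats settings` reply from a weakly configured instance (sample data,
# not captured from a real host); field names assumed to match memcached's output.
SAMPLE_STATS_SETTINGS = (
    "STAT tcpport 11211\r\n"
    "STAT udpport 11211\r\n"
    "STAT inter NULL\r\n"
    "STAT auth_enabled_sasl no\r\n"
    "STAT ssl_enabled no\r\n"
    "END\r\n"
)
# Values memcached reports for `inter` when -l is unset or a wildcard (assumed).
BIND_ALL = {"", "NULL", "0.0.0.0", "::"}

def parse_stats(text):
    # Turn "STAT <name> <value>" lines into a dict; stop at the END marker.
    settings = {}
    for line in text.splitlines():
        if line == "END":
            break
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[0] == "STAT":
            settings[parts[1]] = parts[2]
    return settings

def audit(settings):
    # One (code, advice) pair per setting that contradicts the hardening checklist.
    findings = []
    if settings.get("udpport", "0") != "0":
        findings.append(("udp-enabled", "UDP listener on; start with -U 0"))
    if settings.get("inter", "NULL") in BIND_ALL:
        findings.append(("bind-all", "bound to all interfaces; use -l 127.0.0.1"))
    if settings.get("auth_enabled_sasl", "no") != "yes":
        findings.append(("no-sasl", "SASL off; enable it where clients support it"))
    if settings.get("ssl_enabled", "no") != "yes":
        findings.append(("no-tls", "TLS off; require it where supported"))
    return findings

def fetch_stats_settings(host="127.0.0.1", port=11211, timeout=3.0):
    # Read the same reply from a live instance over TCP (not exercised offline).
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"stats settings\r\n")
        buf = b""
        while not buf.endswith(b"END\r\n"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode("ascii", "replace")
```

Run `audit(parse_stats(fetch_stats_settings()))` on a host you administer to get the same findings for a live instance; an empty list means every checklist item is satisfied.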
Frequently asked questions
- Why is Memcached used for DDoS amplification?
- Its UDP interface returns large responses to tiny spoofed requests, reaching ~50,000x amplification (CVE-2018-1000115). Disable UDP with -U 0 and never expose 11211 to the internet.
- Does Memcached have authentication?
- Plain Memcached has none by default, though SASL is available. Treat it as unauthenticated, bind it to localhost or a private network, and firewall the port.