Perhaps a server, when running in development mode, should require a custom HTTP header? This would be a non-simple request, and the browser will refuse.
Would this be a reasonable counter-measure?
The services discussed - memcached, redis, etc - don't use HTTP. The attack is successful because the protocols follow the robustness principle of 'be liberal in what you accept', and simply ignore the HTTP cruft, but still process the command.
A secret value, whether it's called a 'password', a 'key', a 'token', or comes in an 'Authorization' header or 'X-CustomHeader' is always a good countermeasure.
For example:
POST / HTTP/1.1 << Ignored
Host: localhost:6379 << Ignored
SET abc 123 << Processed
QUIT << Processed