by r1ch 3028 days ago
This is a great example of why it's important to pick secure defaults when writing software, especially software that is often deployed on high bandwidth servers or cloud instances. If no listening interfaces are specified then the default should be to exit with an error, not listen on everything!

I also wonder if you can store something in a memcached cache that looks like a valid request, then reflect that with the source IP of another memcached server and let them burn each other out...

2 comments

Shortly after Cloudflare's blog post, memcached pushed a commit that disabled UDP by default:

https://github.com/memcached/memcached/commit/dbb7a8af90054b...

That's good, but they should go a step further and stop listening on all addresses by default.
And it's going to take a while for the new version to propagate to a released version, then to distributions, then to customer images and scripts, etc.
This is why I dislike that Ubuntu starts services by default after installing them.
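
An added example, not part of the thread or of memcached's own code: a small audit for the two defaults discussed above (no explicit listen address, UDP left on), run over a constructed one-option-per-line config in the style of a Debian/Ubuntu `/etc/memcached.conf`. It assumes only the short options `-l` and `-U` are used; the function names and sample file are hypothetical.

```python
import shlex

# Constructed sample config (one option per line); not taken from the thread.
SAMPLE_CONF = """\
# memcached default config file
-d
-m 64
-p 11211
-u memcache
# -l 127.0.0.1
"""

WILDCARDS = {"0.0.0.0", "::", "[::]", "*"}


def parse_options(conf_text):
    """Return {short_flag: value or None}, skipping comments and blank lines."""
    opts = {}
    for line in conf_text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens or not tokens[0].startswith("-"):
            continue
        # Accept both "-l 127.0.0.1" and the attached form "-l127.0.0.1".
        flag, attached = tokens[0][:2], tokens[0][2:]
        opts[flag] = attached or (tokens[1] if len(tokens) > 1 else None)
    return opts


def audit(conf_text):
    """Return findings; an empty list means both settings are explicit and restrictive."""
    opts = parse_options(conf_text)
    findings = []
    listen = opts.get("-l")
    if listen is None:
        findings.append("no -l: memcached listens on all addresses")
    elif any(addr.strip() in WILDCARDS for addr in listen.split(",")):
        findings.append(f"-l {listen}: wildcard listen address")
    udp = opts.get("-U")
    if udp is None:
        # Fail closed: do not rely on whichever default this build shipped with.
        findings.append("no -U: UDP left to the build default; set -U 0")
    elif udp != "0":
        findings.append(f"-U {udp}: UDP listener enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Treating a missing `-U` as a finding means the check does not depend on which memcached version an image or distribution package happens to ship.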