memcached UDP/11211 IOS XR ratelimit example
Dear all,

As you've probably read by now, we're facing a significant threat in the shape of the memcached UDP protocol. The current best practice is to apply rate-limits on all external facing ports and police UDP/11211 traffic down to something manageable. This protects both your own infrastructure and your customers.

Here are numerous pointers: http://www.senki.org/memcached-on-port-11211-udp-tcp-being-exploited/

I recommend adding memcached UDP/11211 to the same "exploitable ports" list as NTP, CHARGEN and SSDP. Below is a configuration example for IOS XR to rate-limit these amplification-sensitive UDP ports to 1% of the port's capacity.

    ipv4 access-list exploitable-ports
     permit udp any eq ntp any
     permit udp any eq 1900 any
     permit udp any eq 19 any
     permit udp any eq 11211 any
    !
    ipv6 access-list exploitable-ports-v6
     permit udp any eq ntp any
     permit udp any eq 1900 any
     permit udp any eq 19 any
     permit udp any eq 11211 any
    !
    class-map match-any exploitable-ports
     match access-group ipv4 exploitable-ports
     match access-group ipv6 exploitable-ports-v6
     end-class-map
    !
    policy-map ntt-external-in
     class exploitable-ports
      police rate percent 1
       conform-action transmit
       exceed-action drop
      !
      set precedence 0
      set mpls experimental topmost 0
     !
     class class-default
      set mpls experimental imposition 0
      set precedence 0
     !
     end-policy-map
    !
    interface Bundle-Ether19
     description Customer: the best customer
     service-policy input ntt-external-in
     ipv4 address xxx/x
     ipv6 address yyy/y
     ...
    !
    interface Bundle-Ether20
     service-policy input ntt-external-in
     ...
    ...
    etc
    ...

Please share your own examples too!

Kind regards,

Job
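As an added illustration (not part of Job's post or any vendor tooling), the following Python script applies the same match logic as the ACL above to constructed flow records, namely UDP only, matched on the *source* port, with the keyword ntp resolved to 123, and then checks whether the matched traffic would exceed a "police rate percent 1" policer. The 10 Gbit/s link speed and 60-second export window are assumptions.

```python
"""Classify constructed flow records the way the IOS XR ACL above does and
check whether the matched traffic would exceed a 'police rate percent 1'.
"""
from collections import defaultdict

# Source ports matched by "permit udp any eq <port> any" in the ACL
# (IOS XR resolves the keyword "ntp" to UDP/123).
EXPLOITABLE_UDP_SRC_PORTS = {123: "ntp", 1900: "ssdp", 19: "chargen", 11211: "memcached"}

# Constructed NetFlow-style records: (proto, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    ("udp", "198.51.100.10", 11211, "203.0.113.5", 443, 1_200_000_000),
    ("udp", "198.51.100.11", 11211, "203.0.113.5", 80, 900_000_000),
    ("udp", "192.0.2.7", 123, "203.0.113.9", 5000, 40_000),
    ("udp", "192.0.2.8", 53, "203.0.113.9", 33000, 2_000_000),   # DNS: not in the list
    ("tcp", "192.0.2.9", 11211, "203.0.113.5", 443, 3_000_000),  # TCP: the ACL says udp
    ("udp", "203.0.113.5", 40000, "192.0.2.20", 11211, 500),     # client query, src port != 11211
]

def matched_bytes_by_port(flows):
    """Sum bytes per exploitable *source* port, mirroring the ACL semantics:
    UDP only, and the match is on the source port (traffic coming back from reflectors)."""
    totals = defaultdict(int)
    for proto, _src, sport, _dst, _dport, nbytes in flows:
        if proto == "udp" and sport in EXPLOITABLE_UDP_SRC_PORTS:
            totals[EXPLOITABLE_UDP_SRC_PORTS[sport]] += nbytes
    return dict(totals)

def policer_verdict(total_bytes, window_seconds, link_bps, percent=1):
    """Return (observed_bps, allowed_bps, exceeds) for a 'police rate percent N' policer."""
    observed_bps = total_bytes * 8 / window_seconds
    allowed_bps = link_bps * percent / 100
    return observed_bps, allowed_bps, observed_bps > allowed_bps

if __name__ == "__main__":
    per_port = matched_bytes_by_port(SAMPLE_FLOWS)
    # Assumed: a 60-second flow export window on a 10 Gbit/s bundle interface.
    observed, allowed, exceeds = policer_verdict(sum(per_port.values()), 60, 10_000_000_000)
    for name, nbytes in sorted(per_port.items()):
        print(f"{name:10s} {nbytes:>13d} bytes")
    print(f"observed {observed / 1e6:.1f} Mbit/s vs policer {allowed / 1e6:.1f} Mbit/s -> "
          f"{'exceeds, excess dropped' if exceeds else 'within limit'}")
```

Note that only the two memcached reflector flows and the NTP flow count: the DNS flow, the TCP flow, and the outbound client query with an ephemeral source port all fall through to class-default, exactly as they would on the router.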
participants (1)
-
Job Snijders