In my opinion, the number one reason why the DDOS attack on github.com was possible, is because of a documentation bug. The Memcached documentation discourages restricting Memcached to listening to authorized machines only:
-l allows you to bind to specific interfaces or IP addresses. Memcached does not spend much, if any, effort in ensuring its defensibility from random internet connections. So you must not expose memcached directly to the internet, or otherwise any untrusted users."
Not exposing memcached directly to the internet is not always feasible or even realistic in a cloud situation, while not doing anything at all, is clearly not a solution either. The documentation does not even mention one example for the - l option. We need to hunt down examples elsewhere:
Memcached listen on selected interfaces
The
-loption can take [...] a comma separated list of IP addresses. An IP address may have an optional port specification. So, for instance:
memcached -l 127.0.0.1:11211,127.0.0.1:11212,10.1.2.3 -u 0
Memcached should be made to only listen to the IP addresses of downstream machines for which it caches data. All other machines should be prevented from talking to it.
A second reason for the DDOS problem is that the compromised systems may have been migrated from a private data center to a cloud situation without reviewing the important -l and -u configurations.