Memcrashed works by exploiting the memcached program. Memcached is an open-source, high-performance, distributed, object-caching system. It's commonly used by social networks such as Facebook and LiveJournal (where memcached was created) as an in-memory key-value store for small chunks of arbitrary data. It's the program that enables them to handle their massive data I/O. It's also used by many to cache their web-server-session data to speed up their sites -- and that's where the trouble starts.
When a server receives a memcached get request, it collects the requested values from memory to form a response. It then sends that response over the internet in an uninterrupted stream of multiple UDP packets, each with a length of up to 1,400 bytes.
An attacker can load large values into the data store and then use them in attacks. So, even with just a single one-megabyte stored value, the attacker uses a spoofed UDP packet request to ask for that 1MB of data to be sent hundreds of times per request over memcached's default UDP port, 11211.
More information about the attack: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
So what can you do?
If you're running memcached, according to SANS you should harden your memcached server by taking the following steps:
1. Open /etc/memcached.conf in a text editor.
2. Locate the -m parameter.
3. Change its value to at least 1GB.
4. Locate the -l parameter.
5. Change its value to 127.0.0.1 or localhost.
6. Save your changes to memcached.conf and exit the text editor.
If you're running memcached, you should also disable UDP support if you are not using it. As a potential victim, you should also close off port 11211.
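To confirm the settings above actually landed in the file, a small audit script can check them. This is an added example, not code from SANS or from the original article; the function names and the two sample configs are constructed for illustration, and it assumes short-form flags only, with `-U 0` being memcached's option that turns the UDP listener off.

```python
import shlex

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample configs (not taken from a real host).
WEAK_CONF = """-d
logfile /var/log/memcached.log
-m 64
-p 11211
-l 0.0.0.0
"""
HARDENED_CONF = """-d
-m 1024   # value is in megabytes, so 1024 = 1GB
-l 127.0.0.1
-U 0
"""

def parse_conf(text):
    """Return {flag: [values]} for the option lines of a memcached.conf body."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line.startswith("-"):          # skip blanks and non-flag lines
            continue
        parts = shlex.split(line)
        opts.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return opts

def audit(text):
    """Check the -l, -U and -m settings; return a list of findings."""
    opts = parse_conf(text)
    findings = []
    addrs = [a.strip() for v in opts.get("-l", []) for a in v.split(",")]
    if not addrs:
        findings.append("-l not set: listening on all interfaces")
    elif any(a not in LOOPBACK for a in addrs):
        findings.append("-l includes a non-loopback address: " + ",".join(addrs))
    if opts.get("-U", [])[-1:] != ["0"]:
        findings.append("-U 0 not set: UDP may be enabled on port 11211")
    mem = opts.get("-m", ["0"])[-1]
    if not mem.isdigit() or int(mem) < 1024:
        findings.append("-m is below 1024 MB (1GB) or not set")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
```

On a real host, pass the contents of /etc/memcached.conf to `audit()`; an empty list means all three settings match the steps above.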