In this type of attack, the host looks for an application listening on the destination port of each incoming datagram. When none is found, the host sends an ICMP "Destination Unreachable" packet back to the sender. The cumulative effect of being bombarded by such a flood is that the system becomes inundated and therefore unresponsive to legitimate traffic.
In a UDP flood DDoS attack, the attacker may also choose to spoof the source IP address of the packets. This ensures that the ICMP replies never reach the attacker's own host, while also keeping the attack completely anonymous.
What Are the Signs of a UDP Flood Attack?
Each time a new UDP packet is received by the server, resources are used to process the request. The first step in this process involves the server determining if any programs are running at the specified port. If no programs at that port are receiving packets, then the server issues an ICMP packet to notify the sender that the destination could not be reached.
When UDP flood attacks emanate from more than one machine, the attack is considered a Distributed Denial of Service (DDoS) threat. When multiple machines are used to launch UDP floods, the total traffic volume will often exceed the capacity of the link(s) connecting the target to the Internet, resulting in a bottleneck.
UDP is a networking protocol that is both connectionless and session-less. Unlike TCP, UDP traffic does not require a three-way handshake. As such, it requires less overhead and is perfectly suited for traffic such as chat or VoIP that doesn’t need to be checked and rechecked.
The same properties that make UDP ideal for certain kinds of traffic also make it more susceptible to exploitation. Without an initial handshake to establish a legitimate connection, UDP can be used to send a large volume of traffic to any host, and the protocol itself has no mechanism that limits the rate of a UDP flood.
As a result, UDP flood DoS attacks are exceptionally dangerous because they can be executed with a limited amount of resources. NETSCOUT's comprehensive DDoS protection solutions can help defend against UDP flood attacks.
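The mechanism described above (datagrams to ports with no listener, each of which would elicit an ICMP reply) gives a defender something concrete to count. The following is an added example, not code from NETSCOUT or from the original page: it parses a constructed set of flow records, tallies per second how many UDP datagrams hit ports with no listener and from how many sources, and flags seconds that look like a flood. The listening-port set, the log format, the thresholds and the sample traffic are all assumptions made for the illustration.

```python
import random
from collections import defaultdict

# Assumption: UDP ports with a listener on the protected host. Datagrams to any
# other port are the ones that would trigger ICMP "Destination Unreachable".
LISTENING_UDP_PORTS = {53, 123}

# Illustrative thresholds; a real deployment derives them from a traffic baseline.
CLOSED_PORT_PPS = 200        # datagrams/second aimed at ports with no listener
DISTINCT_CLOSED_PORTS = 50   # distinct closed ports hit within one second


def parse_record(line):
    """Parse a constructed flow line: '<ts_seconds> <proto> <src_ip> <dst_port>'."""
    ts, proto, src, dport = line.split()
    return float(ts), proto.lower(), src, int(dport)


def per_second_stats(lines, listening=LISTENING_UDP_PORTS):
    """Per one-second window: UDP count, datagrams to closed ports (each of which
    would cost the host an ICMP reply if it were not rate limited), distinct
    sources and distinct closed ports."""
    stats = defaultdict(lambda: {"udp": 0, "closed": 0,
                                 "srcs": set(), "closed_ports": set()})
    for line in lines:
        ts, proto, src, dport = parse_record(line)
        if proto != "udp":          # only UDP matters for this attack
            continue
        s = stats[int(ts)]
        s["udp"] += 1
        s["srcs"].add(src)
        if dport not in listening:
            s["closed"] += 1
            s["closed_ports"].add(dport)
    return dict(stats)


def flood_seconds(lines, pps=CLOSED_PORT_PPS, ports=DISTINCT_CLOSED_PORTS):
    """Seconds in which both the closed-port rate and the port spread exceed
    their thresholds. A legitimate burst to one service does not trip both."""
    return sorted(sec for sec, s in per_second_stats(lines).items()
                  if s["closed"] >= pps and len(s["closed_ports"]) >= ports)


def build_sample():
    """Constructed sample, not captured traffic: second 0 is ordinary DNS
    traffic plus one TCP flow; second 1 is a UDP flood with spoofed sources
    spread over random high ports (documentation IP ranges throughout)."""
    rng = random.Random(7)
    lines = [f"0.{k:03d} udp 198.51.100.{k % 5 + 1} 53" for k in range(0, 1000, 100)]
    lines.append("0.500 tcp 198.51.100.9 443")
    for i in range(500):
        src = f"203.0.113.{rng.randint(1, 254)}"
        dport = rng.randint(1024, 65535)
        lines.append(f"1.{i * 2:03d} udp {src} {dport}")
    return lines


if __name__ == "__main__":
    sample = build_sample()
    for sec, s in sorted(per_second_stats(sample).items()):
        print(f"second {sec}: udp={s['udp']} closed={s['closed']} "
              f"srcs={len(s['srcs'])} closed_ports={len(s['closed_ports'])}")
    print("flood seconds:", flood_seconds(sample))
```

The two-part test matters: a busy but healthy DNS server sees many datagrams to one open port, while a flood shows up as many datagrams to many closed ports, often from many (spoofed) sources. In practice the counters come from NetFlow/IPFIX or a packet capture at the edge rather than from a text log.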
How to Stop a UDP Flood Attack?
Stopping a UDP flood DDoS attack can be challenging. Most operating systems limit the rate at which they send ICMP responses, with the goal of blunting such attacks. The downside of this form of mitigation is that it also suppresses responses to legitimate packets. In the case of a truly high-volume flood, even if the server's firewall is able to mitigate the attack, congestion or slowdowns will in all likelihood occur upstream, causing disruption anyway.
Anycast is a network addressing and routing method in which requests to a single address can be routed to any of several different locations. Combined with deep packet inspection, it can be used to spread the attack load across a network of scrubbing servers.
Scrubbing software that looks at IP reputation, abnormal packet attributes and suspicious behavior can identify and filter out malicious DDoS packets, thus permitting only clean traffic to make it through to the server.
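The trade-off in host-side ICMP rate limiting is easier to see with numbers. The following is an added example and not NETSCOUT's code or the page's own: it replays a constructed workload (a trickle of legitimate datagrams that happen to hit closed ports, then a one-second spoofed flood) through a simple fixed-window limiter. The fixed window stands in for whatever algorithm a real operating system uses (an assumption made to keep the arithmetic exact), and the quota, timings and addresses are all constructed. It runs the same workload twice: once with a single shared quota, and once with a quota per reply destination, which shows why source spoofing defeats per-peer limits.

```python
from collections import defaultdict


def build_events():
    """Constructed workload (not captured traffic). Times are integer milliseconds.
    'legit' = a datagram from a real client that hit a closed port;
    'flood' = one attacker datagram to a closed port with a spoofed source.
    Both kinds would cost the host one ICMP Destination Unreachable reply."""
    events = []
    for k in range(20):                       # 10 legitimate per second, two seconds
        events.append((50 + 100 * k, "legit", f"198.51.100.{k % 3 + 1}"))
    for i in range(1000):                     # 1000 pps flood during second 1 only
        events.append((1000 + i, "flood", f"203.0.113.{i % 254 + 1}"))
    return sorted(events, key=lambda e: e[0])  # stable sort: legit first on ties


def simulate(events, quota_per_s, scope="global"):
    """Fixed-window limiter: at most quota_per_s ICMP replies per 1 s window.
    scope='global' shares one quota across all destinations;
    scope='peer' gives each reply destination (the datagram's source) its own.
    Returns per-second counts of replies sent and dropped, by traffic kind."""
    used = defaultdict(int)
    stats = defaultdict(lambda: {"legit_sent": 0, "legit_dropped": 0,
                                 "flood_sent": 0, "flood_dropped": 0})
    for ms, kind, peer in events:
        sec = ms // 1000
        key = (sec,) if scope == "global" else (sec, peer)
        if used[key] < quota_per_s:
            used[key] += 1
            stats[sec][f"{kind}_sent"] += 1
        else:
            stats[sec][f"{kind}_dropped"] += 1
    return dict(stats)


if __name__ == "__main__":
    for scope in ("global", "peer"):
        print(f"scope={scope}")
        for sec, s in sorted(simulate(build_events(), 100, scope).items()):
            print(f"  second {sec}: {s}")
```

With a shared quota of 100 replies per second, second 0 is untouched, but in second 1 the flood consumes the quota within the first tenth of a second and nine of the ten legitimate replies are dropped along with it: the limiter protects the host's CPU and uplink but not the legitimate clients. With a per-destination quota, every legitimate reply goes out, yet all 1000 flood-triggered replies go out too, because each spoofed source is a distinct destination. Neither setting touches the inbound volume, which is why the page sends the truly large floods upstream to scrubbing capacity.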
How can NETSCOUT help?
NETSCOUT's Arbor DDoS solution has been protecting the world's largest and most demanding networks from DDoS attacks for more than a decade. We strongly believe that the best way to protect your resources from modern DDoS attacks is through a multi-layer deployment of purpose-built DDoS mitigation solutions.
Only with a tightly integrated, multi-layer defense can you adequately protect your organization from the full spectrum of DDoS attacks.
NETSCOUT customers enjoy a considerable competitive advantage by getting both a micro view of their own network, via our products, combined with a macro view of global Internet traffic, via NETSCOUT Omnis Threat Horizon, an interface to our ATLAS threat intelligence and a DDoS Attack Map visualization.
Blocking Inbound and Outbound Cyberthreats
Watch this demo to learn how to block inbound and outbound cyberthreats with NETSCOUT's Arbor Edge Defense (AED).