What is a UDP Flood DDoS Attack?
A UDP flood is a form of volumetric Denial-of-Service (DoS) attack in which the attacker overwhelms random ports on the target host with IP packets containing User Datagram Protocol (UDP) datagrams. For each datagram, the host checks whether an application is listening on the destination port. When none is found, the host sends a “Destination Unreachable” packet back to the sender. The cumulative effect of being bombarded by such a flood is that the system becomes inundated and therefore unresponsive to legitimate traffic.
In a UDP flood DDoS attack, the attacker may also choose to spoof the source IP address of the packets. Spoofing ensures that the return ICMP packets do not reach the attacker's own host, while also keeping the attack completely anonymous.
What Are the Signs of a UDP Flood Attack?
Each time a new UDP packet is received by the server, resources are used to process the request. The first step in this process involves the server determining if any programs are running at the specified port. If no programs at that port are receiving packets, then the server issues an ICMP packet to notify the sender that the destination could not be reached.
When UDP flood attacks emanate from more than one machine, the attack is considered a Distributed Denial of Service (DDoS) threat. When multiple machines are used to launch UDP floods, the total traffic volume will often exceed the capacity of the link(s) connecting the target to the Internet, resulting in a bottleneck.
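The signs described above (a surge of UDP datagrams spread across many ports of one host, with that host sending ICMP Port Unreachable replies) can be checked for in packet or flow records. The following is an added example, not code from the original page; the record layout, the thresholds and the sample capture (documentation-range addresses) are constructed assumptions.

```python
from collections import defaultdict

# Thresholds are assumptions for this example; tune them to a measured baseline.
PPS_THRESHOLD = 200    # UDP datagrams per second toward one host
PORT_THRESHOLD = 100   # distinct destination ports per second on that host

def detect_udp_flood(records, pps=PPS_THRESHOLD, ports=PORT_THRESHOLD):
    """Records are (ts, proto, src, dst, dport, icmp_type, icmp_code) tuples."""
    udp_count, unreachable = defaultdict(int), defaultdict(int)
    udp_ports, udp_sources = defaultdict(set), defaultdict(set)
    for ts, proto, src, dst, dport, itype, icode in records:
        window = int(ts)                      # one-second buckets
        if proto == "udp":
            key = (window, dst)
            udp_count[key] += 1
            udp_ports[key].add(dport)
            udp_sources[key].add(src)         # may be spoofed: not attribution
        elif proto == "icmp" and (itype, icode) == (3, 3):
            # Port Unreachable is sent BY the flooded host, so key on src.
            unreachable[(window, src)] += 1
    alerts = []
    for key in sorted(udp_count):
        if udp_count[key] >= pps and len(udp_ports[key]) >= ports:
            alerts.append({
                "second": key[0], "host": key[1], "udp_pps": udp_count[key],
                "distinct_ports": len(udp_ports[key]),
                "distinct_sources": len(udp_sources[key]),
                "port_unreachable_sent": unreachable[key],
            })
    return alerts

def sample_records():
    """Constructed capture: steady DNS traffic plus a one-second burst at t=5."""
    host, recs = "192.0.2.10", []
    for s in range(10):                       # baseline: 20 DNS queries per second
        for i in range(20):
            recs.append((s + i / 20, "udp", "198.51.100.7", host, 53, None, None))
    for i in range(1000):                     # burst: varied ports and sources
        src = f"203.0.113.{i % 254 + 1}"
        recs.append((5 + i / 1000, "udp", src, host, 1024 + i * 37, None, None))
        if i % 10 == 0:                       # host's rate-limited ICMP replies
            recs.append((5 + i / 1000, "icmp", host, src, None, 3, 3))
    return recs

if __name__ == "__main__":
    for alert in detect_udp_flood(sample_records()):
        print(alert)
```

The Port Unreachable count is reported rather than used as a trigger, because ICMP rate limiting on the host keeps it far below the inbound datagram rate.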
Why Are UDP Flood DDoS Attacks Dangerous?
UDP is a networking protocol that is both connectionless and session-less. Unlike TCP, UDP traffic does not require a three-way handshake. As such, it requires less overhead and is perfectly suited for traffic such as chat or VoIP that doesn’t need to be checked and rechecked.
The same properties that make UDP ideal for certain kinds of traffic also make it more susceptible to exploitation. Without an initial handshake to ensure a legitimate connection, UDP channels can be used to send a large volume of traffic to any host. There are no internal protections that can limit the rate of a UDP flood. As a result, UDP flood DoS attacks are exceptionally dangerous because they can be executed with a limited amount of resources. NETSCOUT's comprehensive DDoS solutions can help protect from UDP flood attacks.
How to Stop a UDP Flood Attack?
Stopping a UDP flood DDoS attack can be challenging. Most operating systems attempt to limit the response rate of ICMP packets with the goal of stopping DDoS attacks. The downside to this form of mitigation is that it also filters out legitimate packets. In the case of a truly high-volume flood, even if the server’s firewall is able to mitigate the attack, congestion or slowdowns will in all likelihood occur upstream, causing disruption anyway.
Anycast technology, using deep packet inspection, can be used to balance the attack load across a network of scrubbing servers. Scrubbing software that is designed to look at IP reputation, abnormal attributes and suspicious behavior can uncover and filter out malicious DDoS packets, thus permitting only clean traffic to make it through to the server.
How to Prevent a UDP Flood Attack?
Anycast technology is a network addressing and routing method in which incoming requests can be routed to a variety of different locations. It can be used to balance the attack load across a network of scrubbing servers.
Scrubbing software that is designed to look at IP reputation, abnormal attributes and suspicious behavior can uncover and filter out malicious DDoS packets, thus permitting only clean traffic to make it through to the server.