+4 votes
in Security by (242k points)
UDP flood

1 Answer

+5 votes
by (1.6m points)
Best answer

UDP flood

The so-called UDP flood attack is a denial of service attack. As with other well-known flood attacks, such as ping flood, HTTP flood, or SYN flood, the attacker massively sends data packets to the target system with the intention of overloading it, rendering it unusable and preventing it from responding to legitimate requests. If the system reaches this state, the service is interrupted.

  1. What is a UDP flood?
  2. How is a UDP flood attack carried out?
  3. Measures to protect against UDP flood attacks

What is a UDP flood?

The UDP flood is one of the so-called volumetric DoS attacks: like the ping flood, its principle is based on saturating the target system with a massive flow of incoming data. UDP flood, therefore, is different from ping of death, which takes advantage of a memory error to render the target system unusable, or SYN flood, which locks server resources. All the mentioned DoS attacks have a common goal: to crash the victim's system to prevent the victim from making legitimate use of it.

The UDP flood attack became known to the general public due to several spectacular piracy attacks against international organizations. In addition to the Church of Scientology, various media and financial sector companies were affected. Under the flood of incoming data that the attack brought, many of the affected websites and services crashed and were sometimes unavailable to their users for hours. To perpetrate these attacks, the powerful Low Orbit Ion Cannon (LOIC) tool, designed to trigger UDP floods, was used.

How is a UDP flood attack carried out?

The UDP flood attack procedure is based on the particular characteristics of the User Datagram Protocol (UDP). If a UDP packet reaches a server, the operating system looks for waiting applications on the specified port. If no application is found, the server should inform the sender. Because UDP is a connectionless protocol, the server uses the Internet Control Message Protocol (ICMP) to inform the sender that the packet could not be delivered.

In the case of a UDP flood attack, the following sequence occurs:

  1. The attacker sends UDP packets with a spoofed IP sender address to random ports on the target system.
  2. On the destination system side, the following process must be repeated for each incoming packet:
    1. Check if an application is waiting on the port specified in the UDP packet. Since this is a randomly selected port, this is rarely the case.
    2. Send an ICMP "Destination Unreachable" packet to the supposed sender. Since the IP address has been spoofed, these packets are usually received by a third party.

The attacker saturates the target system by mass sending UDP data packets.

Measures to protect against UDP flood attacks

One sign that we are falling victim to a volumetric attack is the sudden increase in the volume of incoming network traffic. Network traffic is routinely monitored by network providers and other specialized companies. In this way, if there are signs of an attack, steps can be taken to minimize the damage.

The main measures that provide effective protection against UDP flooding include the following:

  • Limiting the speed of ICMP responses per unit of time: This throttling of ICMP responses is typically done at the operating system level.
  • Filtering at the firewall level on the server - This allows suspicious packets to be dropped. However, the firewall can also collapse under the volume of data from a UDP flood attack.
  • UDP packet filtering, except for DNS, at the network level: DNS queries are usually executed using UDP. With this measure, any other source generating a massive amount of UDP traffic will be considered suspicious and the packets in question will be discarded.

To mitigate the possibility of serious attacks, server operators also turn to specialized cloud services like Cloudflare, which distribute network traffic to a large number of data centers around the world. This allows for more bandwidth and thus better dampens the incoming data volume in the event of an attack. Additionally, the data stream is filtered by default to prevent various types of attacks from being carried out.
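As an added illustration that is not part of the answer above, the following Python models two points it makes: the random-closed-port signature from the attack sequence (many packets to many distinct ports that have no listener, each of which would trigger an ICMP "Destination Unreachable" reply) as a detection over a constructed packet list, and the OS-level ICMP reply rate limit as a token bucket. The listening ports, thresholds, sample addresses and rate values are assumptions chosen for the example.

```python
from collections import Counter, deque

# Constructed sample (not a real capture): (time_ms, src_ip, dst_udp_port).
LISTENING_UDP_PORTS = {53, 123}          # assumed listeners; other ports are closed
BENIGN = [(i * 500, "198.51.100.7", 53) for i in range(20)]      # 20 DNS queries
STRAY = [(t, "198.51.100.9", 40000 + t) for t in (1000, 3000, 5000, 7000, 9000)]
FLOOD = [(10000 + 2 * i, f"203.0.113.{i % 254 + 1}", 1024 + i)  # 500 pkts in 1 s,
         for i in range(500)]                                    # all to distinct ports
RECORDS = sorted(BENIGN + STRAY + FLOOD)

def udp_flood_stats(records, window_ms=1000):
    """Slide a window over UDP packets that hit closed ports (the ones the host
    would answer with ICMP 'Destination Unreachable'); return the peak packet
    count and the peak number of distinct closed ports seen in any window."""
    win, ports = deque(), Counter()
    peak_pkts = peak_ports = 0
    for t, _src, dport in records:
        if dport in LISTENING_UDP_PORTS:
            continue                      # a listener exists: normal traffic
        win.append((t, dport)); ports[dport] += 1
        while t - win[0][0] > window_ms:  # expire packets older than the window
            _, old = win.popleft(); ports[old] -= 1
            if ports[old] == 0:
                del ports[old]
        peak_pkts = max(peak_pkts, len(win)); peak_ports = max(peak_ports, len(ports))
    return peak_pkts, peak_ports

def is_udp_flood(records, pkt_threshold=100, port_threshold=50):
    """Many closed-port packets AND many distinct ports in one window is the
    random-port pattern from the attack sequence, not one misconfigured client."""
    pkts, ports = udp_flood_stats(records)
    return pkts >= pkt_threshold and ports >= port_threshold

def icmp_unreachable_budget(times_ms, rate_per_s=10, burst=10):
    """Token bucket modelling an OS-level ICMP reply rate limit (integer maths:
    1000 millitokens = one reply). Returns (replies_sent, replies_suppressed)."""
    tokens, last, sent, dropped = burst * 1000, times_ms[0], 0, 0
    for t in times_ms:
        tokens = min(burst * 1000, tokens + (t - last) * rate_per_s); last = t
        if tokens >= 1000:
            tokens -= 1000; sent += 1
        else:
            dropped += 1                  # reply throttled, CPU and uplink spared
    return sent, dropped

if __name__ == "__main__":
    print("flood:", is_udp_flood(RECORDS), udp_flood_stats(RECORDS))
    print("ICMP replies (sent, suppressed):",
          icmp_unreachable_budget([t for t, _, _ in FLOOD]))
```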