A User Datagram Protocol (UDP) flood attack is a type of denial of service (DoS) attack that relies on the fact that UDP is stateless. We recently discussed TCP SYN attacks being used to DoS targets; now we’re talking about UDP, which does not use TCP’s 3-way handshake.
One benefit of UDP over TCP is that it does not carry the overhead of this 3-way handshake; one drawback is that UDP cannot guarantee the order in which packets are received.
When a UDP datagram arrives, the target machine tries to route it by destination port to the corresponding application. If it cannot route the packet because no application is listening on that port, the system responds with an ICMP Destination Unreachable packet.
A UDP flood attack works by saturating random ports on a target machine with an influx of UDP packets. The source IP of these packets is usually spoofed, so the target machine cannot filter them and ends up replying to completely unsuspecting machines. Once the target machine is saturated with bogus UDP packets, it is unable to respond to real users until the backlog is cleared. At this point, the DoS attack has succeeded.
3 UDP Flood Attack Protection Techniques
1) One of the most effective ways to stop UDP flood attacks is to block malicious UDP packets at the firewall level. Sitting between the source and target of the attack, the firewall can stop the server from being depleted of resources. The downside is that you must be careful the firewall does not end up being an innocent casualty, since firewalls can run out of resources too.
2) A setting you can make on the target machine is to limit the number of ICMP Destination Unreachable packets that can be sent out in a given time period. Once this limit is reached, the server simply drops the packets instead of replying to them, freeing up some resources. This method has the downside that innocent UDP connections may also be affected; however, at this point you are already in the midst of a DoS attack, and their connection was going to fail anyway (there is no application on that port).
3) Use proprietary UDP flood protection hardware/software, such as Dell’s SonicWALL or Cisco routing equipment. These attempt to monitor UDP throughput and block it, similar to a standard firewall but much more focused. Although they vary in functionality, some include their own logging features so they know which UDP ports per target are likely to fail. If they ‘know’ the packets are going to fail when they reach the destination target, and there is a suspiciously high level of UDP traffic, they drop the packets before they can reach the target.
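To make the closed-port mechanism and the second protection technique concrete, here is an added Python example (not from the original post) that replays a constructed packet trace against a hypothetical host listening only on UDP 53 and 123, counts the ICMP Destination Unreachable replies the host would owe per second, and then applies a cap of 10 replies per second. The listening ports, addresses, timestamps and cap are all assumptions; the cap is modelled as a fixed one-second window rather than a real kernel’s token bucket.

```python
from collections import Counter

# Hypothetical target host: only these UDP ports have an application listening.
LISTENING_PORTS = {53, 123}

# Constructed sample traffic: (timestamp_ms, source_ip, destination_port).
# Two legitimate DNS queries, one stray datagram, and a 40-packet burst from
# spoofed sources against closed high ports starting at t=1000 ms.
SAMPLE_PACKETS = [
    (0, "192.0.2.10", 53),       # legitimate DNS query
    (500, "192.0.2.11", 9999),   # stray datagram, nothing listening
    (1100, "192.0.2.10", 53),    # legitimate DNS query during the flood
] + [(1000 + i * 5, f"198.51.100.{i + 1}", 40000 + i) for i in range(40)]


def closed_port_hits_per_second(packets, listening_ports):
    """Detection view: datagrams per second arriving at closed UDP ports.
    Each one costs the host an ICMP Destination Unreachable reply, so a
    sudden spike here is the signature of the flood described above."""
    hits = Counter()
    for ts_ms, _src, dport in packets:
        if dport not in listening_ports:
            hits[ts_ms // 1000] += 1
    return dict(hits)


def apply_icmp_rate_limit(packets, listening_ports, icmp_per_second):
    """Technique 2: cap ICMP Destination Unreachable replies per second
    (simplified to a fixed one-second window). Outcomes counted:
      delivered       - an application was listening, the cap never applies
      icmp_sent       - closed port, ICMP reply emitted (budget available)
      icmp_suppressed - closed port, budget exhausted, dropped silently"""
    outcomes = Counter()
    replies_sent = Counter()  # one-second window -> ICMP replies already sent
    for ts_ms, _src, dport in sorted(packets):
        if dport in listening_ports:
            outcomes["delivered"] += 1
            continue
        window = ts_ms // 1000
        if replies_sent[window] < icmp_per_second:
            replies_sent[window] += 1
            outcomes["icmp_sent"] += 1
        else:
            outcomes["icmp_suppressed"] += 1
    return outcomes


if __name__ == "__main__":
    print("closed-port hits/s:", closed_port_hits_per_second(SAMPLE_PACKETS, LISTENING_PORTS))
    print("with 10 ICMP/s cap:", dict(apply_icmp_rate_limit(SAMPLE_PACKETS, LISTENING_PORTS, 10)))
```

Note that the cap only ever touches datagrams to closed ports, so the two DNS queries are delivered regardless of how many flood packets arrive; the 30 suppressed replies are the resources the host keeps.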