Breaking Down DDoS UDP Flood Attacks

Telesoft

A UDP flood is a volume-based DDoS (Distributed Denial of Service) attack in which large numbers of UDP (User Datagram Protocol) packets are sent to a target server, limiting its ability to carry out its functions. Unlike TCP (Transmission Control Protocol), UDP does not require a three-way handshake to establish a connection; it runs with lower overhead and is well suited to carrying data that does not need to be checked and rechecked, such as VoIP. This also means it is easier for attackers to generate large traffic volumes with tools like Low Orbit Ion Cannon (LOIC) and UDP Unicorn.

DDoS UDP Flood Attack

In this type of DDoS attack the primary aim is to overwhelm the target network with packets sent to random UDP ports from forged source IP addresses. These requests force the target host to look for an application listening on each of those random ports (which may or may not exist) and to flood the network with Internet Control Message Protocol (ICMP) destination unreachable replies, thereby blocking legitimate requests. Blackhole routing is a commonly used last-resort defence against DDoS attacks: all traffic to the targeted address is sent to a null route, which drops every packet to that destination, legitimate or not.

This attack can be managed by deploying perimeter defences such as Intrusion Detection Systems and anti-DDoS techniques that filter unwanted traffic before it reaches the network. The target network would then neither receive nor respond to malicious UDP packets; however, this does risk blocking legitimate traffic from reaching services.

A more granular approach is available in the form of BGP Flow Specification (FlowSpec), carried as Network Layer Reachability Information (NLRI). This encoding format allows more specific attributes of traffic to be defined and propagated between routers. FlowSpec uses BGP to carry 12 attributes from Layers 3 and 4, providing a service similar to a firewall Access Control List: BGP can filter traffic based on specific combinations of criteria built from those 12 attributes, resulting in more efficient DDoS mitigation.

NLRI/FlowSpec attributes:

  1. Source Prefix
  2. Source Port
  3. Destination Prefix
  4. Destination Port
  5. IP Protocol
  6. Packet Length
  7. Port number (matches source OR destination TCP/UDP ports)
  8. ICMP Type
  9. ICMP Code
  10. DSCP number
  11. Fragment Type
  12. TCP Flag Type
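As an added illustration of the FlowSpec encoding described above (example code written for this page, not Telesoft's), the following Python builds the RFC 5575 NLRI for a rule matching oversized UDP datagrams to a victim prefix, together with the traffic-rate extended community that tells routers to drop matching traffic. The victim prefix 192.0.2.0/24 and the 1000-byte threshold are constructed placeholders.

```python
# Encode a BGP FlowSpec (RFC 5575) rule for a UDP flood: destination prefix,
# IP protocol and packet length components, plus a traffic-rate action.
import ipaddress
import struct

# RFC 5575 component types; components are emitted in ascending type order.
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12

# Numeric operator octet layout: e(end) a(and) len(2 bits) 0 lt gt eq.
OP_END, OP_AND, OP_LT, OP_GT, OP_EQ = 0x80, 0x40, 0x04, 0x02, 0x01
UDP = 17


def prefix_component(comp_type, cidr):
    """Type 1/2: <type, prefix length, only the octets covered by the mask>."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([comp_type, net.prefixlen]) + net.network_address.packed[:nbytes]


def numeric_component(comp_type, ops):
    """Types 3-8, 10, 11: <type, [operator, value]+>; ops is [(op_bits, value)]."""
    out = bytes([comp_type])
    for i, (op, value) in enumerate(ops):
        size = 1 if value < 0x100 else 2          # 1- or 2-octet value
        len_bits = (size.bit_length() - 1) << 4   # 1 octet -> 00, 2 octets -> 01
        end = OP_END if i == len(ops) - 1 else 0  # last operator closes the list
        out += bytes([end | len_bits | op]) + value.to_bytes(size, "big")
    return out


def flowspec_nlri(components):
    """Length-prefixed NLRI: one length octet below 240, else two with a 0xF nibble."""
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body


def traffic_rate_community(rate_bytes_per_sec, asn=0):
    """Extended community 0x8006 (traffic-rate); a rate of 0 drops matching traffic."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)


def udp_flood_rule(victim_prefix, min_len):
    """Destination prefix == victim, IP protocol == UDP, packet length > min_len."""
    return flowspec_nlri([
        prefix_component(DEST_PREFIX, victim_prefix),
        numeric_component(IP_PROTO, [(OP_EQ, UDP)]),
        numeric_component(PKT_LEN, [(OP_GT, min_len)]),
    ])
```

Calling `udp_flood_rule("192.0.2.0/24", 1000)` yields 13 bytes that a FlowSpec-capable speaker would advertise under AFI 1 / SAFI 133, paired with `traffic_rate_community(0)` as the drop action; a rate-limit instead of a drop is the same community with a non-zero bytes-per-second value.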

It is thought that over 56% of DDoS attacks are UDP floods, which is why visibility into DDoS attacks is so important. Security analysts need the right tools to quickly determine the origin of an attack, trace its footprint within the network, identify the attack vector and establish whether it is masking something more sinister, such as data exfiltration.

In carrier-scale networks DDoS attacks are an ongoing challenge for operators: as the resources for launching a DDoS attack become more readily available, the scale and frequency of attacks grow with them. Telesoft utilises unsampled flow monitoring to provide complete network visibility, allowing comprehensive digital forensics and analysis to assist threat investigation teams, as well as attack detection and mitigation using the latest threat signatures, cyber intelligence and encryption standards available.
