
Defending Against UDP-Based DDoS Attacks


One of the most common DDoS (distributed denial of service) cyberattacks, a UDP flood is a volumetric attack in which a target is overwhelmed with User Datagram Protocol (UDP) packets. UDP works on top of the IP – the Internet Protocol – and is used to relay datagrams over a network.

The attack abuses the process a server follows when a UDP packet arrives on one of its ports. The server first checks whether any running program is listening on that port. If none is, it sends back a message telling the sender that the destination could not be reached. By sending enormous numbers of such packets, a UDP flood forces a target’s routers, firewalls and servers to process and answer each one. The result is that network resources and bandwidth are exhausted and the network is effectively knocked offline for normal, legitimate traffic.

Volumetric cyber attacks, already popular with hackers in previous years, have only ramped up in the age of COVID-19 as people’s heavy reliance on remote services has increased. Attacks may be done for a range of purposes from extorting money (by threatening a large-scale attack, often by demonstrating using a smaller one) to simply causing problems for the heck of it. They can be extremely damaging to organizations.

Amplifying the problem

These DDoS attacks frequently make use of “botnets” – compromised machines used, often unwittingly, as part of an attack – to overload victims’ systems with DNS response traffic. DNS servers turn the domain names typed into a browser address bar into the numeric IP addresses that take people to the correct website. By directing massive numbers of look-up requests at vulnerable DNS servers with the source address spoofed to the victim’s IP address, the attacker has those servers deliver their responses to the targeted system, which is overloaded as a result.

These attacks are deliberately crafted so that the DNS response is considerably larger than the original request, thereby amplifying the attack, which is why they are referred to as amplification attacks. In this way a DDoS attack of 27Gbps can be amplified to as much as 300Gbps.

In the first several months of 2020, Amazon Web Services (AWS) reported a UDP reflection vector (an amplification method in which the attacker uses a third-party component to direct attack traffic to a target) that sent an unprecedented volume of 2.3 Tbps (terabits per second) at an unnamed target. This CLDAP (Connectionless Lightweight Directory Access Protocol) attack was approximately 44% larger than previous similar volumetric attacks observed by AWS. It resulted in three days of elevated threat levels before it subsided.

The categorization problem

The biggest challenge when it comes to detecting and blocking DDoS attacks is identifying malicious traffic. To use an analogy, a UDP flood volumetric attack is a bit like phoning up a hotel repeatedly and asking to be put through to the room of a guest who does not exist. The person answering the call at the hotel will waste valuable time looking up the fictitious guest and then telling the caller that no such person is staying at the hotel. If enough phone calls are made, it becomes harder for real potential customers to get through to the reception desk. Why does the receptionist keep picking up the phone? Simple: because they don’t know whether they’re being phoned by a time-waster or a real would-be guest. Whether you ignore legitimate calls because you think they’re fake (a false positive) or you fail to spot malicious calls (a false negative), both lead to less than optimal outcomes.

What is needed to deal with such attacks is a robust DDoS protection solution that can identify and respond to a wide variety of DDoS incidents, including UDP floods and DNS amplification attacks. It does this by absorbing and filtering malicious traffic in special cloud-based clusters that can scale to accommodate a DDoS attack without the service going offline, while still letting legitimate traffic through, so that customers are spared the loyalty-damaging periods of downtime. Such systems should additionally be able to block protocol attacks such as UDP traffic aimed at non-existent ports, while intelligently separating malicious clients from real ones.
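To make the two points above concrete (a flood of packets to ports with no listener, and the need to flag attackers without dropping real clients), here is an added toy detector in Python that is not part of the original article and is not any vendor’s product. It runs over constructed UDP flow records, assumes a hypothetical host that only listens on ports 53 and 123, and uses arbitrary example thresholds and documentation-range IP addresses.

```python
from collections import defaultdict

# Ports the protected host actually listens on (assumed for this example).
LISTENING_PORTS = {53, 123}

def summarize(records):
    """Per-source counters over (second, src_ip, dst_port, bytes) UDP records.
    A packet to a port with no listener is the case the article describes: the
    host has to look the port up and answer that it is unreachable."""
    stats = defaultdict(lambda: {"pkts": 0, "bytes": 0, "closed": 0,
                                 "ports": set(), "seconds": set()})
    for sec, src, dport, size in records:
        s = stats[src]
        s["pkts"] += 1
        s["bytes"] += size
        s["seconds"].add(sec)
        s["ports"].add(dport)
        if dport not in LISTENING_PORTS:
            s["closed"] += 1
    return stats

def classify(records, closed_pps=50, port_spread=20):
    """Label each source 'flood' or 'legit'. Two tunable signals: packets to
    closed ports per active second, and how many distinct ports a source hits.
    A single stray packet to a closed port stays 'legit', which is the
    false-positive case from the hotel analogy."""
    verdicts = {}
    for src, s in summarize(records).items():
        closed_rate = s["closed"] / max(len(s["seconds"]), 1)
        is_flood = closed_rate >= closed_pps or len(s["ports"]) >= port_spread
        verdicts[src] = "flood" if is_flood else "legit"
    return verdicts

def filter_traffic(records):
    """Mitigation step: drop packets from flood sources, pass everything else."""
    verdicts = classify(records)
    return [r for r in records if verdicts[r[1]] == "legit"]

def build_sample():
    """Constructed traffic (not a capture): one flood source spraying 300 packets
    over 3 seconds at 300 closed ports, one normal DNS client, and one client
    that sends a single packet to a closed port."""
    recs = [(i // 100, "198.51.100.7", 20000 + i, 64) for i in range(300)]
    recs += [(i, "203.0.113.5", 53, 60) for i in range(5)]
    recs.append((1, "203.0.113.9", 5060, 80))
    return recs

if __name__ == "__main__":
    sample = build_sample()
    print(classify(sample))             # flood source flagged, both clients legit
    print(len(filter_traffic(sample)))  # 6 packets pass the filter
```

In practice the thresholds would be set from a baseline of the host’s normal traffic, and the verdicts fed to an upstream scrubbing cluster rather than applied on the victim itself.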

Help is at hand

DDoS attacks are a problem that is not going away any time soon. Such attacks are getting larger, longer in duration, and more sophisticated all the time. Fortunately, so are the tools for dealing with them. While this problem might sound like (and is) a nightmare for companies, organizations and individuals to face, help is available to mitigate it, so that you can concentrate on offering the right services to the users who rely on you rather than worrying about unwanted downtime.