A UDP flood attack sends spoofed UDP packets at an extremely high packet rate from a wide range of forged source IP addresses. The unexpectedly high volume of incoming UDP packets overwhelms the victim's network, exhausting its resources and available bandwidth until it goes offline.
UDP stands for User Datagram Protocol, one of the oldest members of the Internet protocol suite, used by programs running on the various computers of a network. It is a sessionless/connectionless alternative to the Transmission Control Protocol (TCP), used primarily for low-latency, loss-tolerant communication between Internet applications by means of short messages called datagrams. Many key Internet applications rely on UDP, including the Domain Name System (DNS), where queries need to be fast and typically consist of a single request packet followed by a single reply packet.
UDP floods are not as straightforward to handle as TCP floods: they tend to be difficult to detect and challenging to block efficiently, and they are generally highly effective at flooding networks with unwanted traffic. The spoofed UDP packets carry random or fixed source IP addresses, which is easy to accomplish because UDP is connectionless and so involves no handshake or session that would verify the sender. Nothing in the protocol limits the rate of a UDP DoS flood. The attacker typically sends large UDP packets either to a single destination port or to random ports, and because there is no initial handshake this can be done with fairly few resources.
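As an added example (not part of the original article), the following Python detector illustrates the traffic signature described above from the defender's side: it buckets UDP packet records into one-second windows and flags windows whose packet rate and source-address diversity match a spoofed flood, also noting whether the traffic concentrates on one port or is spread over random ports. The packet records, thresholds and addresses are constructed for illustration and would be replaced by a real capture feed and a baseline tuned to the link.

```python
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    ts: float       # arrival time in seconds
    src_ip: str     # source address as seen on the wire (may be spoofed)
    dst_port: int
    length: int     # UDP payload size in bytes


def flood_windows(packets, window=1.0, pps_threshold=1000, min_unique_src=100):
    """Bucket packets into fixed time windows and flag each window whose
    packet rate AND source-address diversity match a spoofed UDP flood.
    Thresholds are hypothetical; tune them to the link's normal baseline."""
    buckets = defaultdict(list)
    for p in packets:
        buckets[int(p.ts // window)].append(p)
    alerts = []
    for idx in sorted(buckets):
        pkts = buckets[idx]
        pps = len(pkts) / window
        unique_src = len({p.src_ip for p in pkts})
        top_port, top_count = Counter(p.dst_port for p in pkts).most_common(1)[0]
        # >90% of packets on one port: a targeted service; otherwise random ports
        pattern = "single-port" if top_count / len(pkts) > 0.9 else "random-ports"
        if pps >= pps_threshold and unique_src >= min_unique_src:
            alerts.append({"window": idx, "pps": pps, "unique_src": unique_src,
                           "top_port": top_port, "port_pattern": pattern,
                           "avg_len": sum(p.length for p in pkts) / len(pkts)})
    return alerts


def sample_capture():
    """Constructed capture: one second of ordinary DNS queries from five
    resolvers, then one second of large spoofed datagrams to random ports."""
    rng = random.Random(7)
    pkts = [UdpPacket(i * 0.04, f"192.0.2.{i % 5 + 1}", 53, 60) for i in range(25)]
    for i in range(1500):
        spoofed_src = f"10.{i // 256}.{i % 256}.1"   # a different forged source per packet
        pkts.append(UdpPacket(1.0 + i / 1500, spoofed_src,
                              rng.randrange(1024, 65536), rng.randrange(1000, 1472)))
    return pkts


if __name__ == "__main__":
    for alert in flood_windows(sample_capture()):
        print(alert)
```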
UDP can also be used in a reflection attack, in which large volumes of unsolicited DNS responses are directed at a DNS server, or in VoIP and NTP environments. This kind of attack can affect the network and security elements en route to the target server, in particular the firewalls, which are overwhelmed very quickly because they open a new state entry for each UDP packet in the flood.
A UDP flood that takes the form of a DNS amplification attack (also known as an "alphabet soup attack") is possible because UDP does not impose any structure on the datagram payload. Attackers can therefore build large packets, fill them with garbage data (the "alphabet soup"), and send them to the host under attack.
UDP floods are among the most common DoS and DDoS attacks today, even though they use one of the oldest protocols on the Internet. The attacker's goal is typically to overwhelm firewalls and other components of otherwise resilient network infrastructure.