DRDoS Amplification Attacks Using UDP
Certain application-layer protocols that rely on User Datagram Protocol (UDP) may allow an attacker to greatly increase the bandwidth available to perform DDoS attacks.
UDP does not validate source IP addresses, meaning unless a protocol uses countermeasures, an attacker can forge the IP packet datagram to include an arbitrary source IP address. When many UDP packets have their source IP address spoofed to the user’s IP address, the destination server (known as an amplifier) responds to the user, creating a reflected denial-of-service (RDoS) attack.
Certain commands to UDP protocols elicit larger responses than the initial request; a single packet can generate hundreds of times the original bandwidth. This is called an amplification attack, and can be combined with a large-scale RDOS attack, using multiple amplifiers, to perform distributed reflective denial-of-service (DRDoS) attacks.
Detection of DRDoS attacks is not easy because of their use of large, trusted servers that provide UDP services. Network operators of these exploitable services may apply traditional DoS mitigation techniques. To detect a DRDoS attack, watch out for abnormally large responses to a particular IP address, which may indicate that an attacker is using the service.
Resolution
- Consider the use of a third-party DDoS mitigation tool.
- Review current DDoS mitigation tools with a view to assessing whether they are currently fit for purpose.
- Have a well-established DDoS playbook to call upon when an incident occurs. Appropriately skilled personnel should be called upon to ensure the best level of protection and mitigation.
Affected Platforms
Any UDP Communication
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.