
UDP Attacks Increase as DDoS Tactics Shift

Attackers launching distributed denial-of-service attacks are increasingly turning to the user datagram protocol, according to security researchers.  

In their report on DDoS (distributed denial-of-service) attacks for the third quarter of 2013, Prolexic Technologies noted that UDP attacks totaled 29.32 percent of all attacks – a 10 percent increase compared to the previous quarter. It is also 10 percent higher than the proportion of SYN attacks detected during the third quarter (roughly 18 percent).

According to the firm, the increases in UDP and UDP fragment floods are tied to the proliferation of global attack campaigns using PHP booter web shells.

Other firms have noted an uptick in UDP-based DDoS attacks as well.

“As an availability security practice we see attacks of all types and sizes, but the largest in volume and likewise most common attacks are user datagram protocol (UDP) based,” said Jeffrey Lyon, founder of anti-DDoS firm Black Lotus. “Unlike transmission control protocol (TCP), UDP is a stateless protocol which does not require sessions to be established between two hosts. This makes it easy for attackers to spoof a target to be attacked, and send those spoofed requests to vast numbers of servers across the Internet.”

“The servers will in turn attack the spoofed target with responses substantially magnified in size,” he continued. “The result is a catastrophically large distributed denial of service (DDoS) attack consisting of malicious domain name systems (DNS), simple network management protocol (SNMP) or other UDP responses.”

The good news is that most amplification attacks – DNS, SNMP, CHARGEN, etc – rely on IP spoofing to generate the large return payloads that ramp up an attack, observed Vann Abernethy, senior product manager for NSFOCUS.  

“There is a best practice that has been around for a while…which states that ingress filtering at the edge will help significantly reduce the effectiveness of spoofed address DDoS attacks,” he said. “It will not stop the attacker from also forging a source address, but mitigation of this then becomes a matter of either shutting off or rate-limiting the source address. Egress filtering is another good practice to help ensure that no packets leave your network with internal addresses. Finally, turn off services you aren’t using (e.g. SNMP, CHARGEN).”
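The ingress/egress filtering and source rate-limiting Abernethy describes, worked through as an added example (not code from the article or from NSFOCUS). It models an edge router that owns two constructed prefixes, refuses inbound packets that claim an internal source, refuses outbound packets whose source is not internal, and applies a per-source token bucket to what remains; the prefixes, packet records and rate parameters are all assumptions made up for the illustration.

```python
"""Anti-spoofing filters and per-source rate limiting at a network edge.

Added example: ingress filtering (drop Internet-facing packets that claim one
of our own addresses), egress filtering (drop outbound packets whose source is
not ours, so this network cannot be used to launch spoofed requests) and a
token-bucket rate limit per source address instead of an outright block.
All prefixes and packets below are constructed for the example.
"""
import ipaddress

# Constructed: the address space this edge is responsible for.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def is_internal(addr):
    """True if addr falls inside one of our prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def ingress_verdict(src):
    """Packet arriving from the Internet: a source inside our space is forged."""
    return "drop" if is_internal(src) else "accept"


def egress_verdict(src):
    """Packet leaving toward the Internet: only our own addresses may leave."""
    return "accept" if is_internal(src) else "drop"


class SourceRateLimiter:
    """Token bucket keyed by source address: allow a burst, then rate_pps."""

    def __init__(self, rate_pps, burst):
        self.rate = float(rate_pps)
        self.burst = float(burst)
        self._state = {}  # src -> (tokens, last_seen_time)

    def allow(self, src, now):
        tokens, last = self._state.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._state[src] = (tokens - 1.0, now)
            return True
        self._state[src] = (tokens, now)
        return False


def edge_verdicts(packets, limiter):
    """packets: iterable of (direction, src_addr, time_seconds).

    direction is "in" (from the Internet) or "out" (toward it).  Returns one
    verdict per packet: "drop", "accept" or "rate-limit".
    """
    verdicts = []
    for direction, src, now in packets:
        if direction == "in":
            verdict = ingress_verdict(src)
            if verdict == "accept" and not limiter.allow(src, now):
                verdict = "rate-limit"
        else:
            verdict = egress_verdict(src)
        verdicts.append(verdict)
    return verdicts


# Constructed sample traffic: four single packets, then a small flood from one
# outside source at the same instant.
SAMPLE_PACKETS = [
    ("in", "198.51.100.5", 0.0),   # claims to be ours from outside: forged
    ("in", "203.0.113.4", 0.0),    # ordinary inbound packet
    ("out", "203.0.113.4", 0.0),   # not ours, trying to leave: forged
    ("out", "10.1.2.3", 0.0),      # ordinary outbound packet
] + [("in", "203.0.113.9", 0.0)] * 5


def run_sample():
    """Apply the filters with a 2 packets/s, burst-3 limit per source."""
    return edge_verdicts(SAMPLE_PACKETS, SourceRateLimiter(rate_pps=2, burst=3))


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_sample()):
        print(pkt, "->", verdict)
```

The rate limiter keeps state per source, so one noisy outside address is throttled without touching the bucket of any other; as Abernethy notes, this does not stop forged sources at the attacker's end, it only limits what each claimed source can push through this edge.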

“Another development within the last year (July 2013) is the implementation of the Response-Rate Limiting (RRL) module by the Internet Systems Consortium (ISC) into BIND software,” said Abernethy. “This is yet another step that network administrators can take to prepare themselves for a potential amplification attack. However, this is only a bandage on the much larger issue of open-resolver DNS servers – so long as attackers can bounce traffic off these, the issue will remain.”

The popularity of UDP-based attacks means it is only a matter of time before cybercriminals launch DNS-style amplification attacks using other application protocols such as Trivial File Transfer Protocol (TFTP), Remote Authentication Dial-In User Service (RADIUS) or Network Time Protocol (NTP), blogged Cisco Systems Threat Research Engineer Jaeson Schultz.

“TFTP has limitations in that an attacker could send a read or write request to a TFTP server on port 69, but the TFTP server would respond to the spoofed source IP address (the victim) with either an acknowledgement packet or data packet (depending on the initial request),” Schultz blogged. “Amplification within this protocol isn’t optimal for attackers, but if enough TFTP servers are publicly reachable this could still be an effective attack. The TFTP server also responds from an ephemeral port potentially complicating victim mitigation efforts.”

“RADIUS (ports: 1645 / 1646 / 1812 / 1813) has the same amplification potential as TFTP, the only difference is the response type,” he continued. “RADIUS servers will respond to the ‘access request’ with an ‘access reject’ message. It’s unclear how many Remote Access Servers (RAS) are publicly accessible from the Internet to make this an effective attack. NTP can be leveraged much like SNMP with a larger amplification factor than either TFTP or RADIUS (though we won’t discuss how).”

NTP servers are plentiful, so be aware that port 123 UDP traffic may also carry substantial risks, he added.

“It’s important for network defenders and especially security architecture groups to think through bandwidth saturation and all possible choke points for both ingress and egress traffic,” Schultz blogged. “This process needs to happen well in advance of an actual attack.”
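A defender-side detection for the reflected traffic discussed in the quotes above, as an added example that is not part of the article or of Cisco's or Prolexic's material. It walks a set of constructed UDP flow records from the victim's side of the edge, matches inbound "responses" against the outbound requests this network actually sent, and flags replies nobody asked for. The service-port table lists only the protocols and ports named on the page; the flows, thresholds and addresses are assumptions for the example. The TFTP case shows the caveat Schultz raises: the server answers from an ephemeral port, so the port alone is not enough and the check falls back to volume.

```python
"""Spot reflected/amplified UDP traffic in flow records from the victim side.

Added example.  A reflector sends replies to a spoofed source, so from the
victim's network the tell-tale sign is an inbound UDP "response" with no
matching outbound request.  Ports are the ones named in the article; all
flow records below are constructed sample data.
"""
from dataclasses import dataclass

# UDP service ports named on the page as amplification sources.
REFLECTOR_PORTS = {
    19: "CHARGEN",
    53: "DNS",
    123: "NTP",
    161: "SNMP",
    1645: "RADIUS", 1646: "RADIUS", 1812: "RADIUS", 1813: "RADIUS",
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int
    inbound: bool  # True when the flow enters our network from the Internet


def find_reflection(flows, unsolicited_bytes=10_000, min_ratio=5.0):
    """Return a list of (flow, reason, amplification_ratio) findings.

    amplification_ratio is reply bytes / request bytes when we did send a
    request (useful for measuring how much a server we talk to amplifies),
    and None for unsolicited traffic, where there was never a request.
    """
    # Index our own outbound requests by the 4-tuple the reply would carry.
    requests = {}
    for f in flows:
        if not f.inbound:
            requests[(f.dst_ip, f.dst_port, f.src_ip, f.src_port)] = f

    findings = []
    for f in flows:
        if not f.inbound:
            continue
        service = REFLECTOR_PORTS.get(f.src_port)
        req = requests.get((f.src_ip, f.src_port, f.dst_ip, f.dst_port))
        if req is None:
            # No request from us: the reflected pattern.  Flag it on the
            # service port, or on sheer volume when the server answered from
            # an ephemeral port (TFTP does this), which the port table misses.
            if service or f.bytes >= unsolicited_bytes:
                findings.append((f, f"unsolicited {service or 'UDP'} response", None))
        else:
            ratio = f.bytes / req.bytes
            if service and ratio >= min_ratio:
                findings.append((f, f"{service} amplification", round(ratio, 1)))
    return findings


VICTIM = "198.51.100.10"  # constructed address in the documentation range

# Constructed sample: one legitimate DNS exchange, then three reflected floods.
SAMPLE_FLOWS = [
    Flow(VICTIM, 40001, "203.0.113.53", 53, 1, 60, inbound=False),
    Flow("203.0.113.53", 53, VICTIM, 40001, 1, 180, inbound=True),
    Flow("203.0.113.7", 123, VICTIM, 80, 200, 96_000, inbound=True),     # NTP
    Flow("203.0.113.9", 51234, VICTIM, 80, 500, 20_000, inbound=True),   # TFTP, ephemeral port
    Flow("203.0.113.8", 161, VICTIM, 80, 50, 70_000, inbound=True),      # SNMP
]


def sample_reasons():
    """Reasons for every finding over the constructed flows, in order."""
    return [reason for _, reason, _ in find_reflection(SAMPLE_FLOWS)]


if __name__ == "__main__":
    for flow, reason, ratio in find_reflection(SAMPLE_FLOWS):
        print(f"{flow.src_ip}:{flow.src_port} -> {flow.dst_ip}: {reason}"
              + (f" (x{ratio})" if ratio else ""))
```

The legitimate DNS answer is left alone because the matching outbound query exists and the reply is only three times its size; the three floods are reported even though only two of them come from a recognisable service port. In production the request index would be built from the same flow exporter over a sliding window, and the byte threshold tuned to the link's normal inbound UDP volume.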
