DDoS Protection

UDP Flood Attacks

The User Datagram Protocol (UDP) is a stateless transmission protocol that allows information and requests to be sent to a server without requiring a response or acknowledgment that the request was received. To launch a UDP flood, an attacker sends a large number of UDP packets with spoofed source addresses to random ports on a targeted host. The host checks for an application listening on each of these ports and, finding none, replies with an ICMP “Destination Unreachable” packet. The attacker sends more and more packets until the host is overwhelmed and can no longer respond to legitimate users.

UDP flood attack

DNS Amplification Attack

DNS amplification attacks are orchestrated when the attacker instructs bots or a botnet to send DNS queries with a forged source address to a legitimate server. This results in a large response sent back to the attacker’s victim, the real owner of the forged address. Attacks using thousands of name servers can direct gigabits of data per second against the target, while the actual bot used to initiate the assault is invisible to the victim.

NTP Amplification Attack

Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems. Similar to a DNS amplification attack, an NTP amplification attack is possible because NTP runs over UDP, which allows source IP spoofing, and because for many commands the NTP server returns far more data than the requester sends.

Typically, when carrying out NTP amplification, an attacker sends a request with the "monlist" command to the NTP server with the source IP address set to that of the attacker's intended denial-of-service target. The "monlist" command is used for diagnostics on the NTP server and returns a list of the last 600 IP addresses that have synchronized with the NTP server. This list is returned to the target in 30 separate UDP packets of 448 bytes each. The overall size may vary from server to server, but the volume of data is nearly 1,000 times larger than the packet sent by the attacker.

SSDP Amplification Attack

Simple Service Discovery Protocol (SSDP) is a network protocol used for the advertisement and discovery of network services and presence information, and is most commonly used as the basis of discovery for Universal Plug and Play (UPnP). Implementations send and receive information using the User Datagram Protocol on port number 1900. SSDP is abused mainly because it is connectionless, which allows source IP address spoofing, and because its responses are much larger than the requests that trigger them.

According to ShadowServer data, more than 15 million devices on the Internet are SSDP enabled and may be vulnerable to use in a DDoS attack. As in any reflective attack, the attacker must spoof the source IP address of the request to match the intended target, so that the vulnerable devices in the botnet flood the target with SSDP responses.
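Seen from the defender's side, the attacks described above leave two distinct footprints in flow data: a UDP flood hits one host on many random destination ports from many sources, while DNS, NTP and SSDP amplification arrives from a well-known service port (53, 123 or 1900) at a host that sent little or nothing to that service. The following is an added example, not code from this page or from Verisign, that applies both checks to constructed flow records. The record format ("src sport dst dport packets octets"), the threshold values and the sample addresses are assumptions; the NTP figures (30 packets of 448 bytes per reflector) are the ones given above.

```python
"""Detect UDP-flood and UDP-amplification patterns in flow records (added example).

The record format, thresholds and sample addresses below are assumptions made for this
example; they are not a vendor's export format or a recommended production tuning.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services abused as reflectors in the amplification attacks described on the page.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    octets: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: src sport dst dport packets octets (constructed format)."""
    src, sport, dst, dport, packets, octets = line.split()
    return Flow(src, int(sport), dst, int(dport), int(packets), int(octets))


def detect_udp_flood(flows, min_ports=20, min_packets=100):
    """Flag hosts hit on many distinct destination ports with a high packet count: the UDP flood
    signature. Returns {victim: (distinct_ports, distinct_sources, packets)}."""
    ports, sources, packets = defaultdict(set), defaultdict(set), defaultdict(int)
    for f in flows:
        ports[f.dst].add(f.dport)
        sources[f.dst].add(f.src)
        packets[f.dst] += f.packets
    return {
        dst: (len(ports[dst]), len(sources[dst]), packets[dst])
        for dst in ports
        if len(ports[dst]) >= min_ports and packets[dst] >= min_packets
    }


def detect_amplification(flows, min_reflectors=5, min_ratio=10.0):
    """Flag hosts receiving traffic from many reflector service ports while having sent little or
    nothing to that service (a legitimate client's own queries show up as outbound octets).
    Returns {(victim, service): (reflector_count, inbound_octets, outbound_octets)}."""
    inbound = defaultdict(int)     # (host, service) -> octets received from the service port
    outbound = defaultdict(int)    # (host, service) -> octets the host sent to the service port
    reflectors = defaultdict(set)  # (host, service) -> distinct reflector addresses
    for f in flows:
        if f.sport in REFLECTOR_PORTS:
            key = (f.dst, REFLECTOR_PORTS[f.sport])
            inbound[key] += f.octets
            reflectors[key].add(f.src)
        if f.dport in REFLECTOR_PORTS:
            outbound[(f.src, REFLECTOR_PORTS[f.dport])] += f.octets
    hits = {}
    for key, received in inbound.items():
        sent = outbound.get(key, 0)
        ratio = received / sent if sent else float("inf")  # nothing sent: pure reflection
        if len(reflectors[key]) >= min_reflectors and ratio >= min_ratio:
            hits[key] = (len(reflectors[key]), received, sent)
    return hits


def sample_flows():
    """Constructed records: one legitimate DNS exchange, an NTP monlist reflection against
    10.0.0.9 (eight servers each returning 30 packets of 448 bytes, as described above) and a
    UDP flood against 10.0.0.7 from 40 spoofed sources on 40 different ports."""
    lines = [
        "10.0.0.5 41000 192.0.2.53 53 1 70",     # a legitimate DNS query going out
        "192.0.2.53 53 10.0.0.5 41000 1 200",    # its answer coming back (ratio ~2.9, not flagged)
    ]
    for i in range(1, 9):
        lines.append(f"198.51.100.{i} 123 10.0.0.9 80 30 13440")       # 30 * 448 octets
    for i in range(1, 41):
        lines.append(f"203.0.113.{i} {40000 + i} 10.0.0.7 {1000 + 37 * i} 5 64")
    return [parse_flow(line) for line in lines]


if __name__ == "__main__":
    flows = sample_flows()
    print("UDP flood victims:", detect_udp_flood(flows))
    print("Amplification victims:", detect_amplification(flows))
```

The amplification check keys on the *source* port of inbound traffic because that is what the reflector leaves behind regardless of which port the attacker spoofed on the victim side; the inbound-to-outbound ratio is what separates a victim from an ordinary client that is simply receiving answers to its own queries.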

Learn more about how Verisign mitigates these types of DDoS attacks