UDP Based Denial-of-Service (DoS) Attack
Since the first documented Denial-of-Service (DoS) attack was launched in 1974 by a thirteen year old student, after he executed a program, he had written, on a PLATO terminal in one of the laboratories at the university research laboratory in the University of Illinois Urbana-Champaign, USA., that forced thirty one (31) users to power off at once, DoS attacks have increased in terms of frequency, duration, intensity and sophistication. DoS attacks can now be launched from anywhere in the world, by almost anybody with the requisite knowledge and skill set, against an unsuspecting victim. The objective of a DoS attack is to disrupt and deprive legitimate users from accessing online services which may lead to a lost in revenue and reputational damage for the vendor concerned and the service provider.
Denial-of-Service (DoS) Attack
A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices or other network resources due to the actions of a malicious actor that has subjected the system to a flood of unsolicited traffic, which consumes the available bandwidth, creating network congestion and exhausting or depleting network resources.
Distributed Denial-of-Service (DDoS) Attack
The essential difference between a Denial-of-Service (DoS) Attack and a Distributed Denial-of-Service (DDoS) Attack, in that instead of one computer system being used to attacked a victim, multiple computer systems are used to attack the victim.
User Datagram Protocol (UDP)
The User Datagram Protocol (UDP) has a number of properties that makes it susceptible to exploitation for DoS attacks. UDP is a connectionless protocol that uses datagrams embedded in Internet Protocol (IP) packets for communication without the need to create a session between the source and destination before transmission can take place. UDP does not validate the source Internet Protocol (IP) address. UDP is a generic carrier for higher-level protocols such as Network Time Protocol (NTP), Lightweight Directory Access Protocol (LDAP), Domain Name System (DNS), and Simple Network Management Protocol (SNMPv2). These protocols are often exploited in DoS attacks.
Prior to launching a DoS attack, a malicious actor will conduct a reconnaissance or recon of the victims network, using a combination of active and passive scanning to map its attack surface, identifying IP addresses, open ports and systems that have being misconfigured together with other vulnerabilities that can and may be exploited in a DoS Attack or leveraged in a reflective DoS attack. Active scanning entails sending test traffic into a network and querying individual endpoints, collecting basic profile information such as IP addresses, device name, make, model, firmware and operating systems. Passive scanning entails the silent analyses of network traffic to identify endpoints and to establish patterns in the traffic. Current software and patch versions on network devices can be checked and referenced against public databases containing lists of current patches, to determine which devices are using software that can be exploited in a DoS attack. Higher-level protocols such as LDAP, SNMPv2 and mDNS listening on open ports may be exploited to obtain potentially sensitive information of the devices in a network.
DoS attacks can be divided into direct and reflection attacks.
Direct attacks involve traffic sent directly to the victim from some infrastructure controlled by a malicious actor.
In reflection attacks, Internet connected third party servers are involuntarily used to reflect attack traffic towards the victim, through the use of IP Spoofing. Reflection, furthermore, serves to obscure the source of the attack traffic and to hide the identity of the malicious actor.
Internet Protocol (IP) Spoofing
The Internet Protocol (IP) provides a unified and simple abstraction for communication over the Internet. It identifies hosts by their IP addresses, allowing for data exchanges across networks. The simplicity of the Internet Protocol has proven immensely powerful however it has a number of inherent limitations, such as the lack of packet-level authenticity. Routers perform only a lookup for the destination address of incoming packets, the authenticity of the source IP address of packets is not validated on the path between sender and receiver. IP Spoofing is the creation of, and the modification of an Internet Protocol (IP) packet, replacing the genuine source address with a forged source address. By masquerading as a different host, a malicious actor can hide his or her true identity and location. The ability to forge the source IP address of a packet enables a number of cyber security threats, ranging from the impersonation of remote hosts to DDoS Reflection Attacks.
Certain commands to internet accessible services and higher-levels protocols, elicit responses that are much larger than the initial request. In the past, malicious actors were limited by the linear number of packets that could be directly sent to the victim to conduct a DoS attack, now a single packet can generate between 10 and 100 times the original bandwidth. This is called an amplification attack. Services such as Memcached and higher-level protocols such as NTP, LDAP, DNS, mDNS and SNMPv2 are used as accessories for amplification, increasing the payload of the attack traffic sent to a victim, enhancing the effectiveness of the DoS attacks. An Amplification attack is typically combined in a reflective DoS attack, in which third party servers with internet accessible services and higher-level protocols vulnerable to exploitation, are involuntarily used to reflect and amplify the attack traffic.
Distributed Denial-of-Service (DDoS) Reflection/Amplification Attack
A Distributed Denial of Service (DDoS) Reflective/Amplification attack incorporates all of the elements discussed thus far into a single DoS attack upon an unsuspecting victim. Multiple computer systems are used, together with reflection combined with amplification to send attack traffic to a victim with the objective of disrupting and depriving legitimate users from accessing its online services.
Intermediaries are increasingly being used to launch DoS attacks against victims. Today, DoS attacks are primarily launched via a Botnet. A botnet is a collection of internet connected computers and devices, geographically dispersed, which have, through security vulnerabilities or device weakness, been compromised and hijacked by a malicious actor, known as a Botnet Controller, who exercises control over them through the use of command and control software. The Botnet Controller can, through a command-and-control (C&C) server, instruct individual computers and devices, known as 'bots' or 'zombies', to send attack traffic to a victim. A Botnet Controller will offered his botnet as an on demand DDoS attack service, known as a "Booters" or as a "Booter service". Today, anybody, with the requisite knowledge and means, can hire the services of a "Booters" or of a "Booter service" for a specified time and fee, to launch a DDoS attack against a target of choice.
Bandwidth Amplification Factor
The potential effect of an amplification attack can be measured by the Bandwidth Amplification Factor (BAF), which is calculated as the number of UDP payload bytes that an amplifier sends in response to a request, compared to the number of UDP payload bytes of the request.
Number of (UDP payload in bytes) of response received from amplifier
Bandwidth Amplification Factor of Services & Protocols
The list of services and protocols, that use UDP as a generic carrier, currently processed by CSIRT-IE in monthly reports, together with their associated bandwidth amplification factor are listed below.
|Service / Protocol||Bandwidth Amplification Factor||Vulnerable Command|
|Memcached||10,000 - 51,000||Memcached get request|
|LDAP||46 - 70||Malformed request|
|DNS Open-resolver||28 - 54||Unrestricted Recursive Resolution|
|Portmap (RPCbind)||7 - 28||Malformed request|
|MC-SQLR||1 - 25||MC-SQLR request|
|mDNS||2 - 10||Unicast query|
|NetBIOS||2.56 - 3.85||Name Release or Name Conflict|
Services & Protocols - Amplification - Recommendations
|Service / Protocol||UDP Port||Recommendation|
|Memcached||11211 / UDP||Apply Firewall Rules - Block Port / Restrict Access|
|NTP||123 / UDP||Apply Firewall Rules - Block MONLIST responses|
|CHARGEN||19 / UDP||Apply Firewall Rules - Block Port / Restrict Access||MS-RDPEUDP||3389 / UDP||Apply Firewall Rules - Block Port / Restrict Access|
|LDAP||389 / UDP||Apply Firewall Rules - Block Port / Restrict Access|
|DNS Open-resolver||53 / UDP||Apply Firewall Rules - Block Port / Restrict Access|
|SSDP||1900 / UDP||Apply Firewall Rules - Block Port / Restrict Access|
|Portmap (RPCbind)||111 / UDP||Apply Firewall Rules - Block Port / Restrict Access|
|MC-SQLR||1434 / UDP||Apply Firewall Rules - Block Port / Restrict Access|
|mDNS||5353 / UDP||Apply Firewall Rules - Block Port / Restrict Access|
|SNMPv2||162 / UDP||Apply Firewall Rules - Block Port / Restrict Access|
|NetBIOS||137 / UDP||Apply Firewall Rules - Block Port / Restrict Access|
Additional Information.Radware - DDoS Survival Handbook
Sophos - DoS & Spoof Prevention
Internet Engineering Task Force (IETF) - RFC4732 - Internet Denial-of-Service Considerations
Internet Engineering Task Force (IETF) - RFC768 - User Datagram Protocol
Internet Engineering Task Force (IETF) - RFC760 - DOD Standard Internet Protocol
Internet Engineering Task Force (IETF) - RFC5405 - UDP Usage Guidelines for Application Designers
ICSI - An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks
Cybersecurity & Infrastructure Security Agency (CISA-US) - UDP-Based Amplification Attacks
Europol - World's Biggest Marketplace Selling Internet Paralysing DDoS Attacks Taken Down
CORE - Millions of Targets Under Attack - A Macroscopic Characterization of the DoS Ecosystem
Internet Society - Addressing the Challenge of IP Spoofing
Youtube video - UDP-based amplified reflection attacks