UDP Flood
UDP Flood
An attacker can flood a server with UDP packets targeted at random ports. The server will process the packet, discover there is no application, and then waste time sending an ICMP Destination Unreachable reply.
Sample Pcap
Follow the tcpdump guide to record a pcap during an attack to analyze it.
13:02:41.051373 192.168.0.1.1935 > 198.251.81.119.17710: udp 341 (DF) [tos 0x28] (ttl 48, id 0, len 369)
E(.q..@.0..Q......Qw..E..]..HTTP/1.1 200 OK
CACHE-CONTROL:
In the above, we see the source IP (192.168.0.1) is sending a UDP packet to 198.251.81.119 port 17710 (our server). It is a udp packet with the DF (don't fragment) flag set.
The content of the packet shows that it is an HTTP reply.
Here's another similar packet:
13:02:41.081976 172.16.0.1.57760 > 198.251.81.119.38699: udp 389 (DF) [tos 0x48] (ttl 50, id 0, len 417)
EH....@.2.'N.-....Qw...+..
.HTTP/1.1 200 OK
CACHE-CONTROL:
This time, the source IP (172.16.0.1) is sending a UDP packet to 198.251.81.119 port 38699 (our server). Notice each time, the UDP packets are sent to a different, random port.
How to Block
First, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are BuyVM, check the web panel to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.
Using the packet filter firewall, you will want to block all unwanted UDP packets. The easiest way to do this is to first whitelist the packets you want (create a rule that allows all good UDP packets in), then blacklist all remaining UDP (create a rule to drop all remaining UDP packets):
ext_ip="192.168.0.1"
pass in quick proto udp to $ext_ip port {domain ntp}
block drop quick proto udp to $ext_ip
This would whitelist DNS and NTP packets but drop all other UDP packets.
See Also
DDoS Defense