This section describes how UDP flood attacks work and how the FW defends against them.
UDP is a connectionless protocol: no connection is set up between the client and the server before data is sent. If packets are lost on the way from the client to the server, UDP neither detects the loss nor reports an error, which is why UDP is considered an unreliable transport protocol.
In some cases UDP is nevertheless the better choice, because it is considerably faster than TCP. TCP's connection setup, acknowledgements, retransmission and congestion control give it reliability, but at the cost of higher overhead and lower throughput. UDP leaves these mechanisms to higher-layer protocols and therefore transmits with minimal overhead.
However, attackers exploit UDP to launch UDP flood attacks, which are bandwidth-consumption attacks: the attacker directs zombie hosts (bots) to send large numbers of oversized UDP packets to the target server at a high rate. Because UDP has no handshake, the source addresses in these packets are trivially spoofed. The attack has the following adverse impacts:
UDP flood attacks can be mitigated by UDP fingerprint learning, UDP-TCP association, or rate limiting. UDP fragment attack defense works in either UDP fingerprint learning or rate limiting mode. UDP flood attack defense is used below to describe the mechanism; UDP fragment attack defense works in the same way.
Packets generated by a flooding tool usually share features, such as the same character string or payload content, and UDP fingerprint learning exploits this.
As shown in Figure 1, when the UDP traffic to a destination exceeds the configured threshold, fingerprint learning is triggered: the FW samples the traffic, dynamically generates fingerprints from the byte patterns common to the attack packets, and then discards packets matching those fingerprints.
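The following Python script is an added illustration of the fingerprint learning described above; it is not part of this document or of the FW software, and it does not reproduce the FW's own sampling or fingerprint format. It runs on constructed traffic: when the packet rate in a sampling window exceeds a threshold, the byte string shared by the largest share of packets becomes the fingerprint, and packets carrying it are discarded. The constants FP_LEN, TRIGGER_PPS and MIN_COVERAGE, the MARKER string and the sample payloads are assumptions made for the example.

```python
from collections import Counter
from typing import List, Optional, Set, Tuple

# Assumed, illustrative values; a firewall exposes these as configuration.
FP_LEN = 8           # length in bytes of a learned fingerprint
TRIGGER_PPS = 50     # UDP packet rate that triggers learning
MIN_COVERAGE = 0.6   # share of sampled packets a pattern must appear in

Packet = Tuple[str, bytes]   # (source IP, UDP payload)
MARKER = b"FLOODPKT"         # constant string planted in the constructed flood packets


def substrings(payload: bytes, length: int = FP_LEN) -> Set[bytes]:
    """Distinct byte strings of the given length at every offset of one payload."""
    return {payload[i:i + length] for i in range(len(payload) - length + 1)}


def learn_fingerprint(window: List[Packet]) -> Optional[bytes]:
    """Byte string shared by the largest share of packets in the window, or None
    if no string reaches MIN_COVERAGE. Each pattern is counted once per packet,
    so a pattern repeated inside one payload does not inflate its score."""
    hits: Counter = Counter()
    for _, payload in window:
        hits.update(substrings(payload))
    if not hits:
        return None
    pattern, count = hits.most_common(1)[0]
    return pattern if count / len(window) >= MIN_COVERAGE else None


def defend(window: List[Packet], window_seconds: float) -> Tuple[Optional[bytes], List[Packet]]:
    """Fingerprint learning as described above. Below the rate threshold every
    packet is forwarded unchanged; above it a fingerprint is learned from the
    sampled window and packets carrying it are discarded."""
    if len(window) / window_seconds <= TRIGGER_PPS:
        return None, list(window)
    fingerprint = learn_fingerprint(window)
    if fingerprint is None:
        return None, list(window)
    forwarded = [pkt for pkt in window if fingerprint not in pkt[1]]
    return fingerprint, forwarded


def build_sample() -> List[Packet]:
    """Constructed traffic, not a capture: 10 legitimate packets with differing
    payloads, then 90 flood packets from 50 zombie addresses that all carry
    MARKER at a varying offset surrounded by varying bytes."""
    legit = [(f"10.0.0.{i}", bytes([0x12, 0x34, i, 0]) + f"query-{i:04d}".encode())
             for i in range(1, 11)]
    flood = []
    for k in range(90):
        head = bytes([k] * (1 + k % 3))                          # 1 to 3 bytes, shifts the marker
        tail = bytes([(k * 3) % 256, (k * 5) % 256, (k * 11) % 256])
        flood.append((f"203.0.113.{k % 50 + 1}", head + MARKER + tail))
    return legit + flood


if __name__ == "__main__":
    fp, forwarded = defend(build_sample(), window_seconds=1.0)
    print("learned fingerprint:", fp)
    print("forwarded", len(forwarded), "of 100 packets")
```

In the sample, 100 packets in one second exceed TRIGGER_PPS, MARKER is present in 90 of them and is learned as the fingerprint, and only the 10 legitimate packets are forwarded. Note the caveat: the ten legitimate packets also share a fixed header, so legitimate traffic that crossed the threshold on its own would produce a fingerprint that drops it. This is why learning is only triggered above the rate threshold and why a learned fingerprint should be checked against known-good traffic before it is trusted.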
UDP is connectionless, so source authentication (challenging a source and checking that it answers from its claimed address) cannot be applied to UDP traffic directly: there is no handshake in which to challenge the sender. UDP-TCP association works around this. If UDP attacks occur, you enable TCP source authentication or other TCP control measures, and the whitelist of sources that those TCP measures produce decides whether a UDP packet is forwarded or discarded.
Some services, gaming for example, authenticate over TCP and then carry data over UDP. For such a service you can have the FW verify UDP packets against the TCP authentication. If the UDP service comes under attack, enable TCP attack defense on the FW so that only UDP packets from sources on the TCP attack defense whitelist are permitted. Figure 2 illustrates the association mechanism.
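The following Python script is an added example of the UDP-TCP association just described; it is not part of this document or of the FW software. It models the whitelist in a deliberately simple way: a source is whitelisted once it has sent a SYN and later the final ACK of the handshake, because a spoofed source never receives the SYN-ACK it would need to answer. The class name, the TTL constant, the string-valued TCP flags and the scenario addresses are assumptions for the example; the real FW builds its whitelist with its TCP attack defense, whose internals are not described here.

```python
from typing import Dict, Set

WHITELIST_TTL_S = 60.0   # how long a source stays trusted after its handshake (assumed value)


class UdpTcpAssociation:
    """Whitelist built from completed TCP handshakes and applied to UDP packets.

    Only the client side of the handshake is tracked: SYN makes the source
    half-open, and a later ACK from the same source completes it. A zombie
    sending SYNs with a spoofed address never gets past the half-open state.
    """

    def __init__(self, ttl: float = WHITELIST_TTL_S):
        self.ttl = ttl
        self.half_open: Set[str] = set()
        self.whitelist: Dict[str, float] = {}   # source IP -> expiry time
        self.udp_under_attack = False           # set when the UDP rate crosses the threshold

    def tcp_from_client(self, src: str, flags: str, now: float) -> None:
        """Feed client-to-server TCP segments; flags is "SYN" or "ACK" here."""
        if flags == "SYN":
            self.half_open.add(src)
        elif flags == "ACK" and src in self.half_open:
            self.half_open.discard(src)
            self.whitelist[src] = now + self.ttl

    def udp_allowed(self, src: str, now: float) -> bool:
        """Outside an attack every UDP packet passes; during one, only
        whitelisted and unexpired sources do."""
        if not self.udp_under_attack:
            return True
        expires = self.whitelist.get(src)
        if expires is None:
            return False
        if expires <= now:
            del self.whitelist[src]     # entry aged out, source must re-authenticate over TCP
            return False
        return True


def scenario() -> Dict[str, bool]:
    """Constructed exchange: a gaming client logs in over TCP and then plays over
    UDP, while a spoofing zombie only ever gets as far as SYN."""
    fw = UdpTcpAssociation()
    fw.tcp_from_client("10.0.0.5", "SYN", 0.0)
    fw.tcp_from_client("10.0.0.5", "ACK", 0.2)     # client answered the SYN-ACK
    fw.tcp_from_client("203.0.113.7", "SYN", 0.3)  # SYN-ACK goes to the spoofed address, no ACK follows
    zombie_before = fw.udp_allowed("203.0.113.7", 1.0)
    fw.udp_under_attack = True                     # UDP flood detected
    return {
        "zombie_before_attack": zombie_before,
        "client_during_attack": fw.udp_allowed("10.0.0.5", 5.0),
        "zombie_during_attack": fw.udp_allowed("203.0.113.7", 5.0),
        "client_after_ttl": fw.udp_allowed("10.0.0.5", 100.0),
    }


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {'forwarded' if allowed else 'discarded'}")
```

The whitelist is keyed on source IP alone, as the text describes, so every host behind the same NAT address as an authenticated client inherits its entry; the TTL limits how long that exposure lasts after the client stops using TCP.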
The FW can limit the rate of UDP packets destined for the same destination IP address and discard the excess, so that the flood does not congest the link or the server.
Rate limiting cannot distinguish normal packets from attack packets: once the limit is reached, legitimate packets to that destination are dropped along with the flood. It is therefore recommended only as a last resort, when UDP fingerprint learning and UDP-TCP association fail to defend against the UDP flood.
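The following Python script is an added example of per-destination rate limiting and of the caveat above; it is not part of this document or of the FW software. It implements a token bucket keyed by destination IP and runs it over a constructed one-second trace in which every tenth packet comes from a legitimate client. The limit, burst depth, addresses and arrival pattern are assumptions for the example. Timestamps are in milliseconds and tokens in thousandths of a packet so the arithmetic is exact.

```python
from typing import Dict, List, Tuple

LIMIT_PPS = 20   # UDP packets per second allowed per destination (assumed value)
BURST = 10       # bucket depth in packets (assumed value)

Packet = Tuple[int, str, str]   # (arrival time in ms, source IP, destination IP)
LEGIT_SRC = "10.0.0.9"


class PerDestinationLimiter:
    """Token bucket per destination IP. rate_pps tokens per second equals
    rate_pps milli-tokens per millisecond, so refill is integer arithmetic."""

    def __init__(self, rate_pps: int = LIMIT_PPS, burst: int = BURST):
        self.rate = rate_pps
        self.cap = burst * 1000
        self.buckets: Dict[str, Tuple[int, int]] = {}   # dst -> (milli-tokens, last update ms)

    def allow(self, dst: str, now_ms: int) -> bool:
        """True if a packet to dst may be forwarded now; a first-seen destination
        starts with a full bucket."""
        tokens, last = self.buckets.get(dst, (self.cap, now_ms))
        tokens = min(self.cap, tokens + (now_ms - last) * self.rate)
        if tokens >= 1000:
            self.buckets[dst] = (tokens - 1000, now_ms)
            return True
        self.buckets[dst] = (tokens, now_ms)
        return False


def build_sample() -> List[Packet]:
    """Constructed trace, not a capture: 100 UDP packets to one server in one
    second, one every 10 ms. Packets with k % 10 == 3 come from a legitimate
    client; the rest come from 40 flood sources."""
    pkts = []
    for k in range(100):
        src = LEGIT_SRC if k % 10 == 3 else f"203.0.113.{k % 40 + 1}"
        pkts.append((k * 10, src, "192.0.2.1"))
    return pkts


def run(pkts: List[Packet]) -> Dict[str, int]:
    """Apply the limiter to the trace and count what happened to legitimate traffic."""
    limiter = PerDestinationLimiter()
    stats = {"passed": 0, "dropped": 0, "legit_total": 0, "legit_dropped": 0}
    for now, src, dst in pkts:
        if src == LEGIT_SRC:
            stats["legit_total"] += 1
        if limiter.allow(dst, now):
            stats["passed"] += 1
        else:
            stats["dropped"] += 1
            if src == LEGIT_SRC:
                stats["legit_dropped"] += 1
    return stats


if __name__ == "__main__":
    print(run(build_sample()))
```

With a 10-packet burst and 20 packets per second, 29 of the 100 packets reach the server and 71 are dropped. The bucket refills by one packet every 50 ms, but the legitimate client's packets arrive between refills, so 9 of its 10 packets are dropped together with the flood; other destinations keep their own full bucket and are unaffected. That is the trade-off the text warns about.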