UDP Reflection Attacks - AWS Best Practices for DDoS Resiliency

UDP Reflection Attacks

User Datagram Protocol (UDP) reflection attacks exploit the fact that UDP is a stateless protocol. Attackers can craft a valid UDP request packet listing the attack target’s IP address as the UDP source IP address. The attacker has now falsified—spoofed—the UDP request packet’s source IP. The UDP packet contains the spoofed source IP and is sent by the attacker to an intermediate server. The server is tricked into sending its UDP response packets to the targeted victim IP rather than back to the attacker’s IP address. The intermediate server is used because it generates a response that is several times larger than the request packet, effectively amplifying the amount of attack traffic sent to the target IP address.

The amplification factor is the ratio of response size to request size and it varies depending on which protocol the attacker uses: DNS, NTP, SSDP, CLDAP, Memcached, CharGen, or QOTD. For example, the amplification factor for DNS can be 28 to 54 times the original number of bytes. So, if an attacker sends a request payload of 64 bytes to a DNS server, they can generate over 3400 bytes of unwanted traffic to an attack target. UDP reflection attacks are accountable for larger volume of traffic in comparison to other attacks. The UDP Reflection Attack figure illustrates the reflection tactic and amplification effect.

UDP Reflection Attack