UDP Reflection Attacks - AWS Best Practices for DDoS Resiliency

UDP Reflection Attacks

UDP reflection attacks exploit the fact that UDP is a stateless protocol. Attackers can craft a valid UDP request packet listing the attack target’s IP as the UDP source IP address. The attacker has now falsified—spoofed—the UDP request packet’s source IP. An attacker then sends the UDP packet containing the spoofed source IP to an intermediate server. The server is tricked into sending its UDP response packets to the targeted victim IP rather than back to the attacker’s IP address. The intermediate server is used because it generates a response that is several times larger than the request packet effectively amplifying the amount of attack traffic sent to the target IP address.

The amplification factor, which is the ratio of response size to request size, varies depending on which protocol the attacker uses: DNS, NTP, or SSDP. For example, the amplification factor for DNS can be 28 to 54 times the original number of bytes. So if an attacker sends a request payload of 64 bytes to a DNS server, they can generate over 3400 bytes of unwanted traffic to an attack target. Figure 3 illustrates the reflection tactic and amplification effect.

Figure 3: UDP Reflection Attack