
DRDoS Amplification Using UDP

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Certain application-layer protocols that rely on User Datagram Protocol (UDP) may allow an attacker to greatly increase the bandwidth available to perform distributed denial-of-service (DDoS) attacks.


Threat details

UDP is a connectionless protocol: the IP layer does not validate source addresses and UDP adds no handshake, so unless the application protocol adds a countermeasure of its own, such as session initiation (a challenge the client must answer before it receives anything substantial), an attacker can forge datagrams carrying an arbitrary source IP address. When many UDP requests are sent with their source address spoofed to the victim's address, the servers that receive them (the reflectors, also called amplifiers when their responses are larger than the requests) send their responses to the victim rather than to the attacker, producing a reflected denial-of-service (RDoS) attack that also conceals the attacker's own address.
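The "session initiation" countermeasure mentioned above, as an added example that is not part of the original alert: a hypothetical UDP service that answers first contact only with a small stateless cookie (an HMAC over the claimed source address and a time window, in the style of a SYN cookie) and sends its large response only once that cookie is echoed back from the same address. The service, its COOKIE: framing, the 64-byte minimum request size and the addresses and payloads in the demo are all this example's own assumptions; no sockets are opened, the handler is driven with constructed datagrams.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Hypothetical UDP service: any request of at least MIN_REQUEST bytes earns a
# large answer. The constants below are this example's own choices, not from
# any standard.
MIN_REQUEST = 64          # clients must pad first contact to at least this size
COOKIE_LEN = 16
COOKIE_TAG = b"COOKIE:"   # prefix that marks a cookie, in both directions
WINDOW_SECONDS = 60       # a cookie is valid for the current and previous window
SERVER_SECRET = os.urandom(32)   # held in server memory only; rotate on restart


def make_cookie(secret: bytes, src_ip: str, src_port: int, window: int) -> bytes:
    """Stateless cookie: an HMAC over the claimed source address and a time window.
    The server stores nothing; it recomputes the cookie when it comes back."""
    msg = f"{src_ip}:{src_port}:{window}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]


def build_full_response(request: bytes) -> bytes:
    """Stand-in for the real service: a response far larger than the request."""
    return b"DATA:" + request * 64


def handle_datagram(secret: bytes, src_ip: str, src_port: int, payload: bytes,
                    now: Optional[float] = None) -> Optional[bytes]:
    """Decide what to send back to (src_ip, src_port); None means drop silently.

    First contact only ever earns a cookie reply that is smaller than the
    request, so a spoofed request reflects fewer bytes than it cost to send
    (BAF < 1). The large response goes only to an address that has proven it
    received the cookie, which an attacker spoofing someone else's address
    never sees.
    """
    window = int((time.time() if now is None else now) // WINDOW_SECONDS)

    if payload.startswith(COOKIE_TAG):
        cookie = payload[len(COOKIE_TAG):len(COOKIE_TAG) + COOKIE_LEN]
        request = payload[len(COOKIE_TAG) + COOKIE_LEN:]
        for w in (window, window - 1):           # tolerate a window boundary
            if hmac.compare_digest(cookie, make_cookie(secret, src_ip, src_port, w)):
                return build_full_response(request)
        return None                               # bad or stale cookie: no reflection

    if len(payload) < MIN_REQUEST:
        return None                               # too small to pay for even a cookie reply

    # Reply is len(COOKIE_TAG) + COOKIE_LEN = 23 bytes, always <= MIN_REQUEST.
    return COOKIE_TAG + make_cookie(secret, src_ip, src_port, window)


def demo() -> Tuple[int, int]:
    """Walk the exchange for an honest client and for a spoofed request.
    Returns (bytes the honest client finally received, bytes the spoofing
    victim received); addresses and payloads are constructed for the demo."""
    secret = os.urandom(32)
    request = b"GET bigfile".ljust(MIN_REQUEST, b"\0")
    # Honest client: request -> cookie -> cookie + request -> full response
    first = handle_datagram(secret, "203.0.113.5", 4000, request, now=1000)
    full = handle_datagram(secret, "203.0.113.5", 4000, first + b"GET bigfile", now=1000)
    # Attacker spoofs the victim's address: the victim gets only the 23-byte cookie
    to_victim = handle_datagram(secret, "198.51.100.9", 4000, request, now=1000)
    return len(full), len(to_victim)


if __name__ == "__main__":
    print(demo())
```

The two design points that matter are the size rule on first contact (the unauthenticated reply must never exceed the request, which is why undersized requests are dropped rather than answered) and binding the cookie to the claimed source address, so a cookie obtained from one address cannot be replayed from another. Real protocols that do this include DTLS (HelloVerifyRequest) and QUIC (Retry and its amplification limit on unvalidated addresses).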

Certain commands to UDP protocols elicit responses much larger than the request that triggered them. A plain reflection attack is limited by the bandwidth the attacker can spend on spoofed requests; with amplification, a single small packet can return hundreds of times its own size to the victim. The increase is known as the bandwidth amplification factor (BAF), calculated as the size of the response payload in bytes divided by the size of the request payload in bytes (a BAF of 50 means a 2 byte request produces a 100 byte response). This is called an amplification attack; combined with reflection across many amplifiers it becomes a distributed reflective denial-of-service (DRDoS) attack, in which the victim receives the sum of all the amplified responses while the attacker's own bandwidth is spent only on the small requests.
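As an added example, not from the original alert: the BAF calculation from the paragraph above, and a simple check that applies it to unidirectional flow records (NetFlow/IPFIX style), flagging a host that receives traffic from amplifier ports far beyond anything it sent to them. The port-to-protocol mapping, the flow records and the thresholds are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Well-known UDP ports for protocols in the alert's table. The mapping is the
# example's own; the alert lists protocols, not ports.
AMPLIFIER_PORTS: Dict[int, str] = {
    17: "QOTD", 19: "CharGEN", 53: "DNS", 111: "RPCbind", 123: "NTP",
    137: "NetBIOS", 161: "SNMP", 389: "CLDAP", 520: "RIPv1",
    1900: "SSDP", 5353: "mDNS",
}


def baf(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: response payload over request payload."""
    if request_bytes <= 0:
        raise ValueError("request payload must be positive")
    return response_bytes / request_bytes


@dataclass(frozen=True)
class Flow:
    """One unidirectional UDP flow record; all records here are constructed."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


# Constructed sample: one host on our network is hit by NTP responses from four
# servers it never queried, while another host does an ordinary DNS lookup.
SAMPLE_FLOWS: List[Flow] = [
    Flow("192.0.2.11", 123, "203.0.113.10", 40000, 44_000),
    Flow("192.0.2.12", 123, "203.0.113.10", 40000, 44_000),
    Flow("192.0.2.13", 123, "203.0.113.10", 40000, 44_000),
    Flow("192.0.2.14", 123, "203.0.113.10", 40000, 44_000),
    Flow("203.0.113.20", 51234, "198.51.100.53", 53, 60),    # DNS query out
    Flow("198.51.100.53", 53, "203.0.113.20", 51234, 180),   # DNS answer back
]


def find_reflection(flows: List[Flow], min_ratio: float = 5.0,
                    min_reflectors: int = 3) -> List[dict]:
    """Flag hosts receiving amplifier-port traffic far beyond what they requested.

    For each (client, service port, server) triple, bytes the client sent to the
    service port are paired with bytes it received back from that port. A
    reflection victim receives responses it never requested, so the observed
    ratio is huge (or infinite) and the responses come from many servers.
    """
    sent = defaultdict(int)
    received = defaultdict(int)
    for f in flows:
        if f.dst_port in AMPLIFIER_PORTS:
            sent[(f.src_ip, f.dst_port, f.dst_ip)] += f.nbytes
        if f.src_port in AMPLIFIER_PORTS:
            received[(f.dst_ip, f.src_port, f.src_ip)] += f.nbytes

    per_victim = defaultdict(lambda: {"sent": 0, "received": 0, "reflectors": set()})
    for (client, port, server), nbytes in received.items():
        entry = per_victim[(client, port)]
        entry["received"] += nbytes
        entry["sent"] += sent.get((client, port, server), 0)
        entry["reflectors"].add(server)

    findings = []
    for (client, port), entry in per_victim.items():
        ratio = entry["received"] / entry["sent"] if entry["sent"] else float("inf")
        if ratio >= min_ratio and len(entry["reflectors"]) >= min_reflectors:
            findings.append({
                "victim": client, "port": port, "protocol": AMPLIFIER_PORTS[port],
                "received_bytes": entry["received"], "observed_ratio": ratio,
                "reflectors": len(entry["reflectors"]),
            })
    return sorted(findings, key=lambda f: f["received_bytes"], reverse=True)


if __name__ == "__main__":
    print(baf(2, 100))                 # the paragraph's example: BAF 50
    for finding in find_reflection(SAMPLE_FLOWS):
        print(finding)
```

Seen from the victim's edge, the tell-tale sign is response traffic from a service port with no matching outbound requests at all, which is why the ratio is reported as infinite. The same pairing works on a server's own flow logs to check whether it is being used as a reflector: there it sees the spoofed requests arriving from the victim's address and its own large replies going back, so run it with min_reflectors=1 and look at the observed ratio directly.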

For further information please see US-CERT Alert TA14-017A.

Protocols known to be usable as amplifiers, with the BAF reported for each in TA14-017A and the command or request that triggers the amplified response:

Protocol                 BAF        Vulnerable command
DNS                      28-54      see TA13-088A
NTP                      556.9      see TA14-013A
SNMPv2                   6.3        GetBulk request
NetBIOS                  3.8        Name resolution
SSDP                     30.8       SEARCH request
CharGEN                  358.8      Character generation request
QOTD                     140.3      Quote request
BitTorrent               3.8        File search
Kad                      16.3       Peer list exchange
Quake Network Protocol   63.9       Server info exchange
Steam Protocol           5.5        Server info exchange
mDNS                     2-10       Unicast query
RIPv1                    131.24     Malformed request
RPCbind                  7-28       Malformed request
LDAP                     46-55      Malformed request
CLDAP                    56-70

Remediation steps

  • Consider the use of a third-party DDoS mitigation service.
  • Review current DDoS mitigation tools to assess whether they remain fit for purpose.
  • Have a well-established DDoS playbook to call upon when an incident occurs, and ensure appropriately skilled personnel are available to provide the best level of protection and mitigation.

 


Last edited: 11 November 2020 9:42 am