WP What is UDP | From Header Structure to Packets Used in DDoS Attacks | Imperva

User datagram protocol (UDP)

151.2k views
DDoS

What is user datagram protocol (UDP)

User datagram protocol (UDP) operates on top of the Internet Protocol (IP) to transmit datagrams over a network. UDP does not require the source and destination to establish a three-way handshake before transmission takes place. Additionally, there is no need for an end-to-end connection.

Since UDP avoids the overhead associated with connections, error checks and the retransmission of missing data, it’s suitable for real-time or high performance applications that don’t require data verification or correction. If verification is needed, it can be performed at the application layer.

UDP is commonly used for Remote Procedure Call (RPC) applications, although RPC can also run on top of TCP. RPC applications need to be aware they are running on UDP, and must then implement their own reliability mechanisms.

The benefits and downsides of UDP

UDP has a number of benefits for different types of applications, including:

  • No retransmission delays – UDP is suitable for time-sensitive applications that can’t afford retransmission delays for dropped packets. Examples include Voice over IP (VoIP), online games, and media streaming.
  • Speed – UDP’s speed makes it useful for query-response protocols such as DNS, in which data packets are small and transactional.
  • Suitable for broadcasts – UDP’s lack of end-to-end communication makes it suitable for broadcasts, in which transmitted data packets are addressed as receivable by all devices on the internet. UDP broadcasts can be received by large numbers of clients without server-side overhead.

At the same time, UDP’s lack of connection requirements and data verification can create a number of issues when transmitting packets. These include:

  • No guaranteed ordering of packets.
  • No verification of the readiness of the computer receiving the message.
  • No protection against duplicate packets.
  • No guarantee the destination will receive all transmitted bytes. UDP, however, does provide a checksum to verify individual packet integrity.

UDP header packet structure

UDP wraps datagrams with a UDP header, which contains four fields totaling eight bytes.

The fields in a UDP header are:

    • Source port – The port of the device sending the data. This field can be set to zero if the destination computer doesn’t need to reply to the sender.
    • Destination port – The port of the device receiving the data. UDP port numbers can be between 0 and 65,535.
    • Length – Specifies the number of bytes comprising the UDP header and the UDP payload data. The limit for the UDP length field is determined by the underlying IP protocol used to transmit the data.
    • Checksum – The checksum allows the receiving device to verify the integrity of the packet header and payload. It is optional in IPv4 but was made mandatory in IPv6.
      The fields in a UDP header

      The fields in a UDP header

UDP DDoS threats and vulnerabilities

UDP’s lack of a verification mechanism and end-to-end connections makes it vulnerable to a number of DDoS attacks. Attackers can spoof packets with arbitrary IP addresses, and reach the application directly with those packets.

This is in contrast to TCP, in which a sender must receive packets back from the receiver before communication can start.

UDP specific DDoS attacks include:

  • UDP Flood

UDP flood involves large volumes of spoofed UDP packets being sent to multiple ports on a single server, knowing that there is no way to verify the real source of the packets. The server responds to all the requests with ICMP ‘Destination Unreachable’ messages, overwhelming its resources.

In addition to the traditional UDP flood, DDoS perpetrators often stage generic network layer attacks by sending mass amounts of fake UDP packets to create network congestion. These attacks can only be mitigated by scaling up a network’s resources on demand, as is done when using a cloud DDoS mitigation solution.

  • DNS Amplification

DNS amplification attack involves a perpetrator sending UDP packets with a spoofed IP address, which corresponds to the IP of the victim, to its DNS resolvers. The DNS resolvers then send their response to the victim. The attack is crafted such that the DNS response is much larger than the original request, which creates amplification of the original attack.

When done on a large scale with many clients and multiple DNS resolvers, it can overwhelm the target system. A DDoS attack with capacity of 27Gbps can be amplified to as much as 300Gbps using amplification.

  • UDP Port Scan

Attackers send UDP packets to ports on a server to determine which ports are open. If a server responds with an ICMP ‘Destination Unreachable’ message, the port is not open. If there is no such response, the attacker infers that the port is open, and then use this information to plan an attack on the system.

See how Imperva DDoS Protection can help you with UDP DDoS attacks.

How Imperva helps mitigate UDP attacks

Imperva DDoS protection services mitigate the above-described attacks as follows:

Volume Based Attacks: Imperva counters UDP floods and DNS amplification attacks by absorbing and filtering out malicious traffic using our global network of scrubbing centers—cloud-based clusters that scale on demand to counter DDoS attacks. The scrubbing center identifies and drops malicious requests, while allowing legitimate user traffic to get through to your network.

Protocol Attacks: Imperva can block “bad” traffic—for example, UDP traffic aimed at non-existent ports—before it even reaches your site. Imperva also provides visitor identification technology that differentiates between legitimate website visitors (humans, search engines etc.) and automated or malicious clients.