Distributed denial of service (DDoS) attacks have grown significantly in size over the last three years. A recent instance nicknamed “Memcrashed” was the latest to break the record for largest DDoS attack ever recorded, with 1.7 Tbps of traffic. How did this attack achieve such a massive traffic tidal wave? Through a technique called UDP amplification, a departure from the blueprint for most major DDoS assaults in recent memory, which relied on botnets of IoT devices. WatchGuard CTO Corey Nachreiner explained how UDP amplification works and why these attacks have so much DDoS potential in a recent column for Cyber Defense Magazine.
One of the reasons UDP amplification can generate such enormous DDoS attacks is that UDP does not set up a connection between two devices before data is sent. There is no handshake, so a server that receives a UDP packet has no way to check that the source address in the packet is genuine before it sends a response. DDoS attackers take advantage of this by sending UDP requests to public internet servers with the source address forged to be the victim’s IP address. Since UDP is connectionless, the server blindly sends its response to the victim, even though the request actually came from the attacker. What’s worse, cyber criminals have found UDP services whose replies are far larger than the request that triggers them, so the traffic is amplified as well as reflected. The Memcrashed attack used a protocol called “Memcached” that, when a server is exposed to the internet over UDP, can produce a response 10,000-51,000 times the size of the request!
Here’s an excerpt from Corey’s article where he wraps up how UDP amplification attacks work:
“To summarize, UDP amplification attacks succeed because UDP is spoof-able, that spoof-ability allows attackers to reflect some requests off of common public servers to unknowing victims, and some UDP services allow for tiny requests that generate exponentially larger replies. While each of these UDP services has slightly different request characteristics, all UDP amplification attacks essentially prey on these three issues combined together.”
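The three ingredients above (a tiny request, a spoofed source address, and a reply that lands on the victim) can be made concrete with a short Python script. This is an added example for this page, not code from Corey’s column, from WatchGuard, or from the memcached project. It builds, without sending, the 15-byte memcached UDP “stats” query an attacker would reflect, computes the bandwidth amplification factor for an assumed reply size, and then runs a simple detection over a constructed set of packet records that show what reflection looks like from the victim’s side: many servers answering questions the victim never asked, all from a known amplifier port. The function names, thresholds and packet records are this example’s own assumptions; the reply size passed to the factor calculation is illustrative, not a measured value.

```python
"""Toy analysis of UDP reflection/amplification traffic (constructed example)."""
import struct
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of services that have been abused as amplifiers.
# memcached listens on 11211. These are ports to watch, not measured ratios.
AMPLIFIER_PORTS = {
    11211: "memcached",
    53: "DNS",
    123: "NTP",
    1900: "SSDP",
    19: "chargen",
}


@dataclass(frozen=True)
class UdpRecord:
    """One UDP datagram as seen at the victim's network edge."""
    ts: float      # seconds since start of capture
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    length: int    # UDP payload bytes


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification: bytes the reflector sends to the victim
    per byte the attacker had to send to the reflector."""
    if request_bytes <= 0:
        raise ValueError("request must be non-empty")
    return response_bytes / request_bytes


def memcached_stats_request() -> bytes:
    """Build (not send) the datagram an attacker reflects: memcached's 8-byte
    UDP frame header (request id, sequence number, total datagrams, reserved;
    all big-endian 16-bit) followed by the ASCII 'stats' command. 15 bytes."""
    header = struct.pack("!HHHH", 0, 0, 1, 0)
    return header + b"stats\r\n"


def find_reflection_floods(records, min_bytes_per_sec=10_000, min_reflectors=2):
    """Flag victims receiving high-rate UDP traffic *from* amplifier service
    ports. Returns {(victim_ip, service): summary} for every group whose
    volume and number of distinct reflectors both cross the thresholds."""
    groups = defaultdict(list)
    for r in records:
        if r.src_port in AMPLIFIER_PORTS:
            groups[(r.dst_ip, r.src_port)].append(r)

    findings = {}
    for (victim, port), recs in groups.items():
        total = sum(r.length for r in recs)
        span = max(r.ts for r in recs) - min(r.ts for r in recs)
        rate = total / max(span, 1.0)        # never divide by a sub-second window
        reflectors = {r.src_ip for r in recs}
        if rate >= min_bytes_per_sec and len(reflectors) >= min_reflectors:
            findings[(victim, AMPLIFIER_PORTS[port])] = {
                "reflectors": len(reflectors),
                "bytes": total,
                "bytes_per_sec": rate,
            }
    return findings


# Constructed sample traffic, not a real capture (RFC 5737 documentation addresses).
VICTIM = "203.0.113.10"
REFLECTORS = ["198.51.100.5", "198.51.100.6", "198.51.100.7"]
SAMPLE_RECORDS = [
    # 12 full-size memcached replies from three reflectors in under 0.3 s,
    # arriving on whatever source port the attacker spoofed in the request.
    UdpRecord(ts=i * 0.025, src_ip=REFLECTORS[i % 3], src_port=11211,
              dst_ip=VICTIM, dst_port=40000 + i, length=1400)
    for i in range(12)
] + [
    # One ordinary DNS answer to a different host: single source, tiny volume.
    UdpRecord(ts=0.1, src_ip="198.51.100.53", src_port=53,
              dst_ip="203.0.113.20", dst_port=51234, length=120),
]


if __name__ == "__main__":
    req = memcached_stats_request()
    print(f"request: {len(req)} bytes")
    # Assumed reply size for illustration only; real ratios depend on the server.
    print(f"factor for a 150,000-byte reply: {amplification_factor(len(req), 150_000):.0f}x")
    for (victim, service), s in find_reflection_floods(SAMPLE_RECORDS).items():
        print(f"{victim}: {service} reflection from {s['reflectors']} hosts, "
              f"{s['bytes']} B, {s['bytes_per_sec']:.0f} B/s")
```

The detection keys on direction: legitimate memcached or DNS traffic arrives *from* port 11211 or 53 only in answer to something the host sent, so a burst of such replies from several unrelated servers to one address, with nothing outbound to match, is the signature of a reflection flood. The thresholds are deliberately low so the constructed sample trips them; in production they would be set from a baseline of the network’s normal UDP volumes.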
These kinds of attacks will most likely continue, since there are many UDP services out there that could be abused by attackers. Luckily, there are ways that network administrators can help prevent these attacks from happening, such as dropping packets with spoofed source addresses at the network edge and not exposing UDP services like memcached to the public internet. Read the full article in Cyber Defense Magazine to learn about best practices for defense, and learn more about DDoS attacks here on Secplicity.