| Name |
UDP Flood |
|
| Likelyhood of attack |
Typical severity |
| Low |
High |
|
| Summary |
An adversary may execute a flooding attack using the UDP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. Additionally, firewalls often open a port for each UDP connection destined for a service with an open UDP port, meaning the firewalls in essence save the connection state thus the high packet nature of a UDP flood can also overwhelm resources allocated to the firewall. UDP attacks can also target services like DNS or VoIP which utilize these protocols. Additionally, due to the session-less nature of the UDP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack. |
| Prerequisites |
This type of an attack requires the ability to generate a large amount of UDP traffic to send to the desired port of a target service using UDP. |
| Solutions | To mitigate this type of an attack, modern firewalls drop UDP traffic destined for closed ports, and unsolicited UDP reply packets. A variety of other countermeasures such as universal reverse path forwarding and remote triggered black holing(RFC3704) along with modifications to BGP like black hole routing and sinkhole routing(RFC3882) help mitigate the spoofed source IP nature of these attacks. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-770 |
Allocation of Resources Without Limits or Throttling |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-125 |
An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target. |
|
| Taxonomy: ATTACK |
|
Entry ID
|
Entry Name
|
| 1498.001 |
Network Denial of Service:Direct Network Flood |
|