[Dr.WoW] [No.15] UDP Flood Attack and Defense Highlighted

Latest reply: May 26, 2015 09:06:38

Let's review the UDP protocol before moving on to UDP flood attacks. As we know, TCP is a connection-oriented protocol, whereas UDP is connectionless: no connection is set up between the client and the server before data transmission. If packets are lost on the way from the client to the server, UDP can neither detect the loss nor report an error. Therefore, UDP is usually considered an unreliable transport protocol.

Then why should we use an unreliable protocol like UDP? Is UDP useless?

No. UDP is very useful in some scenarios. Its biggest advantage over TCP is speed. TCP provides security and reliability mechanisms, but at the cost of high overhead and slow transmission. UDP leaves these mechanisms to higher-layer protocols and in exchange transmits much faster.

However, attackers can exploit UDP to launch UDP flood attacks, which are high-bandwidth attacks: the attackers use zombies to send large numbers of oversized UDP packets to target servers at high speed, with the following effects:

  • Network bandwidth resources are exhausted, and links are congested.
  • The large numbers of UDP attack packets with changing source IP addresses or ports degrade the performance of session-based forwarding devices or even crash the network, causing a DoS.

Firewalls cannot prevent UDP flood attacks the way they prevent SYN flood attacks, because UDP is connectionless and source authentication cannot be used. Then, how do firewalls prevent UDP flood attacks?

1 Rate Limiting

A simple way to prevent UDP flood attacks is rate limiting. The following rate limiting types are available:

  • Incoming interface-based rate limiting: Limit the rate of an incoming interface and discard excess UDP packets.
  • Destination address-based rate limiting: Limit the rate of a destination address and discard excess UDP packets.
  • Destination security zone-based rate limiting: Limit the rate of a destination security zone and discard excess UDP packets.
  • Session-based rate limiting: Collect statistics on the UDP packets of each UDP session. If the packet rate of a session reaches the alarm threshold, the session is locked and subsequent UDP packets matching it are discarded. If no traffic matches the session for three or more consecutive seconds, the firewall unlocks the session and subsequent matching packets are permitted.
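The lock-and-unlock behaviour of session-based rate limiting, as an added model written for this post (not Huawei firewall code). It assumes the rate is counted as packets per one-second window; the session key, the sample trace and the addresses in it are constructed.

```python
# Added model of session-based UDP rate limiting; not Huawei code.
# Assumption not stated in the post: the rate is measured as packets per one-second window.
# A session whose rate reaches max_rate is locked and its packets are dropped; it is
# unlocked once no packet has matched it for UNLOCK_IDLE_SECONDS or more.
UNLOCK_IDLE_SECONDS = 3


class SessionRateLimiter:
    def __init__(self, max_rate):
        self.max_rate = max_rate
        self.counts = {}       # session -> (window second, packets seen in that second)
        self.locked = {}       # session -> timestamp a matching packet was last seen

    def handle(self, ts, src_ip, src_port, dst_ip, dst_port):
        """Return 'forward' or 'drop' for one UDP packet; ts is a timestamp in seconds."""
        session = (src_ip, src_port, dst_ip, dst_port)
        second = int(ts)
        if session in self.locked:
            if ts - self.locked[session] >= UNLOCK_IDLE_SECONDS:
                del self.locked[session]        # idle long enough: unlock the session
            else:
                self.locked[session] = ts       # matching traffic keeps it locked
                return "drop"
        window, count = self.counts.get(session, (second, 0))
        if window != second:                    # new second: restart the counter
            window, count = second, 0
        count += 1
        self.counts[session] = (window, count)
        if count >= self.max_rate:              # rate reached the threshold: lock
            self.locked[session] = ts
            return "drop"
        return "forward"


def simulate(max_rate=3):
    """Constructed trace: one session floods, a second session sends a single packet."""
    flood = ("10.0.0.5", 40000, "192.0.2.10", 53)
    other = ("10.0.0.6", 40001, "192.0.2.10", 53)
    trace = [(0.0, *flood), (0.1, *flood), (0.2, *flood), (0.3, *flood),
             (0.4, *other),   # different session, unaffected by the lock
             (1.5, *flood),   # still locked: only 1.2 s without matching traffic
             (4.6, *flood)]   # 3.1 s idle since the last matching packet: unlocked
    limiter = SessionRateLimiter(max_rate)
    return [limiter.handle(*pkt) for pkt in trace]
```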

2 Fingerprint Learning

Rate limiting protects bandwidth effectively but may interrupt normal services. To resolve this problem, the firewalls also support fingerprint learning to prevent UDP flood attacks.

As shown in Figure 1-1, fingerprint learning checks whether the payloads of the UDP packets sent from the client to the server are identical in order to decide whether the packets are normal. The firewall collects statistics on the UDP packets destined for the target server. If the packet rate reaches the alarm threshold, the firewall starts fingerprint learning. If identical features appear repeatedly, they are learned as fingerprints. Subsequent UDP packets matching a fingerprint are considered attack packets and discarded; those that do not match any fingerprint are forwarded.

Figure 1-1 Fingerprint learning


UDP flood attack packets have common features, such as an identical character string or payload, and fingerprint learning is based on this fact. Attackers often use tools to craft UDP packets with identical payloads in order to increase the flood rate.

Normal UDP packets, in contrast, have different payloads. Therefore, firewalls can learn the fingerprints of attack packets to distinguish them from normal packets and reduce false positives.

As shown in the following two packet capture screenshots, two UDP packets destined for the same destination have identical payloads. If a firewall receives a large number of such UDP packets, it can determine that a UDP flood attack is under way.

(Two packet capture screenshots showing UDP packets with identical payloads; images not reproduced.)
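The fingerprint learning described in this section, as an added model written for this post (not Huawei firewall code). It assumes one-second statistics windows, that the learned feature is the payload slice selected by offset and fingerprint-length, and that a feature must repeat LEARN_HITS times at or above the alert rate before it counts as a fingerprint; the sample traffic is constructed.

```python
from collections import Counter

# Added model of fingerprint learning; not Huawei code. Assumptions not in the post:
# statistics are kept per one-second window, the feature is payload[offset:offset+length]
# (mirroring the offset / fingerprint-length parameters), and a feature must repeat
# LEARN_HITS times while the packet rate is at or above alert_rate to become a fingerprint.
LEARN_HITS = 5


class FingerprintLearner:
    def __init__(self, alert_rate, offset=0, length=16):
        self.alert_rate, self.offset, self.length = alert_rate, offset, length
        self.fingerprints = set()          # learned attack features
        self._window, self._count, self._hits = None, 0, Counter()

    def handle(self, ts, payload):
        """Classify one UDP payload destined for the protected server."""
        second = int(ts)
        if second != self._window:         # new window: reset the statistics
            self._window, self._count, self._hits = second, 0, Counter()
        self._count += 1
        feature = payload[self.offset:self.offset + self.length]
        if len(feature) < self.length:     # too short to fingerprint: forward as-is
            return "forward"
        if feature in self.fingerprints:   # matches a learned fingerprint
            return "drop"
        self._hits[feature] += 1
        # learning starts only once the rate reaches the alert threshold
        if self._count >= self.alert_rate and self._hits[feature] >= LEARN_HITS:
            self.fingerprints.add(feature)
            return "drop"
        return "forward"


def build_traffic():
    """Constructed sample traffic: 5 normal, 40 identical attack, 5 normal packets."""
    def normal(i):                         # varying pseudo-DNS query payload
        return i.to_bytes(2, "big") + b"\x01\x00\x00\x01" + b"\x00" * 10 + b"\x03www"
    attack = b"A" * 64                     # tool-generated flood with constant payload
    normal_before = [normal(i) for i in range(5)]
    normal_after = [normal(i) for i in range(5, 10)]
    return normal_before + [attack] * 40 + normal_after


def run(alert_rate=20):
    """Return (decision counts, learned fingerprints) for the constructed traffic."""
    learner = FingerprintLearner(alert_rate)
    decisions = [learner.handle(i * 0.01, p) for i, p in enumerate(build_traffic())]
    return Counter(decisions), learner.fingerprints
```

Normal packets sent after the fingerprint is learned are still forwarded, which is the false-positive reduction the text describes.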

To sum up, firewalls prevent UDP flood attacks through rate limiting and fingerprint learning, each with its own merits and limitations. Rate limiting is a simple and crude way to control the rate of UDP packets, but it discards packets indiscriminately and may interrupt normal services. Fingerprint learning is smarter: after learning the fingerprints of attack packets, it can distinguish them from normal packets. Currently, fingerprint learning is the main measure against UDP flood attacks and is supported by all Huawei firewall series.

3 Commands

Table 1-1 lists the rate limiting and fingerprint learning configuration commands, using the USG9500 V300R001 as an example.

Table 1-1 Rate limiting and fingerprint learning configuration commands (function: command)

  • Enable UDP flood attack defense: firewall defend udp-flood enable
  • Configure interface-based UDP rate limiting: firewall defend udp-flood interface { interface-type interface-number | all } [ max-rate max-rate-number ]
  • Configure IP address-based UDP rate limiting: firewall defend udp-flood ip ip-address [ max-rate max-rate-number ]
  • Configure security zone-based UDP rate limiting: firewall defend udp-flood zone zone-name [ max-rate max-rate-number ]
  • Configure session-based UDP rate limiting: firewall defend udp-flood base-session max-rate max-rate-number
  • Configure IP address-based UDP flood fingerprint learning: firewall defend udp-fingerprint-learn ip ip-address [ alert-rate alert-rate-number ]
  • Configure security zone-based UDP flood fingerprint learning: firewall defend udp-fingerprint-learn zone zone-name [ alert-rate alert-rate-number ]
  • Configure UDP fingerprint learning parameters: firewall defend udp-flood fingerprint-learn offset offset fingerprint-length fingerprint-length

user_2790689
Created May 26, 2015 09:06:38

Good.