UDP Based Amplification Attacks: Understanding the Threat

Written By Ryan Harris

Cyberattacks are constantly evolving and becoming more sophisticated but UDP amplification attacks are relatively simple ways for attackers to leverage your resources for their gain. These attacks leverage the User Datagram Protocol (UDP) to flood a target system with a massive amount of traffic, overwhelming its resources and causing it to crash or become unavailable. Ultimately, this is a form of a Distributed Denial of Service (DDoS) attack that takes relatively few resources to pull off.

More than likely, you may not be the victim of the attack, but an unwitting intermediary to one of these attacks.

NIST recently published an advisory for a previously unknown vulnerability in the Service Location Protocol (SLP) that allowed for an unauthenticated remote attacker to register an arbitrary service with a vulnerable target and then use that target for amplification of traffic by up to 2,200X its original volume. This goes to show that these attacks are still threat to networks around the world with vulnerable protocols still being uncovered.

We’ll take a closer look at UDP-based amplification attacks, how they work, and what organizations can do to protect themselves, and others.

How UDP-based Amplification Attacks Work

UDP is a connectionless protocol that is used for transmitting data between network devices. Unlike Transmission Control Protocol (TCP), which establishes a connection before sending data, UDP simply sends data packets to their destination without any verification or acknowledgement.

Attackers can take advantage of this characteristic of UDP by spoofing the source IP address of their packets to that of the victim system, making it appear as if the traffic is coming from the target system. They then send a large number of UDP packets to a group of intermediary servers that have vulnerabilities allowing them to amplify the traffic by sending a much larger response back to the victim system. This results in a massive flood of traffic overwhelming the target system, effectively rendering it unavailable. Different protocols will amplify traffic by different amounts, this is called the amplification factor.

Commonly Exploited Protocols

There are several commonly exploited protocols that attackers use to amplify the traffic in UDP-based amplification attacks. The most common protocols are DNS (Domain Name System), NTP (Network Time Protocol), and SNMP (Simple Network Management Protocol) but many more protocols are vulnerable.

  • DNS amplification attacks involve the attacker sending DNS queries to vulnerable DNS servers with a spoofed source IP address of the victim system. The DNS server then sends a much larger response to the victim system, amplifying the traffic. DNS traffic can be amplified by a factor of 28x-54x and with the huge number of DNS servers publicly available on the internet, it’s a popular vector.

  • NTP amplification attacks are particularly brutal because vulnerable versions of NTP that return traffic to the “monlist” command could amplify malicious traffic by up to 200x! I became aware of NTP amplification attacks when we were accidentally playing host to several different servers in a previous job of mine. The environment (higher education) was particularly wide open, and it was several days of playing whack-a-mole before we were able to get all of the vulnerable servers fixed.

  • SNMP amplification attacks aren’t quite as effective as the previous two for two main reasons, SNMP is less likely to be publicly available than DNS or NTP and because its amplification factor is only about 6x. That said, it can still be a problem and vulnerable systems should be scanned and updated.

  • Other commonly vulnerably protocols include Bittorrent, LDAP, TFTP, and more.

Protecting Against UDP-based Amplification Attacks

To protect against UDP-based amplification attacks, organizations should take several proactive measures:

  1. Implement best practices for network security, including firewalls, intrusion detection and prevention systems, and network segmentation.

  2. Patch and update all systems and applications regularly to prevent vulnerabilities that can be exploited in these attacks.

  3. Disable any unnecessary services and protocols that can be used in these attacks, including DNS, NTP, and SNMP.

  4. Implement rate limiting on UDP traffic to prevent amplification attacks.

  5. Monitor network traffic and system logs for any signs of abnormal activity.

  6. Implement Unicast Reverse Path Forwarding checks across your network.

Conclusion

UDP-based amplification attacks are a significant threat to the health of the Internet, and you can help be a good steward by helping thwart these attacks, even if you’re not the ultimate victim. By implementing best practices for network security, patching and updating systems, and monitoring network traffic, organizations can protect themselves against these attacks and minimize the risk of downtime and data loss.

The US Cybersecurity and Infrastructure Security Agency (CISA) has an excellent article on the topic that I recommend you read.

Ryan Harris

I’m Ryan and I’m a Senior Network Engineer for BlueAlly (formerly NetCraftsmen) in North Carolina doing routing, switching, and security. I’m very interested in IPv6 adoption, SD-Access, and Network Optimization. Multi-vendor with the majority of my work being with Cisco and Palo Alto.

Previous

Are Consumer VPN Providers Advertising Truthfully?
Next

Understanding Network Segmentation: Best Practices and Implementation Strategies