DDoS UDP Flood Attack (Layer 4 Attack)

UDP flood attacks exploit the lack of connection control in the User Datagram Protocol. Unlike TCP, UDP doesn’t manage sessions, track connections, or limit traffic. Attackers take advantage by sending large numbers of UDP packets to various ports on a target.

If no application listens on a given port, the system often replies with an ICMP “Destination Unreachable” message. These replies consume bandwidth and processing power. Attackers also spoof source IP addresses to hide their identity and misdirect response traffic.

UDP floods resemble sudden spikes in legitimate traffic, but the cause differs. DDoS attacks are intentional and hostile, while user surges are natural. Many modern attacks also use amplification. An attacker sends small UDP requests to servers like DNS, NTP, or memcached, using the victim’s IP. The servers respond with much larger messages to the victim, greatly increasing the impact.

One major case was the 2018 attack on GitHub using memcached servers, which hit 1.3 Tbps. Even without amplification, a UDP flood can saturate a target if the upstream network pushes more traffic than the target can absorb.

Key Packet Indicators:

UDP floods involve a high rate of UDP packets aimed at one or many ports on a target. These packets carry IP protocol number 17 (ip.proto == 17) and, unlike TCP segments, have no flags or handshake state. Attackers either target known service ports to overload them or random ports to trigger ICMP “destination unreachable” replies, and they usually spoof or randomize the source IP and port. In basic floods the payload is junk or nearly empty, since the goal is volume rather than content.

An important sign is an unusual spike in UDP traffic, especially on a system that normally handles mostly TCP. A web server that typically sees 95% TCP traffic and suddenly shows a jump in UDP, particularly to odd ports, should raise concern. A related sign is a surge of outbound ICMP Type 3 messages from the victim to the spoofed sources. Monitoring tools should track UDP packet rates and bandwidth; a sharp rise above baseline often signals a flood. If many destination ports on the target are hit in rapid succession, it may look like a port scan, but it is more likely an attack meant to drain resources.

Normal UDP traffic follows known patterns tied to services such as DNS (port 53) or VoIP, and it usually pairs a clear request with a response. UDP flood traffic, by contrast, is random or targets ports that cause heavy load, and it typically does not expect a reply. Amplified floods, such as DNS-based ones, use small queries to trigger large responses from third-party servers, so the victim receives large UDP packets, often with a source port of 53. A pattern of high UDP volume, frequent ICMP “port unreachable” replies, or broad port targeting points strongly to a flood attack.
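The indicators above can be checked programmatically over a capture window. The following is an added example, not code from the original article: it applies the rate-spike, UDP-share, port-spread, outbound ICMP Type 3 and large-reflector-response checks to a constructed one-second window of packet summaries. The packet records, IP addresses, baseline rate and alert thresholds are all assumptions chosen for illustration and would be tuned to a real site's baseline.

```python
"""UDP flood indicator checks over a window of packet summaries (added example)."""
import random
from dataclasses import dataclass

# Reflector service ports named in the article: DNS, NTP, SSDP, memcached.
REFLECTOR_PORTS = {53, 123, 1900, 11211}


@dataclass(frozen=True)
class Pkt:
    """Minimal packet summary, as a flow exporter or tshark field export would give."""
    ts: float          # seconds since window start
    src: str
    dst: str
    proto: int         # IP protocol number: 17 = UDP, 6 = TCP, 1 = ICMP
    sport: int
    dport: int
    length: int        # UDP/ICMP length in bytes (header + payload)
    icmp_type: int = -1


def udp_indicators(pkts, victim, window_s, baseline_udp_pps,
                   spike_factor=5.0, udp_share_alert=0.5,
                   port_spread=20, icmp3_alert=10):
    """Return metrics for the window plus the list of indicators that fired."""
    udp_in = [p for p in pkts if p.proto == 17 and p.dst == victim]
    all_in = [p for p in pkts if p.dst == victim]
    icmp3_out = [p for p in pkts
                 if p.proto == 1 and p.src == victim and p.icmp_type == 3]
    # Large responses arriving from a reflector's service port (udp.srcport).
    amplified = [p for p in udp_in if p.sport in REFLECTOR_PORTS and p.length > 500]

    udp_pps = len(udp_in) / window_s
    udp_share = len(udp_in) / len(all_in) if all_in else 0.0
    distinct_dports = len({p.dport for p in udp_in})
    distinct_srcs = len({p.src for p in udp_in})

    triggered = []
    if udp_pps > spike_factor * baseline_udp_pps:
        triggered.append("udp_rate_spike")            # sharp rise above baseline
    if udp_share > udp_share_alert:
        triggered.append("udp_share_abnormal")        # mostly-TCP host now mostly UDP
    if distinct_dports >= port_spread:
        triggered.append("broad_port_targeting")      # many ports hit in one window
    if len(icmp3_out) >= icmp3_alert:
        triggered.append("icmp_unreachable_surge")    # victim answering closed ports
    if amplified:
        triggered.append("reflected_large_responses")  # amplification signature

    return {"udp_pps": udp_pps, "udp_share": round(udp_share, 3),
            "distinct_dports": distinct_dports, "distinct_srcs": distinct_srcs,
            "icmp3_out": len(icmp3_out), "amplified_pkts": len(amplified),
            "triggered": triggered}


def build_flood_sample(victim="192.0.2.10", n_flood=300):
    """Constructed one-second window: normal web traffic plus a UDP flood."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    pkts = []
    for i in range(40):  # legitimate HTTPS clients (constructed)
        pkts.append(Pkt(i / 40, f"198.51.100.{i % 5 + 1}", victim, 6,
                        40000 + i, 443, 600))
    for i in range(n_flood):  # spoofed sources, random ports, tiny junk payloads
        pkts.append(Pkt(i / n_flood, f"203.0.113.{rng.randrange(1, 255)}", victim, 17,
                        rng.randrange(1024, 65535), rng.randrange(1, 65535),
                        8 + rng.randrange(0, 16)))
    for i in range(20):  # reflected DNS responses: source port 53, large
        pkts.append(Pkt(i / 20, f"198.51.100.{200 + i}", victim, 17,
                        53, rng.randrange(1024, 65535), 1200))
    for i in range(60):  # victim replying ICMP Type 3 to the spoofed sources
        pkts.append(Pkt(i / 60, victim, f"203.0.113.{rng.randrange(1, 255)}", 1,
                        0, 0, 56, icmp_type=3))
    return pkts


def build_benign_sample(victim="192.0.2.10"):
    """Constructed one-second window: web traffic plus ordinary DNS lookups."""
    pkts = [Pkt(i / 40, f"198.51.100.{i % 5 + 1}", victim, 6, 40000 + i, 443, 600)
            for i in range(40)]
    for i in range(5):  # query out to the resolver, short answer back from port 53
        pkts.append(Pkt(i / 5, victim, "198.51.100.53", 17, 50000 + i, 53, 60))
        pkts.append(Pkt(i / 5 + 0.01, "198.51.100.53", victim, 17, 53, 50000 + i, 110))
    return pkts


if __name__ == "__main__":
    for name, sample in (("flood", build_flood_sample()), ("benign", build_benign_sample())):
        print(name, udp_indicators(sample, "192.0.2.10", window_s=1.0, baseline_udp_pps=5.0))
```

The baseline rate is the one value that matters most here: the spike check compares the window against what the host normally sees, so the same 320 UDP packets per second that are alarming for a web server would be routine for a DNS resolver. The benign sample shows that ordinary request/response DNS traffic fires none of the checks.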

Wireshark:

  • Filter for UDP traffic to the target IP: udp && ip.dst == <VICTIM IP>
  • Flag back-to-back UDP frames (a burst indicator; frame.time_delta is the gap since the previous captured frame, not a per-source measure): udp && (frame.time_delta < 0.01) (adjust 0.01 based on baseline traffic)
  • UDP amplification/reflection responses hitting the victim (large packets from a reflector's service port; use udp.dstport instead when inspecting the outbound queries toward the reflectors): (udp.srcport == 53 || udp.srcport == 123 || udp.srcport == 1900 || udp.srcport == 11211) && (udp.length > 500)
  • Statistics → Conversations → UDP → Sort by “Packets” or “Bytes”