UDP Flood Attack

How UDP Flood Attack Works

UDP is inherently vulnerable to flooding because it provides no connection state, authentication, or flow control. A sender can transmit UDP datagrams to any IP:port combination without prior negotiation, and the receiving host must process each packet to determine whether a service is listening. When a UDP packet arrives at a closed port, the OS kernel generates an ICMP Port Unreachable message — consuming CPU and outbound bandwidth. When it arrives at an open port (DNS on 53, NTP on 123, SNMP on 161), the listening application must parse and reject the malformed data, consuming application-layer resources. At high packet rates (millions of packets per second), the target's network interface card, kernel network stack, and firewall connection tracking tables all become bottlenecks. Unlike TCP floods that exploit protocol state, UDP floods are pure bandwidth exhaustion attacks — the only defense is having more capacity than the attacker or filtering upstream.

Real-World Examples

Impact & Risk Assessment

UDP floods are the simplest and most common volumetric DDoS technique, accounting for approximately 55-62% of all DDoS attacks by volume. Their effectiveness comes from the combination of UDP's stateless nature (no handshake means unlimited spoofing), the availability of massive botnets, and the fundamental physics of bandwidth saturation — no amount of server hardening helps when the network pipe is full. Impact extends beyond the target: shared hosting environments see all customers affected when one is attacked; upstream ISP links may saturate, causing collateral damage to unrelated networks; and stateful security devices (firewalls, IDS) along the path may fail under the load of tracking millions of UDP flows. UDP-dependent services are disproportionately affected: VoIP calls drop with as little as 1% packet loss, online gaming becomes unplayable at 50ms additional latency, and DNS resolution fails when UDP port 53 is overwhelmed. Financial impact scales with downtime duration — gaming companies report losses of $25,000-$40,000 per hour during DDoS attacks, while enterprises with SLA obligations face contractual penalties alongside direct revenue loss.

How to Detect UDP Flood Attack

Monitor inbound UDP packet rates and compare against established baselines — a typical web server receives minimal UDP traffic (primarily DNS responses and NTP), so a sudden spike from hundreds to hundreds of thousands of packets per second is a clear indicator. Track the ratio of UDP to TCP traffic; legitimate web traffic is overwhelmingly TCP, so a shift where UDP exceeds 30-40% of total traffic indicates a likely flood. Analyze source IP entropy: legitimate UDP traffic comes from a relatively stable set of DNS resolvers and NTP servers, while UDP floods show thousands of unique source IPs with high address space entropy. Monitor ICMP Port Unreachable generation rate — a sharp increase indicates UDP packets hitting closed ports at high rates. Check conntrack table utilization on firewalls and stateful devices: rapid filling of the connection tracking table with UDP entries signals a flood. Deploy NetFlow/sFlow analysis at the network perimeter to detect volume anomalies before they impact services — flow data captures traffic patterns with minimal overhead even during high-volume events.

How to Prevent UDP Flood Attack

Deploy upstream DDoS mitigation (cloud-based scrubbing or ISP-level filtering) as the primary defense — on-premises hardware cannot mitigate a flood that exceeds your network link capacity. Configure firewalls to drop UDP packets to ports where no service is listening, eliminating ICMP Port Unreachable generation and reducing CPU load. Disable ICMP Port Unreachable responses in the kernel (net.ipv4.icmp_ratemask on Linux) to prevent outbound ICMP traffic amplifying the flood's bandwidth impact. Implement conntrack table tuning: increase nf_conntrack_max, reduce UDP timeout values (net.netfilter.nf_conntrack_udp_timeout=10 instead of default 30), and consider using NOTRACK rules for high-volume UDP services to bypass connection tracking entirely. For UDP services that must remain accessible (DNS, game servers), implement application-level rate limiting, packet validation (check packet structure before processing), and geographic filtering (drop traffic from regions with no legitimate users). Implement BCP 38 source address validation at your network edge and advocate for its adoption by your upstream providers — widespread BCP 38 deployment would eliminate spoofed UDP floods entirely. Consider dedicated DDoS mitigation appliances positioned inline for organizations with high-bandwidth connections.

Code Examples

# === Kernel tuning for UDP flood resilience ===

# Disable ICMP Port Unreachable responses to prevent outbound amplification
# Bit 3 in icmp_ratemask controls Port Unreachable (Type 3)
iptables -A OUTPUT -p icmp --icmp-type port-unreachable -j DROP

# Increase conntrack table size (default 65536 is too small under flood)
sysctl -w net.netfilter.nf_conntrack_max=2000000
sysctl -w net.netfilter.nf_conntrack_buckets=500000

# Reduce UDP conntrack timeout (default 30s → 10s)
# Entries expire faster, freeing conntrack slots during floods
sysctl -w net.netfilter.nf_conntrack_udp_timeout=10
sysctl -w net.netfilter.nf_conntrack_udp_timeout_stream=30

# Increase network receive buffer sizes
sysctl -w net.core.rmem_max=67108864
sysctl -w net.core.rmem_default=8388608
sysctl -w net.core.netdev_max_backlog=50000

# === iptables rules to filter UDP flood traffic ===

# Drop UDP packets to ports where no service listens
# List your legitimate UDP services explicitly
iptables -A INPUT -p udp --dport 53 -j ACCEPT     # DNS (if you run a DNS server)
iptables -A INPUT -p udp --dport 123 -j ACCEPT    # NTP (if you run NTP)
iptables -A INPUT -p udp --dport 1194 -j ACCEPT   # OpenVPN (if applicable)
# Drop all other inbound UDP
iptables -A INPUT -p udp -j DROP

# If you must accept UDP on certain ports, rate-limit per source IP
iptables -A INPUT -p udp --dport 53 -m hashlimit \
  --hashlimit-above 50/sec \
  --hashlimit-burst 100 \
  --hashlimit-mode srcip \
  --hashlimit-name udp_dns_limit \
  -j DROP

# Bypass conntrack for high-volume UDP services (reduces state table pressure)
iptables -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK
iptables -t raw -A OUTPUT -p udp --sport 53 -j NOTRACK

# Anti-spoofing: enable reverse path filtering
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1

# Persist all sysctl settings
sysctl -p

import subprocess
import time
import logging
from collections import defaultdict

logger = logging.getLogger('udp_flood_monitor')

def get_udp_stats():
    """Read UDP statistics from /proc/net/snmp and conntrack"""
    stats = {}

    # Parse /proc/net/snmp for UDP counters
    with open('/proc/net/snmp', 'r') as f:
        lines = f.readlines()
        for i, line in enumerate(lines):
            if line.startswith('Udp:') and i + 1 < len(lines):
                headers = line.split()
                values = lines[i + 1].split()
                if headers[0] == 'Udp:' and values[0] == 'Udp:':
                    for h, v in zip(headers[1:], values[1:]):
                        stats[f'udp_{h}'] = int(v)
                break

    # Get conntrack stats
    try:
        result = subprocess.run(
            ['cat', '/proc/sys/net/netfilter/nf_conntrack_count'],
            capture_output=True, text=True
        )
        stats['conntrack_count'] = int(result.stdout.strip())

        result = subprocess.run(
            ['cat', '/proc/sys/net/netfilter/nf_conntrack_max'],
            capture_output=True, text=True
        )
        stats['conntrack_max'] = int(result.stdout.strip())
    except (ValueError, FileNotFoundError):
        pass

    return stats

def get_interface_counters(interface='eth0'):
    """Read packet and byte counters from /sys/class/net"""
    base = f'/sys/class/net/{interface}/statistics'
    counters = {}
    for stat in ['rx_packets', 'rx_bytes', 'tx_packets', 'tx_bytes']:
        try:
            with open(f'{base}/{stat}', 'r') as f:
                counters[stat] = int(f.read().strip())
        except FileNotFoundError:
            counters[stat] = 0
    return counters

def monitor_udp_flood(
    interface='eth0',
    pps_threshold=100000,
    bps_threshold=1_000_000_000,  # 1 Gbps
    conntrack_pct_threshold=80,
    check_interval=5
):
    """Continuous UDP flood monitoring with multi-indicator alerting"""
    prev_counters = get_interface_counters(interface)
    prev_stats = get_udp_stats()
    prev_time = time.time()

    while True:
        time.sleep(check_interval)

        curr_counters = get_interface_counters(interface)
        curr_stats = get_udp_stats()
        curr_time = time.time()
        elapsed = curr_time - prev_time

        # Calculate rates
        rx_pps = (curr_counters['rx_packets'] - prev_counters['rx_packets']) / elapsed
        rx_bps = (curr_counters['rx_bytes'] - prev_counters['rx_bytes']) * 8 / elapsed
        tx_pps = (curr_counters['tx_packets'] - prev_counters['tx_packets']) / elapsed

        # UDP-specific: NoPorts = ICMP Dest Unreachable generated (closed port hits)
        noports_rate = 0
        if 'udp_NoPorts' in curr_stats and 'udp_NoPorts' in prev_stats:
            noports_rate = (curr_stats['udp_NoPorts'] - prev_stats['udp_NoPorts']) / elapsed

        # Conntrack utilization
        conntrack_pct = 0
        if 'conntrack_count' in curr_stats and 'conntrack_max' in curr_stats:
            conntrack_pct = (curr_stats['conntrack_count'] / curr_stats['conntrack_max']) * 100

        # Alert conditions
        if rx_pps > pps_threshold:
            logger.critical(
                f'HIGH PACKET RATE: {rx_pps:,.0f} pps inbound '
                f'({rx_bps / 1e9:.2f} Gbps), threshold: {pps_threshold:,}'
            )

        if noports_rate > 1000:
            logger.warning(
                f'UDP closed-port hits: {noports_rate:,.0f}/sec '
                f'(generating ICMP Port Unreachable responses)'
            )

        if conntrack_pct > conntrack_pct_threshold:
            logger.critical(
                f'CONNTRACK TABLE {conntrack_pct:.1f}% full '
                f'({curr_stats["conntrack_count"]:,}/{curr_stats["conntrack_max"]:,}) — '
                f'risk of dropping all new connections'
            )

        prev_counters = curr_counters
        prev_stats = curr_stats
        prev_time = curr_time

if __name__ == '__main__':
    logging.basicConfig(level=logging.INFO)
    monitor_udp_flood()

# Nginx reverse proxy architecture for UDP flood resilience.
# Nginx only processes TCP/HTTP — UDP floods hit the OS, not the application.
# Combined with kernel hardening, this isolates web services from UDP attacks.

worker_processes auto;
worker_rlimit_nofile 65535;

events {
    worker_connections 65535;
    multi_accept on;
    use epoll;
}

http {
    # Aggressive timeouts to reclaim resources during attacks
    keepalive_timeout       10s;
    client_header_timeout   5s;
    client_body_timeout     5s;
    send_timeout            5s;
    reset_timedout_connection on;

    # Connection and rate limiting per IP
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
    limit_req_zone  $binary_remote_addr zone=req_per_ip:10m rate=30r/s;

    # Health check endpoint for load balancer monitoring
    server {
        listen 80;
        server_name _;

        # Quick health check — responds even under heavy load
        location /health {
            access_log off;
            return 200 'OK';
            add_header Content-Type text/plain;
        }
    }

    server {
        listen 443 ssl http2 backlog=65535;

        limit_conn conn_per_ip 30;
        limit_req zone=req_per_ip burst=50 nodelay;

        location / {
            proxy_pass http://backend;
            proxy_connect_timeout 3s;
            proxy_read_timeout    15s;
            proxy_send_timeout    5s;
        }
    }
}

Frequently Asked Questions

Related Attacks