UDP clamped on service provider links

Ray Soucy rps at maine.edu
Mon Jul 27 19:56:58 UTC 2015


"It depends on the network." is really the only answer.

It's the kind of thing that happens quietly and often can be transient in
nature (e.g. temporary "big stick" filters to deal with an active attack).

As far as the reason it happens to UDP:

UDP is a challenge because it's easy to leverage for reflection attacks
where the source IP is spoofed to be the target.

The major targets are small services that are typically left open on host
systems.  The big ones being NTP, DNS, and more recently SSDP (universal
plug and play left open on consumer routers).  Once in a while you see some
really old protocols open like CHARGEN, but these are less common.  The
ones like NTP and DNS are popular because a small request can trigger a
large response (e.g. amplification attack) if services are not
appropriately locked down on the host.

A while back a big one a lot of people were caught off guard by was the NTP
MONLIST function which resulted in up to a 500:1 amplification.

Hopefully rate limiting UDP traffic is something that doesn't happen often,
and when people do rate-limit it they ideally limit the scope to known
problem protocols (like NTP and DNS) and base limits such that normal use
shouldn't be a problem.  That said, I'm sure there are some who just
rate-limit everything (likely arguing that UDP is "mostly peer-to-peer
anyway").  It's a bad practice, no doubt.

TCP is still vulnerable to some level of reflection, but these are
generally easy to mitigate, and because the setup and teardown for TCP is
so small, not very effective for denial of service. There isn't much that
happens traffic-wise until the source address has confirmed a connection
which is what avoids spoofing being as big of a problem with TCP as it is
for UDP.  Similarly ICMP is generally not a problem because ICMP responses
are small by design.
On Mon, Jul 27, 2015 at 10:12 AM, Glen Kent <glen.kent at gmail.com> wrote:

> Hi,
>
> Is it true that UDP is often subjected to stiffer rate limits than TCP? Is
> there a reason why this is often done so? Is this because UDP is stateless
> and any script kiddie could launch a DOS attack with a UDP stream?
>
> Given the state of affairs these days how difficult is it going to be for
> somebody to launch a DOS attack with some other protocol?
>
> Glen
>



-- 
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net
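The post's argument is that a rate limit should be scoped to the protocols that actually show amplification rather than to all UDP. As an added example that is not part of the thread (and not Ray's or Glen's code), the script below measures the response-to-request byte ratio per host for the services the post names (NTP, DNS, SSDP, CHARGEN) from flow records, flags hosts whose ratio looks like a reflector, and derives the UDP port set a policy should cover. The flow-record tuple layout, the 192.0.2.0/24 "local" prefix, the sample flows, the thresholds and all function names are assumptions constructed for this example.

```python
"""Scope a UDP rate limit to the services that are actually amplifying.

Added example for the NANOG thread on UDP clamping; every value here is
constructed, and the record layout and thresholds are assumptions.
"""
from collections import defaultdict
import ipaddress

# UDP services the thread singles out as common reflection targets.
REFLECTION_PORTS = {123: "ntp", 53: "dns", 1900: "ssdp", 19: "chargen"}

# Assumed: the operator's own address space (documentation prefix).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed flow records, not real data:
# (proto, src_ip, src_port, dst_ip, dst_port, packets, bytes)
# 192.0.2.10 answers tiny NTP requests with very large responses toward a
# single address, the shape of a MONLIST-style reflector.  192.0.2.20 is a
# DNS server answering at a normal ratio.  The TCP and port-5555 flows are
# noise that a scoped policy should leave alone.
SAMPLE_FLOWS = [
    ("udp", "198.51.100.7", 40001, "192.0.2.10", 123, 100, 9000),
    ("udp", "192.0.2.10", 123, "198.51.100.7", 40001, 10000, 4_400_000),
    ("udp", "203.0.113.5", 53000, "192.0.2.20", 53, 50, 3500),
    ("udp", "192.0.2.20", 53, "203.0.113.5", 53000, 50, 6000),
    ("tcp", "198.51.100.7", 40002, "192.0.2.30", 443, 300, 30000),
    ("udp", "203.0.113.9", 5555, "192.0.2.40", 5555, 200, 200_000),
    ("udp", "192.0.2.40", 5555, "203.0.113.9", 5555, 200, 200_000),
]


def amplification_by_host(flows, local_net=LOCAL_NET):
    """Return {(host, port, service): (request_bytes, response_bytes, ratio)}
    for UDP flows that touch a known reflection port on a local host."""
    requests = defaultdict(int)   # bytes arriving at a local service port
    responses = defaultdict(int)  # bytes leaving a local service port
    for proto, src, sport, dst, dport, _pkts, nbytes in flows:
        if proto != "udp":
            continue
        if dport in REFLECTION_PORTS and ipaddress.ip_address(dst) in local_net:
            requests[(dst, dport)] += nbytes
        if sport in REFLECTION_PORTS and ipaddress.ip_address(src) in local_net:
            responses[(src, sport)] += nbytes
    stats = {}
    for host, port in set(requests) | set(responses):
        req = requests.get((host, port), 0)
        resp = responses.get((host, port), 0)
        # Responses with no matching requests are treated as unbounded.
        ratio = resp / req if req else float("inf")
        stats[(host, port, REFLECTION_PORTS[port])] = (req, resp, ratio)
    return stats


def suspected_reflectors(flows, ratio_threshold=10.0, min_resp_bytes=1_000_000):
    """Hosts whose response/request byte ratio and volume look like abuse.
    Thresholds are assumptions; tune them to the link being protected."""
    flagged = []
    for (host, _port, name), (_req, resp, ratio) in amplification_by_host(flows).items():
        if ratio >= ratio_threshold and resp >= min_resp_bytes:
            flagged.append((host, name, round(ratio, 1)))
    return sorted(flagged)


def ports_to_police(flows):
    """The UDP ports a rate limit should cover: only those being abused,
    never all of UDP."""
    names = {name for _host, name, _ratio in suspected_reflectors(flows)}
    return {port for port, name in REFLECTION_PORTS.items() if name in names}


if __name__ == "__main__":
    for host, name, ratio in suspected_reflectors(SAMPLE_FLOWS):
        print(f"{host} {name}: ~{ratio}:1 response/request bytes")
    print("police only UDP ports:", sorted(ports_to_police(SAMPLE_FLOWS)))
```

On the constructed sample the NTP host comes out near 489:1, close to the MONLIST figure the post cites, while the DNS server sits under 2:1 and is left alone; the resulting port set is just 123, which is the scoped policy the post argues for instead of a blanket UDP limit.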