UDP Flood

UDP Flood

An attacker can flood a server with UDP packets targeted at random ports. The server will process the packet, discover there is no application, and then waste time sending an ICMP Destination Unreachable reply.

Sample Pcap

Follow the tcpdump guide to record a pcap during an attack to analyze it.

13:02:41.051373 > udp 341 (DF) [tos 0x28] (ttl 48, id 0, len 369)
E(.q..@.0..Q......Qw..E..]..HTTP/1.1 200 OK

In the above, we see the source IP ( is sending a UDP packet to port 17710 (our server). It is a udp packet with the DF (don't fragment) flag set.

The content of the packet shows that it is an HTTP reply.

Here's another similar packet:

13:02:41.081976 > udp 389 (DF) [tos 0x48] (ttl 50, id 0, len 417)
.HTTP/1.1 200 OK

This time, the source IP ( is sending a UDP packet to port 38699 (our server). Notice each time, the UDP packets are sent to a different, random port.

How to Block

First, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are BuyVM, check the web panel to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.

Using the packet filter firewall, you will want to block all unwanted UDP packets. The easiest way to do this is to first whitelist the packets you want (create a rule that allows all good UDP packets in), then blacklist all remaining UDP (create a rule to drop all remaining UDP packets):

pass in quick proto udp to $ext_ip port {domain ntp}
block drop quick proto udp to $ext_ip

This would whitelist DNS and NTP packets but drop all other UDP packets.

See Also

DDoS Defense