Certain application-layer protocols that rely on the User Datagram Protocol (UDP) have been identified as potential attack vectors. These include

A distributed reflective denial-of-service (DRDoS) is a form of distributed denial-of-service (DDoS) attack that relies on publicly accessible UDP servers and bandwidth amplification factors (BAFs) to overwhelm a victim’s system with UDP traffic.

By design, UDP is a connection-less protocol that does not validate source Internet Protocol (IP) addresses. Unless the application-layer protocol uses countermeasures such as session initiation in Voice over Internet Protocol, an attacker can easily forge the IP packet datagram (a basic transfer unit associated with a packet-switched network) to include an arbitrary source IP address. [1] When many UDP packets have their source IP address forged to the victim IP address, the destination server (or amplifier) responds to the victim (instead of the attacker), creating a reflected denial-of-service (DoS) attack.

Certain commands to UDP protocols elicit responses that are much larger than the initial request. Previously, attackers were limited by the linear number of packets directly sent to the target to conduct a DoS attack; now a single packet can generate between 10 and 100 times the original bandwidth. This is called an amplification attack, and when combined with a reflective DoS attack on a large scale, using multiple amplifiers and targeting a single victim, DDoS attacks can be conducted with relative ease.

The potential effect of an amplification attack can be measured by BAF, which can be calculated as the number of UDP payload bytes that an amplifier sends to answer a request, compared to the number of UDP payload bytes of the request. [2] [3]

The following is a list of known protocols and their associated BAFs. CISA offers thanks to Christian Rossow for providing this information. For more information on BAFs, please see Christian's blog and associated research paper.

Protocol Bandwidth Amplification Factor Vulnerable Command DNS 28 to 54 see: TA13-088A [4] NTP 556.9 see: TA14-013A [5] SNMPv2 6.3 GetBulk request NetBIOS 3.8 Name resolution SSDP 30.8 SEARCH request CharGEN 358.8 Character generation request QOTD 140.3 Quote request BitTorrent 3.8 File search Kad 16.3 Peer list exchange Quake Network Protocol 63.9 Server info exchange Steam Protocol 5.5 Server info exchange Multicast DNS (mDNS) 2 to 10 Unicast query RIPv1 131.24 Malformed request Portmap (RPCbind) 7 to 28 Malformed request LDAP 46 to 55 Malformed request [6] CLDAP [7] 56 to 70 — TFTP [23] 60 — Memcached [25] 10,000 to 51,000 — WS-Discovery 10 to 500 —

In March 2015, the CERT Coordination Center of the Software Engineering Institute issued Vulnerability Note VU#550620 describing the use of mDNS in DRDoS attacks. Attackers can leverage mDNS by sending more information than can be handled by the device, thereby causing a DoS condition. [8]

In July 2015, Akamai Technologies' Prolexic Security Engineering and Research Team (PLXsert) issued a threat advisory describing a surge in DRDoS attacks using RIPv1. Malicious actors are leveraging the behavior of RIPv1 for DDoS reflection through specially crafted request queries. [9]

In August 2015, Level 3 Threat Research Labs reported a new form of DRDoS attack that uses portmap. Attackers are leveraging the behavior of the portmap service through spoofed requests to flood a victim’s network with UDP traffic. [10]

In October 2016, Corero Network Security reported a new DDoS amplification attack exploiting LDAP directory services servers against its customers. [11]

In November 2017, Netlab 360 reported that CLDAP is now the third most common DRDoS attack, behind DNS and NTP attacks. [12]

In February 2018, SENKI reported an increase in Memcached-based reflection DDoS attacks (via UDP/TCP port 11211) with an unprecedented amplification factor. [24]

In September 2019, Akamai reported DDoS attacks exploiting WS-Discovery protocol (via TCP/UDP port 3702. [26]