UDP Flood
A UDP Flood is a type of denial-of-service attack in which a large number of User Datagram Protocol (UDP) packets are sent to a targeted server with the aim of overwhelming that device’s ability to process and respond.
The firewall protecting the targeted server can also become exhausted as a result of UDP flooding, resulting in a denial-of-service to legitimate traffic.
Malware/Threat actors
| Name | Type | Years | Source |
|---|---|---|---|
| DarkComet | malware | 2012 | Crypto-DarkComet-Report.pdf
|
| Lazarus Group | threat actor | 2011-2014 | Operation-Blockbuster-Report.pdf
Operation-Blockbuster-RAT-and-Staging-Report.pdf Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf Operation-Blockbuster-Destructive-Malware-Report.pdf |
Preventions
Most operating systems limit the response rate of ICMP packets in part to disrupt DDoS attacks that require ICMP response. One drawback of this type of mitigation is that during an attack legitimate packets may also be filtered in the process. If the UDP flood has a volume high enough to saturate the state table of the targeted server’s firewall, any mitigation that occurs at the server level will be insufficient as the bottleneck will occur upstream from the targeted device.
Detections
<Detection techniques>
Toolkit
<Toolkit instructions, if applicable>