How social high-defense CDNs use UDP traffic cleaning to handle UDP attacks and keep communication stable

If you saw this title and clicked, you have probably already taken a beating from a UDP attack. I still remember the first time a UDP flood paralyzed the business late at night: the alert texts buzzed like a death knell, the traffic curve shot straight up into a cliff, and then pop, every service was offline.

These days the cost of an attack is appallingly low. Any script kiddie can rent a botnet for a few tens of dollars and use a UDP torrent to wash your business away. Reflection amplification attacks are even nastier: the attacker sends one small crafted packet and hundreds of times that volume bounces back at you. The root cause, which no device can fully fix, is that UDP is connectionless by design. There is no three-way handshake to act as a buffer the way TCP has; every packet that arrives has to be picked up and looked at, malicious or not.

Why do so many traditional high-defense devices fall flat on UDP? Because their design thinking is still stuck in the TCP era. They lean on SYN cookies, but UDP has no handshake and no connection state for a cookie to attach to. I tested one traditional firewall: the moment its UDP protection was switched on, latency on normal audio and video calls went above 500 ms. That is not protection, that is shooting yourself in the foot.

A scheme that can actually fight has to start from the protocol's characteristics. Social products cannot live without real-time audio and video, voice chat, and live location sharing, and all of those are UDP's own children. You cannot club the whole protocol to death; you have to learn precision bomb disposal.

First, a lesson learned with tears: do not believe vendors who brag about "fully automated, attack resolved in seconds". UDP attacks come in every shape, DNS reflection, NTP amplification, CLDAP reflection, plus plain flood traffic aimed at custom ports, and no single algorithm covers every scenario. The saddest case I have seen was a vendor's "intelligent cleaning" classifying heartbeat packets as attack traffic and tripping the circuit breaker, which knocked every online user offline at once.

Reliable UDP traffic cleaning takes three steps: fingerprint learning, dynamic rules, and tunnel separation. Fingerprint learning comes first. A good social high-defense CDN learns the characteristics of your UDP traffic on its own while the business is healthy: for example, your voice packets are usually 120 to 200 bytes, the packet rate stays under 50 per second, and destination ports are concentrated in a certain range. That data forms a traffic fingerprint, and the moment traffic deviates from the baseline, cleaning is triggered.
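
What that baseline looks like in code, as an added example that is not from the original article: learn a fingerprint (payload size range, peak per-source packet rate, destination ports) from a sample captured while the business is healthy, then flag sources in a later window that fall outside it. The size bound is also exactly the length filter that the CLDAP case at the end of this piece relies on. Every packet record here is constructed for the demo; the margins and field names are assumptions.

```python
"""Added example, not code from the original article: learn a UDP traffic
fingerprint from a healthy-period sample, then classify a later window.
All packet records are constructed; margins and field names are assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Pkt:
    src: str      # client IP
    dport: int    # destination UDP port
    size: int     # UDP payload length in bytes
    ts: float     # arrival time in seconds


@dataclass(frozen=True)
class Fingerprint:
    size_lo: int
    size_hi: int
    max_pps: float
    ports: FrozenSet[int]


def learn_fingerprint(pkts: List[Pkt], size_margin=0.10, pps_margin=1.5) -> Fingerprint:
    """Baseline from a healthy sample. The size range is widened by size_margin
    and the peak per-source packets/second by pps_margin so ordinary jitter
    does not trip the rule."""
    sizes = [p.size for p in pkts]
    per_src_sec = Counter((p.src, int(p.ts)) for p in pkts)
    return Fingerprint(
        size_lo=int(min(sizes) * (1 - size_margin)),
        size_hi=int(max(sizes) * (1 + size_margin)),
        max_pps=max(per_src_sec.values()) * pps_margin,
        ports=frozenset(p.dport for p in pkts),
    )


def classify(pkts: List[Pkt], fp: Fingerprint) -> dict:
    """Map each deviating source to the first rule it broke; sources absent from
    the result passed every check. Port and size are per-packet checks, rate is
    per source per one-second bucket."""
    per_src_sec = Counter((p.src, int(p.ts)) for p in pkts)
    verdict = {}
    for p in pkts:
        if p.src in verdict:
            continue
        rate = per_src_sec[(p.src, int(p.ts))]
        if p.dport not in fp.ports:
            verdict[p.src] = f"port {p.dport} not in baseline set"
        elif not fp.size_lo <= p.size <= fp.size_hi:
            verdict[p.src] = f"size {p.size}B outside {fp.size_lo}-{fp.size_hi}B"
        elif rate > fp.max_pps:
            verdict[p.src] = f"rate {rate} pps above {fp.max_pps:.0f}"
    return verdict


def voice_stream(src: str, seconds: int, pps: int, port=10000) -> List[Pkt]:
    """Constructed voice-like stream: pps packets/sec, payloads cycling 120-200 B."""
    return [Pkt(src, port, 120 + (s * pps + i) % 81, s + i / pps)
            for s in range(seconds) for i in range(pps)]


# Healthy sample: two voice clients at 50 and 40 pps for ten seconds.
HEALTHY = voice_stream("10.0.0.1", 10, 50) + voice_stream("10.0.0.2", 10, 40)

# Later window: one normal client plus three constructed attack sources.
OBSERVED = (
    voice_stream("10.0.0.3", 5, 45)
    + [Pkt("203.0.113.7", 10000, 160, i / 500) for i in range(500)]   # 500 pps flood
    + [Pkt("198.51.100.9", 10000, 1200, i / 10) for i in range(10)]   # reflected 1200 B payloads
    + [Pkt("192.0.2.5", 53, 150, i / 10) for i in range(10)]          # probes to a port never seen
)

if __name__ == "__main__":
    fp = learn_fingerprint(HEALTHY)
    print("baseline:", fp)
    for src, why in classify(OBSERVED, fp).items():
        print(f"clean {src}: {why}")
```

The order of checks matters in practice: port and size are cheap per-packet tests that can run in the data plane, while the rate test needs a per-source counter and is the one a heartbeat-heavy app is most likely to trip, so widen pps_margin before you widen anything else.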

Dynamic rules are the tool you actually fight with. CDN5's approach, for example, is clever: instead of simply dropping packets, it inserts a challenge mechanism for suspect traffic. Normal client UDP packets are marked and required to carry a specific token in response; botnets usually cannot complete the response and get kicked out of the queue. The measured impact on business latency was under 3 ms, practically imperceptible.
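
One way to build such a challenge, as an added example that is neither CDN5's code nor anything from the original article: a stateless scheme in the spirit of SYN cookies. The first packet from an unverified source is answered with a token bound to that source address and a coarse time bucket; only packets that echo the token are forwarded. A botnet spoofing its source addresses never receives the reply and so can never produce a valid token. The wire format, bucket size, MAGIC prefix and secret handling are all assumptions made for the demo.

```python
"""Added example, not CDN5's code or from the original article: a stateless
UDP challenge/response in front of a backend. Wire format, bucket size and
secret handling are assumptions; the traffic in simulate() is constructed."""
import hashlib
import hmac
import struct
import time

TOKEN_LEN = 8          # bytes of HMAC-SHA256 output the client must echo
BUCKET_SECONDS = 30    # tokens rotate on this schedule; previous bucket still accepted
MAGIC = b"CHAL"        # assumed prefix so a client can recognise a challenge reply


class Scrubber:
    """Cleaning node in front of the backend; keeps no per-client state."""

    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now
        self.forwarded = []   # (addr, payload) accepted for the backend
        self.replies = []     # (addr, payload) challenge replies to send back

    def _token(self, addr, bucket: int) -> bytes:
        ip, port = addr
        msg = ip.encode() + struct.pack("!HQ", port, bucket)
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:TOKEN_LEN]

    def _bucket(self) -> int:
        return int(self.now()) // BUCKET_SECONDS

    def _valid(self, addr, token: bytes) -> bool:
        # accept the current and the previous bucket so a client is not
        # re-challenged just because the clock ticked over mid-session
        b = self._bucket()
        return any(hmac.compare_digest(token, self._token(addr, x)) for x in (b, b - 1))

    def on_packet(self, addr, payload: bytes) -> str:
        """Returns 'forward', 'challenge' or 'drop'."""
        if len(payload) >= TOKEN_LEN and self._valid(addr, payload[:TOKEN_LEN]):
            self.forwarded.append((addr, payload[TOKEN_LEN:]))
            return "forward"
        reply = MAGIC + self._token(addr, self._bucket())
        if len(payload) < len(reply):
            # never answer with more bytes than arrived, or the scrubber itself
            # becomes a reflector an attacker could point at someone else
            return "drop"
        self.replies.append((addr, reply))
        return "challenge"


class Client:
    """Legitimate client: learns the token from the challenge and prefixes it."""

    def __init__(self):
        self.token = b"\0" * TOKEN_LEN

    def send(self, scrubber: Scrubber, addr, data: bytes) -> str:
        return scrubber.on_packet(addr, self.token + data)

    def on_reply(self, payload: bytes):
        if payload.startswith(MAGIC):
            self.token = payload[len(MAGIC):]


def simulate():
    """Constructed exchange: one real client, one spoofed flood, one token expiry."""
    clock = [1_000_000.0]
    s = Scrubber(b"constructed-demo-secret", now=lambda: clock[0])
    legit, legit_addr = Client(), ("10.0.0.1", 40000)
    out = [legit.send(s, legit_addr, b"voice frame 1")]          # first contact -> challenge
    legit.on_reply(s.replies[-1][1])                               # the real client sees the reply
    out.append(legit.send(s, legit_addr, b"voice frame 2"))       # now forwarded
    # spoofed flood: replies go to the spoofed owners, attacker never learns a token
    out.append({s.on_packet(("198.51.100.%d" % i, 5000), b"\0" * 64) for i in range(1, 6)})
    clock[0] += 2 * BUCKET_SECONDS + 1                             # token ages out of both buckets
    out.append(legit.send(s, legit_addr, b"voice frame 3"))       # challenged again
    return out


if __name__ == "__main__":
    print(simulate())
```

Two design points carry the security value: the scrubber stores nothing per client, so the challenge table itself cannot be exhausted by a flood, and a challenge reply is never larger than the packet that triggered it, so the cleaning layer cannot be turned into yet another amplifier.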

Tunnel separation is an even harder-hitting trick: physically separate normal traffic and attack traffic onto different links for processing. CDN07's scheme, for instance, assigns each customer an independent cleaning tunnel; attack traffic is diverted to a distributed cluster of cleaning nodes that use FPGA cards for wire-speed filtering. When I pushed a 200 Gbps UDP flood through it during a stress test, latency on normal voice traffic rose by only 8 ms, which is genuinely top-tier.

When it comes to configuration, there is not that much mystery. Take the Nginx stream module as an example: the key is to cap the number of concurrent sessions per client and the packet rate:
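
An added example of such a stream block (assumed values; this is not the article's own snippet, which is not on the page): proxy a UDP voice port, cap concurrent sessions per client IP, bound how long an idle session may hold resources, and limit how many replies one inbound packet may produce. The upstream addresses and port are placeholders.

```nginx
# Added example (assumed values, not the article's own config).
stream {
    # one slot per client address; a 10m zone holds roughly 160k addresses
    limit_conn_zone $binary_remote_addr zone=udp_per_ip:10m;

    upstream voice_backend {
        server 10.0.0.10:10000;   # assumed origin nodes
        server 10.0.0.11:10000;
    }

    server {
        listen 10000 udp reuseport;
        limit_conn udp_per_ip 5;   # at most 5 concurrent UDP sessions per client IP
        limit_conn_log_level warn;

        proxy_pass voice_backend;
        proxy_timeout 60s;         # reclaim the session after 60 s without traffic
        proxy_responses 1;         # expect one reply per request; 0 for fire-and-forget
        proxy_buffer_size 4k;      # 120-200 byte voice packets with headroom
    }
}
```

One caveat: the stream module has no per-packet rate limiter, so limit_conn only caps sessions. The packets-per-second cap has to come from the kernel (for example an nftables limit rate rule) or from the cleaning layer in front of Nginx.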

But the real killer is stack tuning. The default UDP socket buffer sizes in Linux simply cannot absorb a flood, so you have to tune them by hand:
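
An added example of the kind of tuning meant here, with assumed values (the article's own numbers are not on the page and every figure below is a starting point, not a recommendation): larger socket and device queues so that bursts are buffered instead of dropped at the NIC.

```ini
# Added example, assumed values: /etc/sysctl.d/99-udp-flood.conf
net.core.rmem_default = 8388608          # default receive buffer: 8 MiB
net.core.rmem_max = 134217728            # ceiling a socket may request via SO_RCVBUF: 128 MiB
net.core.wmem_max = 134217728
net.core.netdev_max_backlog = 250000     # packets queued per CPU before the kernel drops
net.core.netdev_budget = 600             # packets processed per NAPI poll round
net.ipv4.udp_rmem_min = 16384            # minimum receive buffer guaranteed per UDP socket
net.ipv4.udp_mem = 262144 524288 1048576 # pages (min, pressure, max) shared by all UDP sockets
```

Apply with sysctl --system and watch the RcvbufErrors counter on the Udp line of /proc/net/snmp: if it keeps climbing under load, the buffers are still too small for the burst. Note that buffers only buy headroom; they do not drop a single attack packet, and that remains the cleaning layer's job.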

08Host goes even further here: they modified the kernel's UDP packet processing scheduling so that business traffic and suspected attack traffic are handled on different CPU cores, which keeps a single core from being overwhelmed. On identical hardware, their cleaning efficiency tested more than 40% higher than the standard scheme.

While I am at it, one complaint: some vendors hype "AI protection" when underneath it is still iptables with a handful of rate rules. What actually works is always engineering experience piled up from details. Take preventing DNS reflection attacks: the edge nodes have to answer recursive queries themselves instead of passing the traffic back to the origin. CDN5's DNS protection module caches the authoritative records directly, so external queries simply cannot reach the origin IP.

There are also more insidious slow UDP attacks, which send only a few packets per second but tie up session resources for a long time. The counter is an idle timeout, but set it too short and you kill legitimate long-lived sessions by mistake. Our solution is a layered timeout: for the first 5 minutes a session is allowed to stay up freely; after 5 minutes the client is required to send a heartbeat packet every 90 seconds, and a session with no heartbeat is cleaned up automatically. We adjusted that parameter no fewer than 20 times before finding the balance.
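
The layered timeout above, as an added example that is not the article's own code: a fresh session may stay quiet for GRACE seconds; after that it is reclaimed unless some packet (a heartbeat or real data) has arrived within the last HEARTBEAT seconds. The 5-minute and 90-second values follow the text; the table layout and the traffic in simulate() are constructed for the demo.

```python
"""Added example, not the article's own code: layered idle timeout for a
UDP session table. Timing constants follow the text; the table layout and
the simulated traffic are constructed."""

GRACE = 300       # seconds a new session is tolerated without heartbeats
HEARTBEAT = 90    # maximum silence allowed once the grace period is over


class SessionTable:
    def __init__(self):
        self.sessions = {}   # (ip, port) -> [first_seen, last_seen]

    def on_packet(self, key, now: float):
        """Any packet from key counts as a heartbeat; creates the session on first sight."""
        entry = self.sessions.get(key)
        if entry is None:
            self.sessions[key] = [now, now]
        else:
            entry[1] = now

    def deadline(self, key) -> float:
        """Instant at which the session becomes reclaimable if nothing more arrives:
        the later of the grace-period end and one heartbeat interval past the last packet."""
        first, last = self.sessions[key]
        return max(first + GRACE, last + HEARTBEAT)

    def expire(self, now: float) -> list:
        """Reclaim every session whose deadline has passed; returns their keys."""
        dead = [k for k in self.sessions if now >= self.deadline(k)]
        for k in dead:
            del self.sessions[k]
        return dead


def simulate():
    """Constructed timeline: a real client heartbeating every 60 s until t=600,
    and a slow attacker that sends two packets and then just sits on the slot."""
    table = SessionTable()
    legit, slow = ("10.0.0.1", 40000), ("198.51.100.7", 5000)
    events = {0: [legit, slow], 200: [slow]}
    for ts in range(60, 601, 60):
        events.setdefault(ts, []).append(legit)
    reclaimed = []
    for now in range(0, 701):
        for key in events.get(now, []):
            table.on_packet(key, now)
        for key in table.expire(now):
            reclaimed.append((now, key))
    return reclaimed


if __name__ == "__main__":
    for when, key in simulate():
        print(f"t={when}s reclaimed {key}")
```

The slow attacker's second packet at t=200 buys it nothing: inside the grace period the deadline is still the grace end, so the slot is reclaimed at t=300 regardless. The real client survives as long as it keeps talking, and is reclaimed 90 seconds after its last packet once it goes quiet.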

Finally, a real case. Last year a social app was hit by a CLDAP reflection attack that peaked at 300 Gbps. Three CDNs were tried in turn, and only one of them could carry it. The key difference was protocol-level inspection: a normal CLDAP packet has a fixed length of 48 bytes, while the attack packets ran to 1000+ bytes. Simple length filtering cut 90% of the attack traffic straight away, with no need for complicated algorithms.

So you see, there is no silver bullet against UDP attacks. You have to combine protocol characteristics, business scenarios, and layered defenses in the infrastructure. A good social high-defense CDN should be like a seasoned emergency room doctor: triage quickly, treat the minor illnesses simply, isolate and treat the serious ones, and never hold up normal business.

When picking a provider, focus on three points: whether the cleaning links are physically isolated, whether the rule base can be customized, and whether there is protocol-level optimization. Vendors who only sell bandwidth expansion will land you in the ditch sooner or later. After all, these days even CDNs have to defend against their own teammates: some attack traffic comes straight from compromised nodes at friendly vendors.

Build your own or use cloud protection? My advice is blunt: unless your team can do kernel network stack development, be honest and go to a professional vendor. UDP protection is a bottomless pit; just keeping up with new reflection attacks is enough to keep a security team busy. Of what I have tested so far, CDN07 performs brutally well for game voice, 08Host suits large-scale live streaming, and CDN5's API gateway has the best support for IoT protocols.

At the end of the day, protection is a game of costs and benefits. What you are buying is not bandwidth, it is the experience of someone who has already fallen into the hole. After all, you do not want to be standing alone in the flood when the alarm goes off at 3 am.
