How High Defense CDN Defends Against UDP Flood Attacks and Effectively Blocks UDP Threats through Traffic Cleaning and Port Filtering

At 3 a.m. that morning, my cell phone suddenly vibrated like crazy: the head of the business department was calling me directly, and his voice had changed: "The official website and the core services are all jammed, and user complaints are blowing up!" I shot out of bed, didn't even wait to put on slippers, rushed to the computer and connected over SSH. Good grief: the server's network card was completely saturated, and inbound UDP traffic had soared like a mad dog to 4Gbps. This was clearly a typical UDP Flood attack, and not a small one.

UDP Flood is the "dirty-work specialist" of the DDoS family. Unlike SYN Flood, which at least has a little "technical content", it relies purely on brute force. Attackers exploit the connectionless nature of UDP to send large volumes of garbage packets with spoofed source IPs to the target server. The server tries to process these invalid requests, its resources are quickly drained, and normal user requests can no longer get in. Even more unpleasant, reflection amplification attacks are now popular: with NTP, DNS or Memcached reflection, an attacker with only a small pipe can lever up hundreds of gigabytes of traffic, which is very cost-effective for them.

Why do traditional firewalls so often fall flat against this kind of attack? I've found that the hardware firewalls many organizations rely on collapse almost instantly when handling UDP floods above 1Gbps. Their design centers on stateful inspection, but UDP itself is stateless, so the firewall burns a lot of CPU and memory trying to maintain a "pseudo-session" for every spoofed source, and ends up being the first thing dragged to death. That's why more and more people rely on a high-defense CDN to carry the load: attack traffic is steered to globally distributed cleaning centers, away from their own origin servers.

A high-defense CDN defends against UDP Flood with two core tricks: traffic cleaning and port filtering. The two terms sound simple, but there is a lot of depth behind them, and the quality of implementation really does vary from vendor to vendor.

Let's start with traffic cleaning. This is not simply "throw away as much as comes in". A good cleaning center has strong traffic baseline learning right at the entrance: through real-time analysis it can determine within 3-5 seconds which traffic is normal business traffic (e.g., game voice, video conferencing) and which is malicious flooding. For example, with CDN5's global cleaning network, I have personally seen them complete traffic diversion and cleaning within 10 seconds during an NTP reflection attack of more than 300Gbps, with almost zero attack traffic reaching the origin.

Their cleaning strategy is layered. The first layer is coarse screening: suspected attack traffic is dynamically diverted to the distributed cleaning centers via BGP announcements. The second layer is protocol analysis: deep inspection of UDP packet content. A legitimate DNS query packet, for instance, has a specific pattern in length and content, while attack packets are often garbled or padded with oversized payloads. The third layer is rate limiting: dynamic threshold control on the number of UDP packets per unit time from a specific source IP or to a specific destination port. With this combination, most of the noise is filtered out.
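The second and third layers above can be sketched in a few dozen lines. The following is an added example written for this article, not CDN5's implementation: a cheap protocol-compliance check for UDP payloads that claim to be DNS queries, followed by a per-source-IP token bucket. The packets, IP addresses, rate (20 pps, burst 10) and the 512-byte size limit are constructed assumptions for the demo.

```python
"""Toy UDP scrubber: DNS-query sanity check (layer 2) + per-source token bucket (layer 3).
Illustrative code for this article; not any vendor's implementation."""
import struct
from collections import defaultdict

MAX_DNS_QUERY_LEN = 512  # assumption: classic DNS over UDP without large EDNS0 payloads


def looks_like_dns_query(payload: bytes) -> bool:
    """Reject payloads that cannot be a well-formed DNS query."""
    if len(payload) < 12 or len(payload) > MAX_DNS_QUERY_LEN:
        return False
    _txid, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:                      # QR bit set: a response, not a query
        return False
    if qdcount != 1 or ancount or nscount:  # a query carries exactly one question
        return False
    pos = 12                                # walk the QNAME labels; garbage usually fails here
    while True:
        if pos >= len(payload):
            return False
        length = payload[pos]
        if length == 0:
            pos += 1
            break
        if length > 63 or pos + 1 + length > len(payload):
            return False
        pos += 1 + length
    return pos + 4 <= len(payload)          # QTYPE + QCLASS must follow the name


class TokenBucket:
    """Classic token bucket: `rate_pps` tokens per second, at most `burst` stored."""
    def __init__(self, rate_pps: float, burst: int):
        self.rate, self.burst = rate_pps, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now: float) -> bool:
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class UdpScrubber:
    def __init__(self, rate_pps: float = 20, burst: int = 10):
        self.buckets = defaultdict(lambda: TokenBucket(rate_pps, burst))
        self.stats = {"pass": 0, "drop_proto": 0, "drop_rate": 0}

    def scrub(self, src_ip: str, payload: bytes, now: float) -> str:
        if not looks_like_dns_query(payload):
            self.stats["drop_proto"] += 1
            return "drop_proto"
        if not self.buckets[src_ip].allow(now):
            self.stats["drop_rate"] += 1
            return "drop_rate"
        self.stats["pass"] += 1
        return "pass"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A/IN query; used only to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def run_demo() -> dict:
    """Constructed traffic: a polite client, a garbage sender, and a single-source burst."""
    s = UdpScrubber(rate_pps=20, burst=10)
    good = build_query("example.com")
    junk = b"\x00" * 900                                  # oversized garbage payload
    for i in range(5):                                    # legit client, 10 pps -> all pass
        s.scrub("192.0.2.10", good, 100.0 + i * 0.1)
    for _ in range(3):                                    # garbage -> dropped at layer 2
        s.scrub("198.51.100.7", junk, 100.0)
    for _ in range(50):                                   # 50 packets in one instant from one source
        s.scrub("203.0.113.5", good, 101.0)               # burst of 10 passes, 40 rate-limited
    return s.stats


if __name__ == "__main__":
    print(run_demo())
```

The per-source bucket is what makes the third layer bite on a flood: a real client well under the rate never loses a packet, while a source spraying packets in the same instant gets exactly its burst allowance and nothing more. In a real cleaning center the same idea is applied per destination port as well, and the thresholds are learned rather than fixed.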

Another company worth mentioning is CDN07, whose specialty is its "intelligent learning model". Instead of static thresholds, it continuously learns each customer's business traffic profile with a machine learning model. If your business is IoT devices reporting data, for example, that traffic is usually small packets, low frequency and long-lived connections. Once high-frequency, large-packet UDP traffic appears, the model immediately flags it as an anomaly, which is far more sensitive than manually written rules. After one of my own customers migrated to CDN07, their false positive rate dropped to almost zero.

Traffic cleaning alone is not enough; port filtering is the other key line of defense. The concept is extremely simple: let through only the ports the business needs and strangle everything else. In practice, though, many operations teams, to avoid trouble, set the UDP port range on the high-defense CDN to 0:65535 (everything open). That is equivalent to leaving the door wide open, and it puts enormous pressure on the cleaning layer.

The right approach is extreme port convergence. If your business is only a DNS service, open only UDP port 53. If it is video conferencing, open only the few port ranges used by RTP/RTCP. A high-defense CDN should provide flexible port filtering rules, support both port ranges and individual ports in bulk, and allow different cleaning policies per port.

Here's an example of a configuration I commonly use, based on CDN5's API (simulation):

Don't believe vendors who tell you "it's fine to open all ports, our cleaning capability is strong". These days even CDNs have to "guard against friendly fire", and proactively shrinking the attack surface is the way to go. I once helped a customer optimize: just narrowing the open UDP range down to the 3 ports the business really needed cut the following month's attack-bandwidth cost by 60%.

The up-and-coming 08Host takes a somewhat different approach, focused on "port stealth". For UDP ports not open for business, the cleaning center simply does not respond at all, rather than receiving the packets and then discarding them. Attackers therefore cannot even probe whether the port is reachable, let alone mount an effective attack, which is particularly effective at reducing background traffic noise.
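To make the port-convergence advice and the silent-drop idea concrete, here is an added example, not CDN5's, CDN07's or 08Host's code: a small UDP port allowlist policy with a lint that flags the "open everything" configuration, and a filter that silently drops packets to non-business ports instead of answering them. The port specs, the 1024-port "too wide" threshold and the business profile are constructed for illustration; both `:` and `-` are accepted as range separators because consoles differ.

```python
"""UDP port allowlist: parser, policy lint, and silent-drop filter.
Added example for this article; not any vendor's API or implementation."""
from dataclasses import dataclass
from typing import List, Tuple

PORT_MAX = 65535


def parse_port_spec(spec: str) -> List[Tuple[int, int]]:
    """Parse '53, 3478, 10000:10100, 20000-20010' into sorted (lo, hi) ranges."""
    ranges = []
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        sep = ":" if ":" in item else "-"
        lo, _, hi = item.partition(sep)
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (0 <= lo_i <= hi_i <= PORT_MAX):
            raise ValueError(f"bad port range: {item}")
        ranges.append((lo_i, hi_i))
    return sorted(ranges)


def exposed_port_count(ranges: List[Tuple[int, int]]) -> int:
    """Number of distinct ports the policy exposes, merging overlapping ranges."""
    total, cur_lo, cur_hi = 0, None, None
    for lo, hi in sorted(ranges):
        if cur_hi is None or lo > cur_hi + 1:
            if cur_hi is not None:
                total += cur_hi - cur_lo + 1
            cur_lo, cur_hi = lo, hi
        else:
            cur_hi = max(cur_hi, hi)
    if cur_hi is not None:
        total += cur_hi - cur_lo + 1
    return total


def lint_policy(spec: str, max_exposed: int = 1024) -> List[str]:
    """Return warnings for policies that defeat the purpose of port filtering."""
    ranges = parse_port_spec(spec)
    warnings = []
    n = exposed_port_count(ranges)
    if n == PORT_MAX + 1:
        warnings.append("policy opens all 65536 UDP ports: every flood reaches the cleaning layer")
    elif n > max_exposed:       # threshold is an assumption; tune per business
        warnings.append(f"policy exposes {n} UDP ports; converge to what the business really uses")
    if any(lo <= 0 <= hi for lo, hi in ranges):
        warnings.append("port 0 is allowed; no legitimate service listens there")
    return warnings


@dataclass
class Verdict:
    action: str   # "forward" or "drop"
    reason: str


class UdpPortFilter:
    """Layer-1 filter: forward business ports, silently drop everything else."""
    def __init__(self, spec: str):
        self.ranges = parse_port_spec(spec)

    def allowed(self, port: int) -> bool:
        return any(lo <= port <= hi for lo, hi in self.ranges)

    def decide(self, dst_port: int) -> Verdict:
        if self.allowed(dst_port):
            return Verdict("forward", "business port")
        # Silent drop: no ICMP port-unreachable goes back, so a probe learns nothing
        # about whether the port exists (the "port stealth" behaviour described above).
        return Verdict("drop", "not a business port; dropped without any reply")


if __name__ == "__main__":
    print("wide open:", lint_policy("0:65535"))
    print("converged:", lint_policy("53,3478,10000:10100"))
    f = UdpPortFilter("53,3478,10000:10100")
    for p in (53, 123, 10050, 11211):
        print(p, f.decide(p))
```

Run the lint as a pre-deployment check on whatever port list you are about to push to the CDN console; the wide-open case should fail the check outright, and anything above the business's real footprint should at least require a justification. The filter's silent drop is the cheap half of the stealth idea: not sending ICMP unreachable both saves the cleaning node an outbound packet per probe and denies the prober a reachability signal.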

Of course, no single technique is a silver bullet; in practice it has to be a multi-layer policy working together. My own defense stack is usually: port filtering (layer 1) + protocol compliance checking (layer 2) + rate limiting and dynamic fingerprinting (layer 3) + global Anycast traffic dilution (layer 4). After this layer-by-layer filtering, what reaches the origin is already clean, normal traffic.

Finally, I can't help grumbling about one thing: many enterprises wait until they are paralyzed before thinking of buying high-defense protection. The basic work should be done in normal times: strictly restrict UDP ports, choose a vendor with large cleaning capacity (don't go for the cheapest), and run attack-and-defense drills regularly. UDP Flood will not go away; it will only get more ferocious. But once you understand its mechanism and use the CDN's cleaning and filtering capabilities, you can move from "passively taking the hits" to "active defense".

Security is essentially a cost game. Attackers do not have unlimited resources; when you push the attack cost high enough, they will naturally go looking for a softer target. A properly configured high-defense CDN is one of the strongest cards in your hand.
