Now let's talk about our second TCP/IP model transport layer protocol, UDP. Our first attack vector for it is the UDP flood. As you know, UDP has no flags; it is not as sophisticated a protocol as TCP. Therefore the attack vectors for this protocol are limited, I mean in variety.
However, that doesn't mean they are ineffective. In fact, UDP attacks can be just as effective as any kind of TCP attack, and we'll see the reasoning behind that in a moment. So what is a UDP flood? I'll start with a basic definition. A UDP flood attack is initiated by sending a large number of UDP packets to random ports on a remote host.
Actually, "random" is not necessarily random. The attacker can choose specific ports, the most common being 80, 443 or 53, that is, the ports for HTTP, HTTPS and DNS. So the attacker can target, for example, your web traffic on 80 and 443. This targeted case is what we want to focus on in this lecture.
The destination host, meaning your host, checks for an application listening at that port. For example, if the attack is aimed at port 80, the host checks whether an application is listening there. A web server like Apache does listen on port 80, but over TCP; it does not expect UDP traffic. So the host finds that no application listens on that port for UDP. This is the interesting part, and it is what makes the UDP flood effective: the host tries to reply with an ICMP destination unreachable packet (port unreachable, type 3 code 3) for every single UDP packet the attacker sends.
So again, your destination tries to answer with ICMP destination unreachable, informing the client, in our case the attacker, that the port is not reachable via UDP. The attacker exploits this by sending UDP packets over and over again, so that your host tries to answer each one; in the end the resources are not enough and the services go down. How to detect this? First, filter for the specific destination ports you suspect the attacker is hitting: 80 or 443 in most cases, or 53 if you are running DNS. Then also filter for the ICMP responses being sent back.
That is also an important thing to check. And since this is a volumetric attack, we also need to check for volume spikes in the incoming traffic, because a spike is an indication of whether a volumetric attack is ongoing or not. Here is what a simple UDP flood might look like in a capture: the destination port is 80, there is one single destination IP and one source. In this case a DoS attack is trying to take down the destination's web servers by constantly sending the same UDP packets.
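The three detection checks just described (UDP to the suspected ports, the ICMP port unreachable replies, and a volume spike with its top talkers), as an added example that is not part of the lecture. It runs over a constructed packet list rather than a real capture; the `Pkt` record, the 20 pps threshold, the victim and attacker addresses, and the assumed ICMP rate limiting are all this example's own assumptions, and the tcpdump/Wireshark filters in the comments are the equivalent you would type on a real host.

```python
# Added example (not from the lecture): a toy UDP-flood detector that applies the
# three checks described above to a constructed packet capture:
#   1. UDP packets to the destination ports we suspect (80, 443, 53),
#   2. the ICMP destination unreachable / port unreachable replies (type 3, code 3),
#   3. a per-second volume spike, plus the top talkers behind it.
# Equivalent capture filters on a real box:
#   tcpdump:   'udp and dst port 80'      and   'icmp[0] = 3 and icmp[1] = 3'
#   Wireshark: udp.dstport == 80          and   icmp.type == 3 && icmp.code == 3
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Minimal packet record; field names are this example's own, not a pcap schema."""
    ts: float          # seconds since start of capture
    proto: str         # "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0     # UDP destination port (unused for ICMP)
    icmp_type: int = 0
    icmp_code: int = 0


SUSPECT_PORTS = {53, 80, 443}   # DNS, HTTP, HTTPS, as named in the lecture


def udp_to_suspect_ports(pkts, ports=SUSPECT_PORTS):
    """Check 1: UDP packets aimed at the ports we expect an attacker to pick."""
    return [p for p in pkts if p.proto == "udp" and p.dport in ports]


def icmp_port_unreachable(pkts):
    """Check 2: ICMP destination unreachable with code 3 = port unreachable."""
    return [p for p in pkts
            if p.proto == "icmp" and p.icmp_type == 3 and p.icmp_code == 3]


def pps_per_second(pkts):
    """Packets per whole second, for the volume-spike check."""
    return Counter(int(p.ts) for p in pkts)


def top_talkers(pkts, n=3):
    """Sources sending the most packets: the list you would start blocking from."""
    return Counter(p.src for p in pkts).most_common(n)


def detect_flood(pkts, pps_threshold=20):
    """Check 3: alert when UDP traffic to suspect ports exceeds pps_threshold in
    any one second. The threshold is an assumption; derive yours from a baseline."""
    suspect = udp_to_suspect_ports(pkts)
    per_sec = pps_per_second(suspect)
    peak_sec, peak_pps = max(per_sec.items(), key=lambda kv: kv[1], default=(None, 0))
    return {
        "alert": peak_pps >= pps_threshold,
        "peak_second": peak_sec,
        "peak_pps": peak_pps,
        "udp_suspect": len(suspect),
        "icmp_unreachable": len(icmp_port_unreachable(pkts)),
        "top_talkers": top_talkers(suspect),
    }


def constructed_capture():
    """Constructed sample traffic (not a real capture). Victim is 192.0.2.10."""
    pkts = []
    # Background: two legitimate DNS clients, one query each per second for 5 s.
    for s in range(5):
        for i in range(2):
            pkts.append(Pkt(s + 0.4 * i, "udp", f"198.51.100.{10 + i}", "192.0.2.10", 53))
    # Some UDP to a port we are not watching (NTP); the filter must ignore it.
    pkts.append(Pkt(1.5, "udp", "198.51.100.20", "192.0.2.10", 123))
    # Flood: a single source hammers UDP/80 at 50 packets per second in seconds 5-6.
    for s in (5, 6):
        for i in range(50):
            pkts.append(Pkt(s + i / 50, "udp", "203.0.113.7", "192.0.2.10", 80))
            # The victim answers with ICMP port unreachable, but (assumption)
            # its OS rate-limits the replies to one per 20 flood packets.
            if i % 20 == 0:
                pkts.append(Pkt(s + i / 50 + 0.001, "icmp", "192.0.2.10",
                                "203.0.113.7", 0, 3, 3))
    return pkts


if __name__ == "__main__":
    for key, value in detect_flood(constructed_capture()).items():
        print(f"{key}: {value}")
```

Note that the ICMP count comes out far lower than the UDP count: that gap between packets in and port unreachable replies out is exactly the OS rate limiting discussed under mitigation, so a low ratio on a real host is not evidence that the flood is absent.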
Now, how to mitigate it? Most operating systems mitigate the attack by limiting the rate at which ICMP responses are sent (on Linux, for example, the net.ipv4.icmp_ratelimit and net.ipv4.icmp_ratemask sysctls control this). In other words, operating systems today are clever enough to limit the responses and therefore limit the consumption of resources, at least for moderate volumes. For the high-volume ones, if you are hit by a really big attack, one of the first things to do is narrow down the top talkers, meaning the source IPs generating the most traffic towards your destinations, and if possible block them. Keep in mind that UDP source addresses are easily spoofed, so the top talkers you see are not necessarily the real origin. If you cannot cope either way, you may have to go with a CDN
or a rate-control solution. We'll talk about the advantages and disadvantages of rate controls with CDNs towards the end of this course. But as a heads-up: for such volumetric attacks, if you cannot cope by yourself, a third-party defense solution may be necessary.