UDP Garbage Flood

A UDP Garbage flood tries to saturate bandwidth in order to bring about a DoS state to the network.

This DDoS attack is normally done by sending a rapid succession of UDP datagrams with spoofed IPs to a server within the network via various different ports, forcing the server to respond with ICMP traffic. The saturation of bandwidth happens both on the ingress and the egress direction. This flood has a lot of garbage in the data section of the datagram.

Technical Analysis

Below is an analysis of a UDP Garbage flood running from a single SRC attacking IP at a high rate to a single destination target IP.

In Image 1 below you can see the multiple Fragmented packets being sent to victim server. You can see the “More Fragments” flag is set. Also, note that the size of the packet (1474) is equal to the Maximum Transmission Unit (MTU).

“Image 1 – Example of single UDP Garbage Flood packet being sent to port 80”

As seen in Image 2, the last packet in the sequence is only 722 bytes long. WireShark recognizes the last packet in the sequence and reassembles the packets for you. You can see that the total length of the data is 5000 bytes.

“Image 2 – Last Packet in the Sequence”

In Image 3 below you can see the UDP packets are being sent to port 80 of the destination target IP. This is highly unusual and in most cases UDP does not need to send to port 80 legitimately, These are the first signs of a UDP garbage flood attack.

“Image 3 – Example of single UDP Garbage Flood packet being sent to port 80”

The rate in Image 4 of around 100 PPS (Packets Per Second) with an average packet size of 1286 bytes. The large packet size is a strong indication that an attack is taking place.

“Image 4 – UDP Garbage Flood rate from single SRC IP to Single Target DST IP”

UDP garbage Flood is a high volume flood due to the size of packets that can be generated per attacking machine. However identification of this type of flood is usually easier because of how easily this attack vector stands out in normal network communications.

Analysis of an UDP Garbage flood in Wireshark – Filters

Filter out UDP packets going to port 80 – (ip.proto == 17) && (udp.dstport == 80)

Also you can see all UDP fragmented packets using “(ip.flags.mf == 1) && (ip.proto == 17)”

Goto Statistics -> Summary on the menu bar to understand the rate you are looking at.

Download Example PCAP of UDP Garbage Flood

*Note: IP’s have been randomized to ensure privacy.