Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Certain application-layer protocols that rely on User Datagram Protocol (UDP) have been identified as potential attack vectors:
DNS
NTP
SNMPv2
NetBIOS
SSDP
CharGEN
QOTD
BitTorrent
Kad
Quake Network Protocol
Steam Protocol
RIPv1
Multicast DNS (mDNS)
Portmap/RPC
Overview
A Distributed Reflective Denial of Service (DRDoS) attack is a form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible UDP servers, as well as bandwidth amplification factors, to overwhelm a victim system with UDP traffic.
Description
UDP, by design, is a connection-less protocol that does not validate source IP addresses. Unless the application-layer protocol uses countermeasures such as session initiation in VOIP (voice over IP), it is very easy to forge the IP packet datagram to include an arbitrary source IP address [1]. When many UDP packets have their source IP address forged to the victim IP address, the destination server (or amplifier) responds to the victim (instead of the attacker), creating a reflected Denial of Service (DoS) Attack.
Recently, certain UDP protocols have been found to have particular responses to certain commands that are much larger than the initial request. Previously, attackers were limited linearly by the number of packets directly sent to the target to conduct a DoS attack; now a single packet can generate tens or hundreds of times the bandwidth in its response. This is called an amplification attack, and when combined with a reflective DoS attack on a large scale using multiple amplifiers and targeting a single victim, DDoS attacks can be conducted with relative ease.
To measure the potential effect of an amplification attack, a metric called the bandwidth amplification factor (BAF) is used. BAF can be calculated as the number of UDP payload bytes that an amplifier sends to answer a request, compared to the number of UDP payload bytes of the request [2 (link is external)] [3 (link is external)].
The list of known protocols—and their associated bandwidth amplification factors—are listed below. US-CERT offers thanks to Christian Rossow for providing this information. For more information on bandwidth amplification factors, please see Christian's blog (link is external) and associated research paper (link is external).
Your article is very useful, the content is great, I have read a lot of articles, but for your article, it left me a deep impression, thank you for sharing.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.