Conference: International Conference on Computing, Networking and Communications

Preventing UDP Flooding Amplification Attacks with Weak Authentication


Abstract

An attacker wishing to flood a network with excess amounts of network traffic may send UDP packets with a spoofed IP source address corresponding to the target network. In many cases servers then amplify the attack by replying to the target network with more data than was sent by the attacker. This kind of attack has been successful in the past using both DNS and NTP servers. The AllNet protocol has been designed to deliver data over UDP as well as other media. Once an AllNet peer receives a suitable UDP packet, it records the sender's IP address and begins to forward AllNet data to that address. This is a legitimate form of traffic amplification, with one packet being used to request that a limited number of other packets (currently 100) be sent to this IP address. To keep attackers from using AllNet peers for flooding amplification attacks, AllNet peers require potential contacts to return a bitstring that was sent to that specific IP address. In this way, legitimate contacts can receive and return the bitstring and start receiving their data. In contrast, attackers who spoof their IP address and do not receive the bitstring are unable to direct amplified traffic to other networks. This very weak form of authentication, conceptually related to TCP SYN cookies, only verifies that the packet comes from a system that is able to receive packets sent to that specific IP address. Such weak authentication is sufficient to prevent flooding amplification attacks.
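
One way to implement the return-the-bitstring check described in the abstract, as an added example that is not code from the paper or from AllNet. The HMAC-derived token, its 16-byte length, the 60-second epochs and the class and method names are assumptions; the abstract states only that a bitstring sent to the address must be returned, and that 100 packets are then forwarded.

```python
import hashlib
import hmac
import os
import time

FORWARD_LIMIT = 100   # packets forwarded per verified request (figure from the abstract)
EPOCH_SECONDS = 60    # assumed token lifetime granularity
TOKEN_BYTES = 16      # assumed bitstring length


class ChallengeGate:
    """Return-routability gate for a UDP peer (hypothetical names, assumed design)."""

    def __init__(self, secret=None, now=time.time):
        self._secret = secret or os.urandom(32)
        self._now = now
        self._budget = {}  # verified address -> packets still allowed

    def _token(self, ip, epoch):
        # Derived from a local secret, so no state is kept for unverified addresses.
        msg = f"{ip}|{epoch}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:TOKEN_BYTES]

    def handle(self, src_ip, returned=None):
        """Process a request whose (possibly spoofed) source is src_ip.

        Returns ("verified", budget) or ("challenge", token_to_send_to_src_ip).
        """
        epoch = int(self._now()) // EPOCH_SECONDS
        if returned is not None:
            # Accept the previous epoch too, so a token issued just before rollover works.
            for e in (epoch, epoch - 1):
                if hmac.compare_digest(returned, self._token(src_ip, e)):
                    self._budget[src_ip] = FORWARD_LIMIT
                    return ("verified", FORWARD_LIMIT)
        # Missing or wrong token: the only reply is one small challenge, so the
        # response is no larger than the request and nothing is amplified.
        return ("challenge", self._token(src_ip, epoch))

    def may_forward(self, dst_ip):
        """Consume one unit of forwarding budget; False for unverified addresses."""
        left = self._budget.get(dst_ip, 0)
        if left <= 0:
            return False
        self._budget[dst_ip] = left - 1
        return True
```

Because the token is bound to the claimed source address, a sender that spoofs another network's address never sees the token for that address and cannot unlock forwarding to it.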