DrDoS
Distributed Reflection Denial of Service (DrDoS), also known as UDP-based amplification attacks, uses publically accessible UDP servers and bandwidth amplification factors to overwhelm a system with UDP traffic.
Open the
DrDoS.pcap
file. In this packet capture, a SYN packet is sent over a server IP address with the victim's source IP address; note the destination port is HTTP 80
and the source port is NTP port 123
, UDP. Now the server will respond with an ACK packet to the source that in this case will be the victim's IP address. If multiple servers were used, the server will flood the victim (target) with ACK packets.
There are UDP protocols (DNS, NTP, and BitTorrent) that are infected by UDP-Based amplification attacks. For more information on this, refer to alert TA14-017A published by US-CERT: https://www.us-cert.gov/ncas/alerts/TA14-017A.