Updated on 2022-12-01 GMT+08:00

Detecting UDP-based Amplification Attacks

This section describes how to detect UDP amplification attacks on your server.

  1. Log in to the server as user root.

    In this example, the server sends ten 800-byte UDP packets per second when it is running properly.

  2. Run the following command to check the current network connections and processes:

    netstat -anpt

    You are advised to run the netstat -anpt command to check whether the current network connections and processes are normal. If the connections or processes have been stopped or hidden, use the tcpdump packet capture tool to capture packets for analysis.

  3. Run the following command to capture packets and analyze UDP traffic attacks:

    tcpdump -nn udp

    Figure 1 shows an example of the captured packets.

    Figure 1 UDP attack packets

    a. Run the following command to temporarily save the captured packet information to the udp.pcap file in the /home folder:

      nohup tcpdump -nn udp -c 1000000 -w /home/udp.pcap &

    b. Run the following command to analyze the captured packet information. Figure 2 shows the analysis result.

      tcpdump -nn -r /home/udp.pcap | awk -F'.' '{print $1}' | sort | uniq -c

      Figure 2 Captured packet analysis result
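The following is an added example and not part of the original page: a POSIX shell function that post-processes the text output of tcpdump -nn -r /home/udp.pcap (generic "UDP, length N" lines) and flags every second whose packet count or byte volume exceeds a threshold, instead of only counting packets per second as the command in step b does. The thresholds, the IP addresses and the sample capture are constructed assumptions; a threshold of 100 packets per second is chosen as ten times the page's stated normal rate of ten 800-byte packets per second.

```shell
#!/bin/sh
# Added example (not from the original page). Reads tcpdump text lines such as
#   12:00:02.000149 IP 198.51.100.10.53 > 203.0.113.7.40000: UDP, length 1460
# and prints, for each second over the limits: <HH:MM:SS> <packets> <bytes> <top destination>.
# Usage on a real capture:  tcpdump -nn -r /home/udp.pcap | flag_udp_bursts 100 1000000
flag_udp_bursts() {
    awk -v pps="${1:-100}" -v bps="${2:-1000000}" '
    /UDP, length/ {
        split($1, t, "."); sec = t[1]              # timestamp truncated to the second
        dst = $5; sub(/:$/, "", dst)               # "203.0.113.7.40000:" -> "203.0.113.7.40000"
        sub(/\.[0-9]+$/, "", dst)                  # strip the UDP port -> "203.0.113.7"
        len = $NF + 0                              # UDP payload length
        pkts[sec]++; bytes[sec] += len
        per_dst[sec, dst] += len
        if (per_dst[sec, dst] > top[sec]) { top[sec] = per_dst[sec, dst]; top_dst[sec] = dst }
    }
    END {
        for (s in pkts)
            if (pkts[s] > pps || bytes[s] > bps)
                printf "%s %d %d %s\n", s, pkts[s], bytes[s], top_dst[s]
    }' | sort
}

# Constructed sample capture: one normal second (three 800-byte packets to
# different hosts) followed by one second with 150 1460-byte packets to a single host.
sample_capture() {
    i=0
    while [ "$i" -lt 3 ]; do
        printf '12:00:01.00000%d IP 198.51.100.10.53 > 192.0.2.%d.40000: UDP, length 800\n' "$i" $((20 + i))
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 150 ]; do
        printf '12:00:02.%06d IP 198.51.100.10.53 > 203.0.113.7.40000: UDP, length 1460\n' "$i"
        i=$((i + 1))
    done
}

# Stand-alone run: only the burst second is reported.
sample_capture | flag_udp_bursts 100 1000000
```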

According to step 3, the checked device is sending dozens of 1460-byte UDP data packets per second to another IP address, which is far more than the normal traffic. This indicates that the device is likely being used as an amplifier for UDP reflection attacks.

According to step b, the number of UDP connections per second is more than 50,000, indicating that the services provided by the device are used by attackers to launch UDP amplification attacks. So, necessary protection measures must be taken to prevent server resources from being exhausted by attack traffic.