Distributed denial-of-service (DDoS) attacks have become one of the most serious security threats to the Internet, causing massive service disruptions. Most DDoS attacks use either the transmission control protocol (TCP) or the user datagram protocol (UDP) as the flooding vehicle. Techniques exist to mitigate TCP attacks by exploiting the handshake characteristics of TCP applications. UDP, however, does not provide the reliability and ordering guarantees that TCP does: datagrams may arrive out of order or go missing without notice. Without the overhead of checking that every packet actually arrived, UDP is faster and more efficient for many lightweight or time-sensitive purposes, but it also maintains no connection state against which flooding traffic could be checked. UDP attacks are thus elusive, and reliable detection metrics that can be implemented under current technology constraints are rarely mentioned in the research community.
UDP attacks are mainly bandwidth consumption attacks, and since this traffic type generally uses a small share of the bandwidth, sudden changes in the transferred UDP bytes/sec are commonly taken as indications of attacks. Traditionally, the ratio of incoming to outgoing traffic, the total traffic volume and the distribution patterns are the common detection metrics. The intuition behind these metrics is that, although UDP traffic lacks the clear symmetry of TCP, there is still a fairly stable, site-dependent behavior that depends on the presence of DNS, NFS, streaming servers and so on. In practice, however, these metrics generate many false alarms. To lower the false alarm rate of UDP attack detection, ICMP streams are sometimes considered as well, because a UDP attack usually produces a reverse ICMP stream (typically ICMP destination unreachable/port unreachable messages sent by the target for datagrams that arrive at closed ports). However, the ICMP data may be unavailable if the attacked server does not respond to the attack packets: the attacker may target an IP address that is not assigned to any host; the attacked host may be down; the Internet access link of the attack target may be unavailable; or the attack traffic may be filtered.
On the other hand, a network administrator who knows the network's behavior from experience can define a clear policy, in terms of upper and lower thresholds derived from the statistical reports, of what does and does not constitute normal behavior. In practice these thresholds cannot be very tight, or they produce a high rate of false positives. Based on the total traffic volume and distribution patterns, a visible ramp-up could be expected during an attack. Unfortunately, this is not always the case, especially on high-bandwidth links where the aggregated attack stream is still a small percentage of the total and stays below any threshold loose enough to tolerate normal variation. Moreover, for unidirectional UDP traffic, such as audio/video broadcasting applications, the ratio metric fails completely to detect UDP flood attacks, since one direction carries little or no traffic, and no efficient and effective solution exists for this particular situation.
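As an added illustration (not code from the paper), the three metrics of the previous paragraph, that is UDP byte volume, incoming/outgoing ratio and the reverse ICMP stream, can be computed over fixed time windows and compared against thresholds calibrated from baseline windows, as the policy described above suggests. The two constructed traffic scenarios are assumptions chosen to make the failure modes visible: a site with a DNS server, where all three metrics fire during a flood to closed ports, and a site receiving a unidirectional video feed on a high-bandwidth link, where a flood to an unassigned address draws no ICMP, adds only a few percent to the volume, and leaves the (already undefined) ratio unchanged. The flow records, byte counts, window size and slack factor are all constructed for the example.

```python
"""Windowed UDP flood metrics (volume, in/out ratio, reverse ICMP) over
constructed flow records. Added illustration, not from the paper; all flow
values and thresholds are assumptions chosen to make the cases visible."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: float            # arrival time in seconds
    proto: str           # "udp" or "icmp"
    direction: str       # "in" = toward the monitored site, "out" = leaving it
    nbytes: int
    icmp_type: int = -1  # ICMP type (3 = destination unreachable); -1 if not ICMP
    icmp_code: int = -1  # ICMP code (3 = port unreachable); -1 if not ICMP


@dataclass
class WindowStats:
    udp_in_bytes: int = 0
    udp_out_bytes: int = 0
    icmp_port_unreach_out: int = 0   # reverse ICMP stream emitted by the site

    @property
    def ratio(self) -> float:
        # incoming/outgoing UDP byte ratio; undefined (inf) when nothing flows out
        return float("inf") if self.udp_out_bytes == 0 else self.udp_in_bytes / self.udp_out_bytes


def window_stats(flows, window=1.0):
    """Aggregate flows into fixed windows (bytes per window = bytes/sec for window=1)."""
    buckets = defaultdict(WindowStats)
    for f in flows:
        s = buckets[int(f.ts // window)]
        if f.proto == "udp":
            if f.direction == "in":
                s.udp_in_bytes += f.nbytes
            else:
                s.udp_out_bytes += f.nbytes
        elif f.proto == "icmp" and f.direction == "out" and (f.icmp_type, f.icmp_code) == (3, 3):
            s.icmp_port_unreach_out += 1
    return dict(sorted(buckets.items()))


def calibrate(stats, baseline_windows, slack=2.0):
    """Upper thresholds from baseline windows, loosened by `slack` so that
    normal variation does not alarm (the thresholds cannot be very tight)."""
    upper_bytes = max(stats[w].udp_in_bytes for w in baseline_windows) * slack
    ratio_max = max(stats[w].ratio for w in baseline_windows) * slack
    return upper_bytes, ratio_max


def detect(stats, upper_bytes, ratio_max, icmp_min=10):
    """Per-window set of metric names whose threshold was crossed."""
    alarms = {}
    for w, s in stats.items():
        fired = set()
        if s.udp_in_bytes > upper_bytes:
            fired.add("volume")
        if s.ratio > ratio_max:
            fired.add("ratio")
        if s.icmp_port_unreach_out >= icmp_min:
            fired.add("icmp")
        alarms[w] = fired
    return alarms


def make_flows(win, n, nbytes, proto="udp", direction="in", icmp=(-1, -1)):
    """n evenly spaced constructed flows inside window number `win`."""
    return [Flow(win + i / n, proto, direction, nbytes, *icmp) for i in range(n)]


def dns_site_flows():
    """Constructed: symmetric DNS query/response traffic in every window, plus in
    window 2 a 500-datagram flood to closed ports, each answered with ICMP 3/3."""
    flows = []
    for w in (0, 1, 2):
        flows += make_flows(w, 50, 80, direction="in")     # queries
        flows += make_flows(w, 50, 200, direction="out")   # responses
    flows += make_flows(2, 500, 1000, direction="in")
    flows += make_flows(2, 500, 56, proto="icmp", direction="out", icmp=(3, 3))
    return flows


def feed_receiver_flows():
    """Constructed: site receiving a unidirectional video feed (inbound only).
    Window 2 adds a flood to an unassigned address (no host replies, so no ICMP)
    worth 5% of the link."""
    flows = []
    for w in (0, 1, 2):
        flows += make_flows(w, 1000, 1300, direction="in")
    flows += make_flows(2, 50, 1300, direction="in")
    return flows


def run(flows, baseline_windows=(0, 1), attack_window=2):
    """Calibrate on the baseline windows, then report alarms for the attack window."""
    stats = window_stats(flows)
    upper, rmax = calibrate(stats, baseline_windows)
    alarms = detect(stats, upper, rmax)
    return alarms[attack_window], {w: alarms[w] for w in baseline_windows}


if __name__ == "__main__":
    for name, flows in (("dns site", dns_site_flows()), ("feed receiver", feed_receiver_flows())):
        attack, baseline = run(flows)
        print(f"{name}: baseline alarms {baseline}, attack-window alarms {attack or 'none'}")
```

In the DNS scenario the attack window crosses the volume and ratio thresholds and also shows a burst of port-unreachable messages, so the ICMP stream corroborates the alarm. In the feed-receiver scenario the ratio is infinite before and during the flood (nothing ever leaves), no ICMP is generated because the target address has no host, and the 5% volume increase stays well inside the slack the administrator had to allow, so no metric fires; tightening the slack enough to catch it would alarm on ordinary jitter in the baseline.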