"It depends on the network." is really the only answer. It's the kind of thing that happens quietly and often can be transient in nature (e.g. temporary "big stick" filters to deal with an active attack).

As far as the reason it happens to UDP: UDP is a challenge because it's easy to leverage for reflection attacks where the source IP is spoofed to be the target. The major targets are small services that are typically left open on host systems. The big ones being NTP, DNS, and more recently SSDP (universal plug and play left open on consumer routers). Once in a while you see some really old protocols open like CHARGEN, but these are less common.

The ones like NTP and DNS are popular because a small request can trigger a large response (e.g. amplification attack) if services are not appropriately locked down on the host. A while back a big one a lot of people were caught off guard by was the NTP MONLIST function, which resulted in up to a 500:1 amplification.

Hopefully rate limiting UDP traffic is something that doesn't happen often, and when people do rate-limit it they ideally limit the scope to known problem protocols (like NTP and DNS) and base limits such that normal use shouldn't be a problem. That said, I'm sure there are some who just rate-limit everything (likely arguing that UDP is "mostly peer-to-peer anyway"). It's a bad practice no doubt.

TCP is still vulnerable to some level of reflection, but these are generally easy to mitigate, and because the setup and teardown for TCP is so small, not very effective for denial of service. There isn't much that happens traffic-wise until the source address has confirmed a connection, which is what avoids spoofing being as big of a problem with TCP as it is for UDP. Similarly, ICMP is generally not a problem because ICMP responses are small by design.

On Mon, Jul 27, 2015 at 10:12 AM, Glen Kent <glen.kent@gmail.com> wrote:
> Hi,
>
> Is it true that UDP is often subjected to stiffer rate limits than TCP? Is there a reason why this is often done? Is this because UDP is stateless and any script kiddie could launch a DoS attack with a UDP stream?
>
> Given the state of affairs these days, how difficult is it going to be for somebody to launch a DoS attack with some other protocol?
>
> Glen
-- 
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526 F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
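The reply above argues for scoping UDP limits to the known reflector protocols rather than throttling all UDP. One way an operator can find which of their own hosts are actually acting as amplifiers is to compare request and response byte counts per service in flow records; the script below does that for the ports the thread names. This is an added example, not code from the thread or its authors; the flow records and the 10:1 threshold are constructed for illustration.

```python
"""Flag UDP services whose replies are much larger than the requests they
answer, i.e. likely open reflectors/amplifiers on the operator's network.
Added example; flow records below are constructed, not real captures."""
from collections import defaultdict

# Services named in the thread as common reflection targets
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP", 19: "CHARGEN"}

# Constructed flow records: (proto, src, sport, dst, dport, bytes)
FLOWS = [
    # small monlist-style requests, spoofed "victim" -> local NTP server
    ("udp", "198.51.100.7", 50000, "192.0.2.10", 123, 234),
    ("udp", "192.0.2.10", 123, "198.51.100.7", 50000, 48000),
    # ordinary NTP time sync: request and reply are the same size
    ("udp", "192.0.2.55", 123, "192.0.2.10", 123, 76),
    ("udp", "192.0.2.10", 123, "192.0.2.55", 123, 76),
    # DNS query of 64 bytes answered with a 3100 byte response
    ("udp", "203.0.113.9", 40001, "192.0.2.53", 53, 64),
    ("udp", "192.0.2.53", 53, "203.0.113.9", 40001, 3100),
    # TCP is ignored: the handshake already validated the source
    ("tcp", "203.0.113.9", 40002, "192.0.2.53", 53, 5000),
]


def amplification_by_service(flows, ratio_threshold=10.0):
    """Return {(server_ip, port, service_name): worst_ratio} for UDP
    services where reply bytes / request bytes >= ratio_threshold."""
    req = defaultdict(int)   # (server, port, client) -> request bytes
    resp = defaultdict(int)  # (server, port, client) -> response bytes
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dport in REFLECTOR_PORTS:      # client -> service
            req[(dst, dport, src)] += nbytes
        if sport in REFLECTOR_PORTS:      # service -> client
            resp[(src, sport, dst)] += nbytes
    flagged = {}
    for (server, port, client), sent in resp.items():
        asked = req.get((server, port, client), 0)
        # Unsolicited large replies (no request seen) are treated as infinite
        ratio = sent / asked if asked else float("inf")
        if ratio >= ratio_threshold:
            key = (server, port, REFLECTOR_PORTS[port])
            flagged[key] = max(ratio, flagged.get(key, 0.0))
    return flagged


if __name__ == "__main__":
    for (server, port, name), ratio in sorted(amplification_by_service(FLOWS).items()):
        print(f"{name:8s} {server}:{port} amplification ~{ratio:.0f}:1")
```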