DEV Community

Discussion on: TCP and UDP did you ever use them directly?

Tobias Nickel

Yes, I am very interested actually in defending from attacks, and the best is to know and understand how attackers can work.

With UDP you mostly can only go for some network services, right? The web server is TCP, so just drop the messages.

I was wondering if I could not send a response to an attacker with my Node.js web server (not even the TCP termination). But it would also keep the connection open on my side as well. When closing in any way, the attacker gets an 'end' package.

ecyrbe

You do not do this at application level, so not with Node.js.
DDoS detection/protection can be implemented at kernel level with iptables: javapipe.com/blog/iptables-ddos-pr...

Slavius

UDP can get very nasty when it comes to DDoS. You can use a so-called amplification attack to DDoS servers/infrastructure. The fact that UDP is stateless means, compared to TCP, that no prior connection establishment is needed to force the remote end to process received UDP data packets. In a firewall you can define rules so that all TCP packets that did not follow an already established connection (called in TCP a 3-way handshake) are dropped immediately.
Let's get back to the amplification. By finding a misconfigured DNS server that responds with large data (a DNS UDP packet can be up to 4096 bytes large), e.g. sending a full DNS zone response with lots of DNSSEC keys, you can craft a very small UDP DNS request that pretends to come from your victim's public IP address to the misconfigured DNS server, which will happily send the response to the victim due to the lack of state establishment in UDP. If you'd try this with TCP you'd have to first send a SYN packet, then receive a SYN/ACK (acknowledgement) from the remote end, followed by another ACK packet to the server before being able to send/request real data packets. Since you faked the victim's IP address, the server would send the SYN/ACK to the victim, resulting in the victim dropping the packet since it never initiated the connection in the first place, followed by the server closing the connection soon after due to the lack of a response to the handshake. This is not the case for UDP though, so with one packet of a few bytes forming a request you can force a misconfigured server to send a large response to the victim without any validation, hence the name "amplification".
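From the resolver operator's side, the pattern described above is visible as one "client" address that sends a handful of tiny requests and receives very large answers. The following is an added example (not code from this thread or from any project mentioned in it) that parses constructed per-query log records of the form `client_ip qtype request_bytes response_bytes` and flags addresses whose response-to-request byte ratio suggests they are the spoofed victim of reflection; the log format, thresholds and IPs are assumptions.

```python
"""Flag clients of a DNS resolver that look like spoofed amplification victims:
many small requests answered by large responses, all attributed to one source IP."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records (not real traffic), one per request/response pair:
# client_ip qtype request_bytes response_bytes
SAMPLE_LOG = """\
203.0.113.7 ANY 64 3900
203.0.113.7 ANY 64 4010
203.0.113.7 ANY 64 3875
203.0.113.7 ANY 64 3990
198.51.100.20 A 52 110
198.51.100.20 AAAA 52 132
192.0.2.44 TXT 60 1200
"""


@dataclass
class ClientStats:
    requests: int = 0
    req_bytes: int = 0
    resp_bytes: int = 0
    qtypes: set = field(default_factory=set)

    @property
    def amplification(self) -> float:
        """Bytes sent back per byte received; >1 means the server amplifies."""
        return self.resp_bytes / self.req_bytes if self.req_bytes else 0.0


def parse_log(text: str) -> dict:
    """Aggregate request/response sizes per client IP."""
    stats = defaultdict(ClientStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, qtype, req, resp = line.split()
        s = stats[ip]
        s.requests += 1
        s.req_bytes += int(req)
        s.resp_bytes += int(resp)
        s.qtypes.add(qtype)
    return dict(stats)


def find_suspected_victims(stats: dict, min_factor: float = 20.0, min_requests: int = 3) -> list:
    """Return IPs that are repeatedly receiving heavily amplified answers.
    A single large TXT answer is normal; a sustained high ratio is the signal."""
    return sorted(ip for ip, s in stats.items()
                  if s.requests >= min_requests and s.amplification >= min_factor)
```

Flagged addresses are candidates for per-client response rate limiting rather than blocking, since the address belongs to the victim, not the attacker.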

Farhan Yahya

Exactly, it works for some services.