UDP Flood Explained
Last updated: March 2025
What is UDP?
User Datagram Protocol (UDP) is a connectionless transport layer protocol. Unlike TCP, UDP does not establish a connection before sending data—it simply sends packets. This makes UDP fast but also easy to abuse. UDP is used for DNS, VoIP, gaming, and streaming where speed matters more than reliability.
What is a UDP Flood?
A UDP flood attack sends a massive volume of UDP packets to a target. The target's system must process each packet: check if a service is listening on the destination port, and respond with an ICMP "port unreachable" message if not. When flooded with millions of packets per second, the target exhausts bandwidth and CPU resources, becoming unavailable to legitimate users.
Why UDP Floods Are Effective
UDP requires no handshake, so attackers can send packets without any prior connection. Spoofing source IPs makes the traffic harder to block. The target cannot easily distinguish between legitimate and malicious UDP traffic. UDP floods are often amplified using reflection attacks (e.g., DNS amplification) where small requests generate large responses.
Common Targets
- Game servers (Minecraft, FiveM, etc.) that rely on UDP
- DNS servers
- VoIP infrastructure
- Any service with UDP listeners
How to Protect Against UDP Floods
Rate limit UDP traffic at the network edge. Use upstream DDoS mitigation that can filter traffic before it reaches your servers. Consider disabling UDP on ports that don't need it. Deploy sufficient bandwidth to absorb attacks—though this has limits against large volumetric attacks.
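The edge rate limiting described above can be sketched as a two-stage token bucket. This is an added example, not code from the original page. The class names, the 5 and 50 packets-per-second limits, and the sample traffic are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

class TokenBucket:
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst      # tokens/second, max stored tokens
        self.tokens, self.last = burst, 0.0

    def allow(self, now):
        # Refill for elapsed time, capped at burst, then spend one token per datagram.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class UdpEdgeLimiter:
    """Closed-port drop, then per-source limit, then aggregate per-port limit."""
    def __init__(self, per_src_pps, per_port_pps, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        # A production table needs eviction: spoofed sources grow it without bound.
        self.src = defaultdict(lambda: TokenBucket(per_src_pps, per_src_pps))
        self.port = defaultdict(lambda: TokenBucket(per_port_pps, per_port_pps))

    def decide(self, now, src_ip, dst_port):
        if dst_port not in self.allowed_ports:
            return "drop_closed_port"    # dropped at the edge, so the host sends no ICMP reply
        if not self.src[src_ip].allow(now):
            return "drop_src_rate"
        if not self.port[dst_port].allow(now):
            return "drop_port_rate"      # catches many-source floods the first stage misses
        return "accept"

def simulate():
    # Hypothetical limits: 5 pps per source, 50 pps per port, only UDP/53 exposed.
    lim = UdpEdgeLimiter(per_src_pps=5, per_port_pps=50, allowed_ports={53})
    # Constructed traffic (documentation address ranges): (time, source, dest port).
    packets = [(0.0, "198.51.100.7", 53)] * 100                     # one noisy source
    packets += [(0.0, f"203.0.113.{i}", 53) for i in range(200)]    # 200 distinct sources
    packets += [(0.0, "198.51.100.7", 9999)] * 20                   # port with no listener
    packets += [(0.0, "192.0.2.10", 53), (1.0, "192.0.2.10", 53)]   # legitimate client
    decisions = [lim.decide(t, s, p) for t, s, p in packets]
    return Counter(decisions), decisions[-2:]

if __name__ == "__main__":
    counts, legit = simulate()
    print(dict(counts), legit)
```

The legitimate client's first packet is dropped by the aggregate stage because the flood has already spent the port's budget. Local rate limiting protects the host but not the service, which is why filtering upstream still matters.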
Testing UDP Resilience
If you operate UDP-based services, stress test them to understand your capacity limits. Authorized testing helps identify weak firewall rules and bandwidth constraints. Always test only systems you own or have permission to test.