A web server is suffering from UDP flooding attacks. Which of the following is least likely to happen?
A. The source IP address of the ingress packets is spoofed.
B. The web server sends ICMP to inform the attacker the destination was unreachable.
C. The destination UDP port of the attack traffic doesn’t exist.
D. The firewall that protects the web server is free from UDP flooding attacks.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. The firewall that protects the web server is free from UDP flooding attacks.
If the UDP flood has a volume high enough to saturate the state table of the targeted server’s firewall, any mitigation that occurs at the server level will be insufficient as the bottleneck will occur upstream from the targeted device.
Attacking nonexistent UDP ports consumes more resources of the victim: the victim spends CPU cycles checking whether each targeted port is open, and the ICMP responses it generates consume additional bandwidth.
If the specified destination UDP port doesn’t exist on the server, it may notify the source by replying with ICMP messages. It’s also common for the UDP flooding attackers to spoof the source IP address to avoid the traffic of the victim’s ICMP replies.
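As an added illustration of the three traits discussed above (many spoofed sources, traffic aimed at closed UDP ports, and the ICMP replies the victim would generate), the following detector runs over constructed flow records; it is not part of the original post, and the sample addresses, the single listening UDP port (443) and the ICMP rate limit are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not from the original post):
# "<proto> <src_ip> <src_port> <dst_ip> <dst_port> <packets>"
SAMPLE_FLOWS = """\
udp 203.0.113.11 40001 198.51.100.10 53123 120
udp 203.0.113.12 40002 198.51.100.10 53124 120
udp 203.0.113.13 40003 198.51.100.10 53125 120
udp 203.0.113.14 40004 198.51.100.10 53126 120
udp 203.0.113.15 40005 198.51.100.10 53127 120
udp 192.0.2.5 51234 198.51.100.10 443 3
tcp 192.0.2.6 51235 198.51.100.10 443 40
"""

# Assumption: the web server only listens on UDP 443 (HTTP/3); other UDP ports are closed.
LISTENING_UDP_PORTS = {443}

def parse_flows(text):
    """Parse flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport, pkts = line.split()
        flows.append({"proto": proto, "src": src, "dst": dst,
                      "dport": int(dport), "pkts": int(pkts)})
    return flows

def udp_flood_stats(flows, listening_ports, window_s=10, icmp_limit_pps=10):
    """Per destination: UDP rate, share of packets hitting closed ports, distinct
    sources, and the ICMP port-unreachable replies the host would emit with and
    without a rate limit (icmp_limit_pps is an assumed host setting)."""
    acc = defaultdict(lambda: {"udp_pkts": 0, "closed_pkts": 0, "sources": set()})
    for f in flows:
        if f["proto"] != "udp":
            continue
        s = acc[f["dst"]]
        s["udp_pkts"] += f["pkts"]
        s["sources"].add(f["src"])
        if f["dport"] not in listening_ports:
            s["closed_pkts"] += f["pkts"]
    return {dst: {"udp_pps": s["udp_pkts"] / window_s,
                  "closed_ratio": s["closed_pkts"] / s["udp_pkts"],
                  "distinct_sources": len(s["sources"]),
                  "icmp_replies_unlimited": s["closed_pkts"],
                  "icmp_replies_limited": min(s["closed_pkts"], icmp_limit_pps * window_s)}
            for dst, s in acc.items()}

def is_udp_flood(dst_stats, min_pps=50, min_closed_ratio=0.9):
    """Flag a destination when a high UDP rate mostly targets closed ports."""
    return dst_stats["udp_pps"] >= min_pps and dst_stats["closed_ratio"] >= min_closed_ratio
```

The gap between the unlimited and rate-limited reply counts shows why hosts cap ICMP unreachable messages rather than answering every packet to a closed port.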
- Flooding and Amplification
- UDP flood attack (Wikipedia)
- What is a UDP flood attack?
- CA-1996-01: UDP Port Denial-of-Service Attack
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.