Because UDP has no handshake and no connection state, it is the protocol of choice for volumetric attacks and stealthy reconnaissance. Firewalls struggle to track UDP sessions, which makes UDP a persistent blind spot.
Attackers spoof the victim's IP and send requests to public UDP services (DNS, NTP, Memcached). The service replies to the victim with a payload much larger than the request, multiplying the attack traffic many times over.
💡 Pro-tip: Memcached amplification attacks can yield a 50,000x multiplier. Always ensure internal UDP services are never exposed to the public internet.
UDP scanning is notoriously slow and unreliable because closed ports may not reply, forcing Nmap to wait for ICMP timeouts to determine state.
Attackers fragment UDP packets to bypass shallow packet inspection firewalls. Since UDP has no sequence numbers, reassembly happens at the OS level, potentially triggering buffer overflow vulnerabilities.
⚠️ Rate-limiting ICMP 'Destination Unreachable' messages on your routers is critical. Attackers use these responses to map your internal UDP topology during stealth scans.
| Protocol | Port | Amplification Factor |
|---|---|---|
| DNS | 53 | ~50x |
| NTP | 123 | ~500x |
| Memcached | 11211 | ~50,000x |
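
A defender-side check for the reflection pattern described above, as an added example that is not part of the original page: it scans UDP flow records for the three services in the table and reports local services that answer a peer with a large byte ratio (abused reflector) and local hosts that receive replies they never requested (flood target). The flow tuple layout, the `analyze` name, the 10x threshold and the sample records (documentation address ranges) are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# UDP services from the table above.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 11211: "Memcached"}

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    ("203.0.113.9", 40000, "192.0.2.10", 11211, 60),     # request with spoofed source
    ("192.0.2.10", 11211, "203.0.113.9", 40000, 90000),  # oversized reply to the victim
    ("192.0.2.20", 53000, "198.51.100.53", 53, 70),      # ordinary DNS query
    ("198.51.100.53", 53, "192.0.2.20", 53000, 180),     # ordinary DNS answer
    ("198.51.100.7", 123, "192.0.2.30", 44000, 4400),    # NTP reply nobody asked for
    ("198.51.100.8", 123, "192.0.2.30", 44001, 4400),    # NTP reply nobody asked for
]

def analyze(flows, local_net, min_ratio=10.0):
    """Return (reflectors, victims) for the given UDP flow records.

    reflectors: (server, service, peer, ratio) for local services that sent a
                peer at least min_ratio times the bytes that peer sent them.
    victims:    {local_host: bytes} of replies from amplifier ports to hosts
                that sent no request to that server.
    """
    net = ipaddress.ip_network(local_net)
    is_local = lambda ip: ipaddress.ip_address(ip) in net
    req = defaultdict(int)   # (server, port, client) -> request bytes
    resp = defaultdict(int)  # (server, port, client) -> response bytes
    for src, sport, dst, dport, size in flows:
        if dport in AMPLIFIER_PORTS:      # server-to-server (53 -> 53) counts as a request
            req[(dst, dport, src)] += size
        elif sport in AMPLIFIER_PORTS:
            resp[(src, sport, dst)] += size
    reflectors, victims = [], defaultdict(int)
    for (server, port, client), sent in resp.items():
        asked = req.get((server, port, client), 0)
        if is_local(server) and asked and sent / asked >= min_ratio:
            reflectors.append((server, AMPLIFIER_PORTS[port], client, round(sent / asked, 1)))
        elif is_local(client) and not is_local(server) and asked == 0:
            victims[client] += sent
    return reflectors, dict(victims)
```

A reflector hit means one of your own services is exposed and should be firewalled or bound to an internal interface; a victim hit is a candidate for upstream filtering on the listed source ports.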