UDP Flood DDoS: Why Stateless Protocols Make Easy Attack Vectors

Tarık Arslan

Network Engineer

Feb 18, 2025 · 6 min read

UDP requires no handshake, no state, no authentication. That makes it the preferred tool for volumetric attackers aiming to saturate bandwidth.

Unlike TCP, UDP is connectionless. A server receiving a UDP packet on any port must process it — or at least decide to discard it — before knowing whether it's legitimate. Attackers send massive volumes of UDP packets to random ports, forcing the server to reply with ICMP 'destination unreachable' messages or simply collapse under the load.

Common UDP Flood Variants

  • Pure UDP flood: random ports, random payload, raw volume.
  • DNS flood: targeting UDP/53 specifically to exhaust your resolver.
  • CHARGEN / QOTD reflection: using legacy UDP services as amplifiers.
  • Fragmented UDP: sending fragments that can crash stateful inspection systems.

Detection and Mitigation

UDP floods are identifiable by their packet-per-second rate and traffic profile. Akarguard's scrubbing layer inspects UDP traffic at line rate, rate-limits packets from sources without a prior session context, and challenges protocols that should be using TCP (such as application-layer UDP masquerading).
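
One way to turn "packet-per-second rate and traffic profile" into a concrete check, as an added example that is not Akarguard's code: it buckets packet records per second and labels each window using the rate plus the entropy of destination ports. The thresholds, function names and sample records are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter, defaultdict

PPS_THRESHOLD = 5000      # assumed alert threshold; tune to your own baseline
ENTROPY_THRESHOLD = 8.0   # assumed, in bits; random-port traffic scores far higher

def port_entropy(ports):
    """Shannon entropy (bits) of the destination-port distribution."""
    total = len(ports)
    return sum(c / total * math.log2(total / c) for c in Counter(ports).values())

def classify_windows(packets, window=1.0):
    """Bucket (ts, src, dport, length) records per window and label each one."""
    buckets = defaultdict(list)
    for ts, _src, dport, _length in packets:
        buckets[int(ts // window)].append(dport)
    results = {}
    for idx, ports in sorted(buckets.items()):
        pps = len(ports) / window
        entropy = port_entropy(ports)
        top_port, top_count = Counter(ports).most_common(1)[0]
        if pps < PPS_THRESHOLD:
            label = "normal"
        elif entropy >= ENTROPY_THRESHOLD:
            label = "random-port flood"      # high rate spread over many ports
        elif top_port == 53 and top_count / len(ports) > 0.9:
            label = "dns flood"              # high rate concentrated on UDP/53
        else:
            label = "high-rate, unclassified"
        results[idx] = {"pps": pps, "entropy": round(entropy, 2), "label": label}
    return results

def build_sample():
    """Constructed records: 1 s baseline, 1 s random-port burst, 1 s UDP/53 burst."""
    rng = random.Random(7)
    pkts = [(i / 200, "198.51.100.10", 27015, 120) for i in range(200)]
    pkts += [(1.0 + i / 20000, f"203.0.113.{rng.randrange(1, 255)}",
              rng.randrange(1, 65536), 64) for i in range(20000)]
    pkts += [(2.0 + i / 20000, f"203.0.113.{rng.randrange(1, 255)}", 53, 80)
             for i in range(20000)]
    return pkts

if __name__ == "__main__":
    for idx, info in classify_windows(build_sample()).items():
        print(idx, info)
```

In production the same per-window counters would come from flow exports or interface statistics rather than per-packet records, since per-packet processing in Python cannot keep up with flood-level rates.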

Key metric

A 10 Gbps UDP flood contains roughly 7–14 million packets per second. Without hardware-level mitigation, a standard Linux server will drop connections well below this threshold.

Protecting UDP-Based Applications

If you run a UDP-based application — game servers, VoIP, DNS — you need protocol-aware scrubbing. Akarguard supports UDP proxy mode with challenge-response authentication so legitimate traffic is never blocked alongside the attack.

Tarık Arslan

Network Engineer at Akarguard
