In UDP Sessions, we found a large number of UDP sessions on port 80, as shown in the following figure:
These UDP sessions all come from the same source host, the destination host IP is fixed, and the packets flow in one direction only. We picked a few of the UDP sessions at random, and the UDP session reorganization function shows that they carry fields that are obviously filled with padding, as shown in the figure below:
Based on this, it is undoubtedly a DoS attack on UDP port 80. Hackers do this with two main considerations:
1. UDP is connectionless, so a large number of UDP packets can be sent, which consumes the network bandwidth of the attack target and produces a DoS effect.
2. UDP port 80 is less likely to be filtered. TCP port 80 carries HTTP, the most common application, so most operators and users permit TCP port 80 packets, while other uncommon ports are likely to be filtered by operators, by users' security devices, or by ACLs. An attack over UDP port 80 mainly takes advantage of the lack of rigor of many network administrators when they formulate security filtering policies. Many people permit port 80 without specifying the TCP or UDP protocol, so by default the device permits both TCP port 80 and UDP port 80. This gives hackers an opportunity.
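The three traits used in the analysis above (many UDP port 80 sessions between one fixed host pair, one-way traffic, padded payloads) can be checked mechanically over exported session records. The following is an added example, not part of the original analysis; the record layout, the sample sessions and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample session records (not from the original capture):
# (src_ip, dst_ip, proto, dst_port, pkts_to_dst, pkts_from_dst, payload)
SESSIONS = (
    [("192.0.2.10", "198.51.100.5", "udp", 80, 40, 0, b"A" * 512)] * 30
    + [("192.0.2.10", "198.51.100.5", "udp", 80, 35, 0, b"\x00" * 1024)] * 25
    + [("192.0.2.22", "198.51.100.5", "tcp", 80, 12, 14, b"GET / HTTP/1.1\r\n")] * 5
    + [("192.0.2.33", "198.51.100.9", "udp", 80, 3, 3, b"\x01\x02\x03\x04query")] * 2
)


def is_padding(payload, min_len=64, max_distinct=4):
    """Treat a long payload built from very few distinct byte values as filler."""
    return len(payload) >= min_len and len(set(payload)) <= max_distinct


def find_udp80_floods(sessions, min_sessions=20, min_padded_ratio=0.8):
    """Return host pairs with many one-way, mostly padded UDP/80 sessions.
    The thresholds are illustrative assumptions; tune them per network."""
    groups = defaultdict(list)
    for src, dst, proto, dport, fwd, rev, payload in sessions:
        if proto == "udp" and dport == 80:
            groups[(src, dst)].append((fwd, rev, payload))

    findings = []
    for pair, flows in groups.items():
        if len(flows) < min_sessions:
            continue
        # One-way: packets go to the destination and nothing comes back.
        one_way = all(fwd > 0 and rev == 0 for fwd, rev, _ in flows)
        padded = sum(is_padding(p) for _, _, p in flows) / len(flows)
        if one_way and padded >= min_padded_ratio:
            findings.append({
                "src": pair[0], "dst": pair[1], "sessions": len(flows),
                "packets": sum(fwd for fwd, _, _ in flows),
                "padded_ratio": round(padded, 2),
            })
    return sorted(findings, key=lambda f: f["sessions"], reverse=True)


if __name__ == "__main__":
    for finding in find_udp80_floods(SESSIONS):
        print(finding)
```

The legitimate TCP port 80 sessions and the small two-way UDP exchange in the sample are not flagged, which is the distinction a protocol-specific filtering rule for port 80 also needs to make.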