0

I am trying to write a program that detects a UDP DoS attack using C++ and WinPcap. What criteria can I use to identify such an attack? I have noticed many UDP DoS generator programs send the same payload over and over again, so I can probably detect that, but generating a random payload is exceedingly simple. Any ideas on what to do?

yohannist
  • Why not detect for quantity and rapidity? If you get more than _N_ amount of requests in less than _T_ amount of time then block the connection for a given/unlimited amount of time? – TheZ Aug 15 '12 at 19:29

1 Answer

0

I'm assuming that the UDP packets will have spoofed IP addresses. If you're not going to whitelist the requests so that you can test them for validity, then you may as well come up with a threshold above which you've decided it's "probably" a DoS attack.

Marcus Adams
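The threshold approach from the answer above, combined with the "more than N packets in T seconds" rule from the comment on the question, as an added example that is not part of the original post or of any WinPcap code. It skips the capture and parsing step (WinPcap would hand you raw frames) and works on a constructed trace of already-parsed UDP packets; the limits (100 packets per source, 500 per destination port, a 1 s window, 50 repeats of one payload) and the addresses are assumptions chosen for the example. It also covers the spoofing caveat in the answer: the per-source rule never fires when every packet carries a fresh spoofed source, so the per-port aggregate rule is the one that still catches it.

```cpp
#include <algorithm>
#include <cstdint>
#include <deque>
#include <functional>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Stand-in for a UDP packet already parsed out of a capture (decoding the
// Ethernet/IP/UDP headers WinPcap gives you is not shown here).
struct UdpPacket {
    double      ts;      // capture timestamp, seconds
    uint32_t    src;     // source IPv4 address, host byte order
    uint16_t    dport;   // destination UDP port
    std::string payload; // UDP payload bytes
};

constexpr uint32_t ip4(uint32_t a, uint32_t b, uint32_t c, uint32_t d) {
    return (a << 24) | (b << 16) | (c << 8) | d;
}

// Sliding window for the "N in T" rule: keeps timestamps from the last
// window_s seconds and reports whether more than `limit` of them remain.
class RateWindow {
public:
    RateWindow(size_t limit, double window_s) : limit_(limit), window_(window_s) {}
    bool record(double ts) {  // packets must be fed in timestamp order
        times_.push_back(ts);
        while (ts - times_.front() > window_) times_.pop_front();
        return times_.size() > limit_;
    }
private:
    size_t limit_;
    double window_;
    std::deque<double> times_;
};

struct Verdict {
    std::set<uint32_t> flooding_sources;  // per-source N-in-T rule tripped
    std::set<uint16_t> flooded_ports;     // per-port aggregate rule tripped
    std::set<uint32_t> repeated_payload;  // one source repeating one payload
};

class UdpFloodDetector {
public:
    UdpFloodDetector(size_t per_src, size_t per_port, double window_s, size_t repeats)
        : per_src_(per_src), per_port_(per_port), window_(window_s), repeats_(repeats) {}

    void feed(const UdpPacket& p) {
        // Rule 1: too many packets from one source. Cheap, but a flooder that
        // spoofs a different source per packet never trips it.
        auto s = src_rate_.find(p.src);
        if (s == src_rate_.end()) s = src_rate_.emplace(p.src, RateWindow(per_src_, window_)).first;
        if (s->second.record(p.ts)) verdict_.flooding_sources.insert(p.src);

        // Rule 2: too many packets to one destination port regardless of
        // source. This still fires when the sources are spoofed.
        auto d = port_rate_.find(p.dport);
        if (d == port_rate_.end()) d = port_rate_.emplace(p.dport, RateWindow(per_port_, window_)).first;
        if (d->second.record(p.ts)) verdict_.flooded_ports.insert(p.dport);

        // Rule 3: same payload over and over from one source (the pattern the
        // question mentions). Evaded by random payloads, so a supporting signal only.
        size_t h = std::hash<std::string>()(p.payload);
        Payload& last = last_payload_[p.src];
        if (last.seen && last.hash == h) {
            if (++last.count >= repeats_) verdict_.repeated_payload.insert(p.src);
        } else {
            last.seen = true; last.hash = h; last.count = 1;
        }
    }
    const Verdict& verdict() const { return verdict_; }

private:
    struct Payload { bool seen; size_t hash; size_t count; Payload() : seen(false), hash(0), count(0) {} };
    size_t per_src_, per_port_;
    double window_;
    size_t repeats_;
    std::map<uint32_t, RateWindow> src_rate_;
    std::map<uint16_t, RateWindow> port_rate_;
    std::map<uint32_t, Payload> last_payload_;
    Verdict verdict_;
};

// Constructed trace (not captured data): a client querying port 53 every 0.5 s
// with varying payloads, a flooder sending 1000 identical packets to port 53 in
// the first second, and a spoofed flood of 600 one-packet sources to port 123.
std::vector<UdpPacket> sample_trace() {
    std::vector<UdpPacket> t;
    for (int i = 0; i < 10; ++i)
        t.push_back({0.5 * i, ip4(10, 0, 0, 5), 53, "query-" + std::to_string(i)});
    for (int i = 0; i < 1000; ++i)
        t.push_back({0.001 * i, ip4(203, 0, 113, 9), 53, std::string(64, 'A')});
    for (int i = 0; i < 600; ++i)
        t.push_back({1.0 + 0.001 * i, ip4(198, 51, 100, 0) + i, 123, "r" + std::to_string(i)});
    std::stable_sort(t.begin(), t.end(),
                     [](const UdpPacket& a, const UdpPacket& b) { return a.ts < b.ts; });
    return t;
}

// Thresholds (N=100 per source, 500 per port, T=1 s, 50 repeats) are assumptions.
Verdict run_sample() {
    UdpFloodDetector det(100, 500, 1.0, 50);
    for (const UdpPacket& p : sample_trace()) det.feed(p);
    return det.verdict();
}

int main() {
    Verdict v = run_sample();
    std::cout << "flooding sources: " << v.flooding_sources.size()
              << ", flooded ports: " << v.flooded_ports.size()
              << ", repeated-payload sources: " << v.repeated_payload.size() << "\n";
}
```

On the sample trace the per-source rule flags only 203.0.113.9, the per-port rule flags both 53 and 123 (the spoofed flood is invisible to the per-source rule because each address sends one packet), and the repeated-payload rule flags only the flooder that reuses its payload. In a live capture the same `feed` call would be made from the pcap callback once the UDP header has been parsed, and the flagged sources or ports would be handed to whatever blocking mechanism is in use.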