UDP reflection attacks exploit publicly accessible UDP services to amplify malicious traffic toward a target. Attackers send spoofed requests to vulnerable services, which then respond with significantly larger payloads directed at the victim. Anti-DDoS Proxy mitigates these attacks by blocking traffic on commonly exploited UDP ports.
After you configure a UDP port forwarding rule, Anti-DDoS Proxy blocks a predefined set of ports that are commonly targeted for UDP reflection attacks. If the default settings disrupt your operations or you want to customize the list of blocked ports, you can manually adjust the configuration. This topic describes how to configure the ports to block.
Prerequisites
An Anti-DDoS Proxy instance of the Enhanced function plan is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.
A UDP port forwarding rule is created on the Port Config page. For more information, see Configure port forwarding rules.
Usage notes
The UDP reflection attack mitigation feature is available only for Anti-DDoS Proxy instances with the Enhanced function plan.
If no UDP port forwarding rules are added on the Port Config page, or if only TCP port forwarding rules are present, Anti-DDoS Proxy discards all UDP traffic by default. In this case, you do not need to configure this feature. You only need to configure it after you create a UDP port forwarding rule.
When the UDP reflection attack mitigation feature is applied to an Anti-DDoS Proxy instance, the filtering policies take effect on all UDP port forwarding rules configured for the instance.
Once configured, the policy remains in effect indefinitely.
Default blocked ports
By default, Anti-DDoS Proxy blocks all ports listed in the One-click Filtering Policies. The following table lists the default blocked ports and the protocols commonly associated with UDP reflection attacks on those ports.
| Port | Protocol | Description |
|---|---|---|
| 17 | QOTD | Quote of the Day |
| 19 | CharGen | Character Generator |
| 69 | TFTP | Trivial File Transfer Protocol |
| 111 | RPC | Remote Procedure Call |
| 123 | NTP | Network Time Protocol |
| 137 | NetBIOS | NetBIOS Name Service |
| 161 | SNMP | Simple Network Management Protocol |
| 389 | LDAP/CLDAP | Lightweight Directory Access Protocol |
| 1194 | OpenVPN | OpenVPN |
| 1900 | SSDP | Simple Service Discovery Protocol |
| 3389 | RDP | Remote Desktop Protocol |
| 3702 | WS-Discovery | Web Services Dynamic Discovery |
| 11211 | Memcached | Memcached |
Procedure
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.
In the left-side navigation pane, choose Mitigation Settings > General Policies.
On the Protection for Infrastructure tab, select the instance that you want to manage from the list on the left. You can locate an instance by searching for its ID or description.
Navigate to the UDP Reflection Attack Mitigation section and click Settings.
In the Configure Filtering Policies for UDP Reflection Attacks panel, define the filtering policy by specifying the ports over which UDP reflection attacks may be launched, and click OK. Custom ports can be added only for ports that are not already in the One-click Filtering Policies list.
One-click Filtering Policies: This list includes common UDP reflection attack types and the ports over which the attacks are launched. Anti-DDoS Proxy blocks all ports in this list by default.
Custom Filtering Policy: Enter the ports over which you want Anti-DDoS Proxy to discard UDP traffic. The ports must be within the range of 0 to 65535. You can specify up to 20 ports. Separate multiple ports with commas (,).
Best practices
Check for port conflicts before adding UDP port forwarding rules. Before you create a UDP port forwarding rule on the Port Config page, check whether the ports you plan to forward overlap with the default blocked ports in the One-click Filtering Policies list. If they overlap, deselect those ports in the One-click Filtering Policies after you create the forwarding rule to ensure that legitimate traffic is not blocked.
Use custom filtering policies for non-standard threat ports. If your security monitoring identifies UDP reflection attack traffic on ports outside the default list, add those ports through the Custom Filtering Policy to block the traffic.
Assess the impact before changing filtering policies. Because filtering policies take effect on all UDP port forwarding rules configured for the instance, verify that changes to the blocked port list do not inadvertently disrupt legitimate services on other forwarding rules.
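The conflict check from the first best practice and the Custom Filtering Policy limits from the procedure, as an added pre-change check script. This is example code written for this page, not part of the Anti-DDoS Proxy product or console; it encodes the default blocked port table above and assumes the documented limits (ports 0 to 65535, at most 20 ports, comma separated, custom ports not already in the One-click list).

```python
# Added example (not Anti-DDoS Proxy code): a pre-change check for the
# UDP reflection attack mitigation settings. It flags default blocked ports
# that overlap with UDP ports you plan to forward, and validates a
# Custom Filtering Policy string against the documented limits.

# Default One-click Filtering Policies ports, copied from the table on this page.
DEFAULT_BLOCKED_PORTS = {
    17: "QOTD", 19: "CharGen", 69: "TFTP", 111: "RPC", 123: "NTP",
    137: "NetBIOS", 161: "SNMP", 389: "LDAP/CLDAP", 1194: "OpenVPN",
    1900: "SSDP", 3389: "RDP", 3702: "WS-Discovery", 11211: "Memcached",
}

MAX_CUSTOM_PORTS = 20  # documented limit for the Custom Filtering Policy


def forwarding_conflicts(forwarded_udp_ports) -> dict:
    """Return the default blocked ports that overlap with ports to be forwarded.

    These are the One-click Filtering Policies entries to deselect after the
    UDP forwarding rule is created; otherwise legitimate traffic is discarded.
    """
    return {p: DEFAULT_BLOCKED_PORTS[p]
            for p in forwarded_udp_ports if p in DEFAULT_BLOCKED_PORTS}


def parse_custom_policy(text: str) -> list:
    """Parse a comma-separated Custom Filtering Policy input.

    Raises ValueError for a non-numeric entry, a port above 65535, a port
    already covered by the One-click list, or more than 20 distinct ports.
    Duplicates are collapsed and order is preserved.
    """
    ports = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if not item.isdigit():
            raise ValueError(f"not a port number: {item!r}")
        port = int(item)
        if port > 65535:
            raise ValueError(f"port out of range 0-65535: {port}")
        if port in DEFAULT_BLOCKED_PORTS:
            raise ValueError(f"port {port} is already in the One-click list")
        if port not in ports:
            ports.append(port)
    if len(ports) > MAX_CUSTOM_PORTS:
        raise ValueError(f"too many ports: {len(ports)} > {MAX_CUSTOM_PORTS}")
    return ports


if __name__ == "__main__":
    # Constructed sample: forwarding OpenVPN plus a game server port.
    print(forwarding_conflicts([1194, 27015]))      # {1194: 'OpenVPN'}
    print(parse_custom_policy("5353, 27015, 5353"))  # [5353, 27015]
```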