Snort Rule from US-CERT to Protect Against DRDoS


Snort Rule from US-CERT to Protect Against DRDoS

mbohlmann
In case you missed the US-CERT notice, here is a link:

https://www.us-cert.gov/ncas/alerts/TA14-017A

"Overview
A Distributed Reflective Denial of Service (DRDoS) attack is a form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible UDP servers, as well as bandwidth amplification factors, to overwhelm a victim system with UDP traffic."

"Detect and alert on any non-stateful UDP packets. (A simple snort example is below. You will need to customize this approach to your environment with whitelist and known services.)"

"Simple Snort rule example for stateless UDP check
var HOME_NET [10.10.10.20]
preprocessor stream5_global: track_ip yes, track_tcp yes, track_udp yes, track_icmp no, max_tcp 262144, max_udp 131072
preprocessor stream5_ip: timeout 180
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor stream5_udp: timeout 180, ignore_any_rules
# sid 1001: a HOME_NET host sending UDP from an ephemeral port (1024 and up) starts a session; set the flowbit silently
alert udp $HOME_NET 1024: -> any any (msg:"UDP Session start"; flowbits:set,logged_in; flowbits:noalert; sid:1001;)
# sid 1002: UDP arriving at a HOME_NET ephemeral port on a session that was never started from inside is unsolicited
alert udp any any -> $HOME_NET 1024: (msg:"UDP Stateless"; flowbits:isnotset,logged_in; sid:1002;)"
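To make the flowbits logic concrete, here is an added Python model (not from the post, US-CERT, or Snort) that replays the two rules over a constructed packet list. The HOME_NET value and the 1024: port range are taken from the quoted configuration; the direction-agnostic session key is an assumption about how stream5 tracks UDP, and the 180-second session timeout is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Values taken from the quoted rules: HOME_NET and the "1024:" port range.
HOME_NET = [ip_network("10.10.10.20/32")]
EPHEMERAL_MIN = 1024

@dataclass(frozen=True)
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int

def in_home_net(addr: str) -> bool:
    return any(ip_address(addr) in net for net in HOME_NET)

def stateless_udp_alerts(packets):
    """Replay the two-rule flowbits pair over an ordered packet list.

    sid 1001: a HOME_NET host sending from port >= 1024 marks the UDP
    session 'logged_in' (flowbits:set, no alert).
    sid 1002: UDP arriving at a HOME_NET port >= 1024 on a session that
    was never marked fires "UDP Stateless".
    Session expiry (stream5_udp timeout 180) is deliberately not modelled.
    """
    logged_in = set()  # session keys, direction-agnostic like stream5 (assumed)
    alerts = []
    for p in packets:
        session = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if in_home_net(p.src) and p.sport >= EPHEMERAL_MIN:
            logged_in.add(session)
        if in_home_net(p.dst) and p.dport >= EPHEMERAL_MIN \
                and session not in logged_in:
            alerts.append(("UDP Stateless", p))
    return alerts

# Constructed sample traffic (documentation-range addresses, not real hosts):
SAMPLE_PACKETS = [
    UdpPacket("10.10.10.20", 40000, "203.0.113.53", 53),   # outbound DNS query
    UdpPacket("203.0.113.53", 53, "10.10.10.20", 40000),   # matching reply: no alert
    UdpPacket("198.51.100.7", 123, "10.10.10.20", 45000),  # unsolicited reflected UDP
    UdpPacket("198.51.100.7", 19, "10.10.10.20", 500),     # dport < 1024: outside the rule
]

if __name__ == "__main__":
    for msg, p in stateless_udp_alerts(SAMPLE_PACKETS):
        print(f"[sid 1002] {msg}: {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

The fourth packet shows the rule's blind spot that the notice's "customize with whitelist and known services" caveat points at: inbound UDP to ports below 1024 is never evaluated by sid 1002.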

Re: Snort Rule from US-CERT to Protect Against DRDoS

user8446
Administrator
Thanks for that... the services > intrusion prevention > custom rules would be the perfect place to put those two rules for users that have public facing networks.
Running in bridge mode, 1.51 SP1 fw