6 votes

I've read that several browser plugins support UDP sockets (e.g. Java, Unity), however the most popular plugin, Flash, doesn't support UDP sockets!? And neither does my favorite, Silverlight.

Now, I know that Silverlight 4.0 Beta has Multicast UDP sockets, but these are useless on the public internet, which is where I want to use the stuff I build for an in-browser application. And I know that Flash 10 has RTMFP, but still this doesn't work as a UDP unicast socket.

So, I've heard some theories that UDP is a security risk, but I don't really understand how it's more of a risk than TCP, or how a policy server doesn't relieve the risk. Please, someone explain to me what's going on here. Thank you.


1 Answer

5 votes

The dangerous part of UDP is that, unlike TCP/IP, it doesn't do any handshaking. Effectively this means that an attack app could be built that floods a local network with UDP packets. I think it would be hard to construct a policy that could tell the difference between an attack app and a legitimate voice / video stream. Imagine this attack sourced inside the network: http://en.wikipedia.org/wiki/UDP_flood_attack. Even if you used the outbound IP address as a filter, the external server would have no trouble just ignoring the flood since there is no policy to enforce listening. The external server doesn't have to send anything at all back, only nice boxes will send back ICMP errors.

I also imagine there could be some pretty creative ways to overwhelm a firewall that supports UDP traversal.

A proxy style server can be used to convert UDP to TCP for security reasons. It's only cost effective for enterprise apps though.