NTRIP UDP Amplification Vector

Certain NTRIP casters, such as BKG Caster 2.0.39 and earlier, will send large responses to unauthenticated requests over UDP.

This can be used as a vector for amplified DDoS attacks. We recommend configuring your server so that it serves only authenticated streams over UDP and rejects SOURCETABLE requests.

You can test your server by sending it a UDP packet with the following payload: '0x80, 0x61, 0x04, 0xd2, 0x00, 0xbc, 0x61, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x47, 0x45, 0x54, 0x20, 0x2f, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, 0x0d, 0x0a, 0x0d, 0x0a'. If you get a large response, your configuration is vulnerable.

Please note that this example request is not entirely valid, as information such as the server hostname is not filled in. However, we have not seen any server that cares about this. If this is a problem for you, please refer to the NTRIPv2 standard on how to encode the payload.
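
The recommendation above, sketched as a filter for the first datagram of a UDP session (an added example, not code from BKG Caster or from this page's authors): it parses the test payload's 12-byte prefix as an RTP fixed header and rejects sourcetable requests and stream requests without credentials. `AUTHED`, `MOUNT1` and `caster.example` are constructed sample values, and treating `GET /` as the sourcetable request is an assumption drawn from the test payload above.

```python
import struct

# Test payload exactly as listed on this page: 12-byte RTP header + HTTP request.
PROBE = bytes([
    0x80, 0x61, 0x04, 0xd2, 0x00, 0xbc, 0x61, 0x4e, 0x00, 0x00, 0x00, 0x00,
    0x47, 0x45, 0x54, 0x20, 0x2f, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31,
    0x2e, 0x31, 0x0d, 0x0a, 0x0d, 0x0a,
])

# Constructed sample: request for a hypothetical mountpoint with credentials.
AUTHED = PROBE[:12] + (
    b"GET /MOUNT1 HTTP/1.1\r\n"
    b"Host: caster.example\r\n"
    b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n"
)


def parse_datagram(data):
    """Split a datagram into RTP fixed-header fields (RFC 3550) and payload."""
    if len(data) < 12:
        raise ValueError("shorter than the 12-byte RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    return {"version": b0 >> 6, "payload_type": b1 & 0x7F, "seq": seq,
            "timestamp": ts, "ssrc": ssrc, "payload": data[12:]}


def initial_request_policy(data):
    """Return 'reject' or 'allow' for a session-opening UDP datagram."""
    try:
        pkt = parse_datagram(data)
    except ValueError:
        return "reject"
    head, _, _ = pkt["payload"].partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    if pkt["version"] != 2 or len(parts) != 3 or parts[0] != b"GET":
        return "reject"  # not an RTP-framed HTTP GET
    if parts[1] == b"/":
        return "reject"  # sourcetable request: the large unauthenticated reply
    names = {ln.split(b":", 1)[0].strip().lower() for ln in lines[1:] if b":" in ln}
    if b"authorization" not in names:
        return "reject"  # stream request without credentials
    return "allow"  # header present only; the caster must still verify it
```

The filter looks only at the request that opens a session; once a request is allowed, the caster still has to validate the credentials before sending any stream data.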

The small online tester below generates a complete request: