Network Security

UDP (User Datagram Protocol)

UDP is the User Datagram Protocol, a lightweight transport protocol that sends data as independent datagrams without establishing a connection, acknowledging delivery, or guaranteeing order, trading reliability for low overhead and speed.

In plain terms

UDP is the fast, no-frills way to send data over a network. Unlike TCP, it does not set up a connection or check that anything arrived. It just fires packets and moves on, which is perfect for things like live video or games where speed matters more than catching every lost packet.

UDP, the User Datagram Protocol, is a transport-layer protocol that offers a minimal, connectionless way to send data between applications. Where TCP provides reliability through connections, acknowledgements, and retransmission, UDP deliberately omits all of that. It sends each message as an independent datagram, does not establish a session beforehand, does not confirm that datagrams arrive, and does not guarantee that they arrive in order or only once. In exchange for giving up these guarantees, UDP has very low overhead and latency, which makes it the right choice for applications that value speed and simplicity over assured delivery.

The protocol’s design is intentionally bare. A UDP datagram has a small header containing source and destination ports, a length, and a checksum, and then the data. There is no handshake to begin communication and no teardown to end it; an application simply sends datagrams to a destination address and port, and the receiver processes whatever arrives. If a datagram is lost, duplicated, or reordered by the network, UDP itself does nothing about it. Any application that needs reliability on top of UDP must implement it within the application itself, which some protocols do selectively to get reliability where they need it without TCP’s full cost.
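To make the header layout concrete, here is an added example (not part of the original article) that builds and parses a UDP datagram and verifies its checksum over the IPv4 pseudo-header; the addresses and payload are constructed sample values.

```python
import struct

def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> int:
    """RFC 768 ones'-complement checksum over the IPv4 pseudo-header plus the
    UDP segment. The checksum field inside udp_segment must be zero here."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp_segment))
    data = pseudo + udp_segment
    if len(data) % 2:
        data += b"\x00"                      # pad odd length for 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    csum = (~total) & 0xFFFF
    return csum or 0xFFFF                    # a computed 0 is sent as 0xFFFF

def build_udp(src_ip, dst_ip, sport, dport, payload):
    """Eight-byte header (ports, length, checksum) followed by the data."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload

def parse_udp(src_ip, dst_ip, segment):
    """Parse a UDP segment; rejects truncated data, bad lengths and a wrong checksum."""
    if len(segment) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError("bad length field")
    segment = segment[:length]               # ignore trailing link-layer padding
    if csum != 0:                            # 0 means the IPv4 sender opted out
        zeroed = segment[:6] + b"\x00\x00" + segment[8:]
        if udp_checksum(src_ip, dst_ip, zeroed) != csum:
            raise ValueError("checksum mismatch")
    return {"sport": sport, "dport": dport, "length": length, "payload": segment[8:]}
```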

UDP suits particular classes of traffic. Real-time applications such as voice and video calling, live streaming, and online gaming often prefer UDP because a packet that arrives late is useless anyway, and waiting for retransmission would cause stalls worse than a brief glitch. DNS queries traditionally use UDP because a lookup is a single small request and response where the overhead of establishing a TCP connection would be disproportionate. Other examples include network management protocols and time synchronization. In each case, the application either tolerates loss or handles it more efficiently than a general-purpose reliability layer would.

Like TCP, UDP uses ports to direct datagrams to the correct application, and a service is identified by its IP address and port. However, because UDP is connectionless, there is no established session for a firewall or monitoring system to track in the same way as TCP. This statelessness has security implications: it makes filtering decisions less straightforward, and it makes UDP easy to spoof, since no handshake forces the sender to complete a round trip from a real source address.

The security relevance of UDP centers heavily on spoofing and amplification. Because a sender does not have to establish a connection, it is easy to forge the source address of a UDP datagram. Attackers exploit this in reflection and amplification denial-of-service attacks: they send small UDP requests with a spoofed source address to servers that reply with much larger responses, causing those servers to flood the victim whose address was forged. Protocols that return large responses to small queries have been abused this way, making certain UDP services attractive amplifiers if left open to the internet. UDP floods, which simply send large volumes of datagrams to overwhelm a target, are another common denial-of-service technique.

Defending UDP traffic therefore emphasizes controlling exposure and validating sources. Services that do not need to be reachable from the internet should not be, and those that must be exposed should be configured to limit their potential as amplifiers. Rate limiting, source validation where possible, and dropping unsolicited UDP at network boundaries all reduce abuse. Because UDP carries no inherent encryption or authentication, protocols that need confidentiality and integrity layer them on top, as DNS does with DNS over TLS or DNS over HTTPS and as modern transport designs do by building secure, reliable communication over UDP rather than TCP.
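As an added example (not from the original article), the following code illustrates two of the defences discussed for the amplification problem above: measuring how strongly an exposed UDP service amplifies (response bytes divided by request bytes per service port) and admitting inbound UDP at a boundary only when a recent outbound datagram matches it, as a stateful firewall does. The local prefix, timeout and flow records are constructed sample values.

```python
from collections import defaultdict

OUR_NET = "192.0.2."   # assumed local prefix (placeholder)
TIMEOUT = 30.0         # seconds an outbound datagram keeps its reverse path open

class UdpTracker:
    """Stateful UDP filtering: an inbound datagram is admitted only if it reverses
    a recently seen outbound datagram; anything else is unsolicited and dropped."""
    def __init__(self):
        self.sessions = {}

    def outbound(self, src, sport, dst, dport, now):
        self.sessions[(dst, dport, src, sport)] = now   # key = expected reply tuple

    def admit_inbound(self, src, sport, dst, dport, now):
        last = self.sessions.get((src, sport, dst, dport))
        return last is not None and now - last <= TIMEOUT

def amplification_factors(flows):
    """Per local service port: bytes our service sent out / bytes it received.
    flows are (src_ip, sport, dst_ip, dport, nbytes) records."""
    inb, outb = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, n in flows:
        if dst.startswith(OUR_NET):
            inb[dport] += n          # request arriving at our service
        elif src.startswith(OUR_NET):
            outb[sport] += n         # response leaving our service
    return {port: outb[port] / inb[port] for port in inb if inb[port]}

def suspected_amplifiers(flows, threshold=10.0):
    """Service ports whose responses are at least `threshold` times their requests."""
    return sorted(p for p, f in amplification_factors(flows).items() if f >= threshold)

# Constructed sample flows: a 60-byte query to port 123 answered with 4500 bytes,
# and a 70-byte query to port 53 answered with 300 bytes.
FLOWS = [
    ("203.0.113.7", 40001, "192.0.2.10", 123, 60),
    ("192.0.2.10", 123, "203.0.113.7", 40001, 4500),
    ("198.51.100.4", 5000, "192.0.2.10", 53, 70),
    ("192.0.2.10", 53, "198.51.100.4", 5000, 300),
]

if __name__ == "__main__":
    print("amplification factors:", amplification_factors(FLOWS))
    print("suspected amplifiers:", suspected_amplifiers(FLOWS))
```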

In practice, UDP is the lean counterpart to TCP, chosen when low latency and minimal overhead matter more than guaranteed delivery. It powers real-time media, DNS, and other latency-sensitive or lightweight exchanges, while leaving reliability and security to the application or to protocols built above it. Its connectionless, easily spoofed nature makes it both efficient and a favored tool for amplification attacks, so understanding UDP means appreciating both why it is fast and why exposed UDP services need careful control.
