Computer Network 📂 Transport Layer · 2 of 4 45 min read

UDP Explained

Master UDP — the minimalist transport protocol powering DNS, VoIP, gaming, DHCP, NTP, and 30% of web traffic via QUIC. Features an interactive clickable header diagram (all 4 fields with deep explanations), animated DNS query flow showing zero-handshake operation, a live three-flow animation for VoIP/gaming/streaming packet loss handling, checksum mechanics, amplification attacks, and 7 golden rules.

Section 01

UDP — The Minimalist of the Transport Layer

Shouting Across a Busy Market vs Sending a Registered Letter
Imagine two ways to tell someone across a crowded market that lunch is ready. You could shout it — fast, zero effort, no confirmation, and if they did not hear you, you simply shout again. Or you could write a registered letter with a tracked courier, signed delivery confirmation, and a guaranteed arrival time.

The registered letter is TCP. The shout is UDP. Neither is wrong — they serve completely different situations. The registered letter is absurd for "lunch is ready." The shout is absurd for a legal contract.

Every time you ask Alexa a question, play an online game, make a video call, or your browser resolves a domain name — you are using the shout. UDP carries more Internet traffic than most people realise, precisely because its simplicity is its superpower.

UDP (User Datagram Protocol), defined in RFC 768 (1980), is one of the two main transport-layer protocols alongside TCP. Where TCP provides reliable, ordered, flow-controlled delivery through a complex state machine, UDP provides exactly one thing beyond raw IP: port-based demultiplexing so the OS knows which application to hand the packet to. Everything else — reliability, ordering, retransmission, flow control — is left entirely to the application developer.

📌
The Design Philosophy: Radical Simplicity

Jon Postel designed UDP in just 3 pages. The entire specification is shorter than the TCP error-handling section alone. The premise: if the application knows better than the transport layer what guarantees it needs — get out of the way. A live video stream does not need retransmission — a late frame is worse than a missing one. A DNS query does not need a 3-way handshake — it just needs to ask one question and get one answer. UDP lets applications do exactly what they need, nothing more.

📶 UDP Core Properties at a Glance
Connectionless
No handshake, no state, no setup. Send immediately. The first datagram carries real data — not negotiation overhead.
Unreliable
No acknowledgements, no retransmission, no duplicate detection. Packets may be lost, reordered, or duplicated. The application decides how to handle this.
Unordered
Datagrams may arrive in a different order than they were sent. No sequence numbers. Applications that need ordering must implement it themselves (RTP does this for media streams).
Lightweight
8-byte header vs TCP's 20–60 bytes. No connection state per-flow — a server can handle millions of UDP clients without keeping per-connection memory. Critical at DNS scale.
Broadcast / Multicast
UDP supports sending one packet to all machines on a subnet (broadcast) or a subscribed group (multicast). TCP's point-to-point model makes this structurally impossible. DHCP, routing protocols, and mDNS depend on this.
Low Latency
No round-trip for setup, no wait for ACK before sending next datagram, no head-of-line blocking. Latency is bounded only by the network — not by the protocol. Online gaming requires sub-20ms reaction; TCP's retransmission delays are unacceptable.

Section 02

The UDP Header — Just 8 Bytes, Every Bit Matters

The UDP header is the smallest possible header that still makes a transport protocol functional. At exactly 8 bytes (64 bits), it contains only four fields — each 16 bits wide. Compare this to TCP's 20–60 byte header with 11 fields and a complex options mechanism. That 12-byte difference matters enormously at scale: a DNS server handling 10 million queries per second saves 120 MB/s of header overhead compared to TCP.

📋 UDP Header — Interactive Field Diagram (Click to Explore)
👉 Click any field in the diagram above
UDP has only four fields — each 16 bits wide. Together they are exactly 64 bits (8 bytes). Click each coloured field to understand what it does and why it exists.

💡 The entire UDP header is one 32-bit row repeated twice: Row 1 = Source Port + Destination Port. Row 2 = Length + Checksum. This means the header can be parsed in a single 64-bit read on modern hardware — contributing to UDP's speed.

Field Reference Table

FieldSizeOffsetOptional?Purpose
Source Port16 bitsByte 0 Optional (can be 0) Identifies the sending application. Set to 0 if the sender needs no reply.
Destination Port16 bitsByte 2 Required Routes the datagram to the correct socket on the receiver. The demultiplexing key.
Length16 bitsByte 4 Required Total datagram size in bytes (header + data). Min = 8. Max = 65535.
Checksum16 bitsByte 6 Optional IPv4, mandatory IPv6 One's complement error detection. Covers header + data + IP pseudo-header.

Section 03

UDP vs TCP — When to Use Each

📤 UDP — Choose When
ScenarioWhy UDP Wins
Live video / VoIPLate retransmit is worse than a missing frame
DNS queriesOne request, one reply — handshake is wasteful
Online gamingSub-20ms latency — TCP retransmit kills it
DHCP / BOOTPMust broadcast — TCP cannot broadcast
IoT telemetryFire-and-forget sensor readings, no ACK needed
QUIC / HTTP/3Builds own reliability in user space over UDP
📥 TCP — Choose When
ScenarioWhy TCP Wins
Web browsing (HTTP/1,2)Every byte of HTML/CSS/JS must arrive
File transfer (FTP/SFTP)A missing byte corrupts the file
Email (SMTP/IMAP)Messages must arrive complete and in order
Database queriesPartial result is worse than no result
SSH / remote shellEvery keystroke must arrive in exact order
API calls (REST/gRPC)Request/response integrity is non-negotiable
FeatureUDPTCP
Header size8 bytes (fixed)20–60 bytes
Connection setupNone (0 RTT)3-way handshake (1.5 RTT)
ReliabilityNone (app handles it)Guaranteed delivery
OrderingNo guaranteeIn-order delivery
Flow controlNoneReceiver window (rwnd)
Congestion controlNone (can flood network)Slow Start / CUBIC / BBR
Broadcast / MulticastSupportedNot supported
State per connectionNone (stateless)~1–4 KB per socket
LatencyNetwork RTT onlyRTT + ACK + possible retransmit
Head-of-line blockingNoneYes (a lost packet blocks all that follow)

Section 04

🏭 Animated: How a UDP Datagram Travels — DNS Example

DNS is the most ubiquitous user of UDP. Every time you type a URL, your device sends a UDP datagram to port 53 of a DNS resolver, and (usually within 1–50ms) receives a UDP datagram back with the answer. No handshake, no state — just one question and one answer. Let's watch it happen.

▶ UDP Datagram Flow — DNS Query (No Handshake, No ACK)
Ready

💡 Notice there is no connection phase. The very first UDP datagram carries the DNS query. Compare this to TCP: HTTPS requires a TCP handshake (1 RTT) + TLS handshake (1–2 RTTs) before the first byte of data is sent — total 2–3 RTTs of setup before your browser even starts downloading.


Section 05

🏭 Animated: UDP Use Cases — VoIP, Gaming, Streaming

Different applications tolerate packet loss in fundamentally different ways. The animation below shows three simultaneous UDP flows — VoIP, online gaming, and live video — and what each does when a packet is lost.

▶ Three UDP Flows — How Each Handles Packet Loss Differently

💡 All three applications use UDP for the same core reason — they prefer a small gap over a late delivery. A VoIP packet retransmitted 200ms late is not speech any more. A game position update retransmitted 100ms late shows a ghost of where the player was. A video frame retransmitted 40ms late freezes the stream. Loss ≠ failure when timeliness matters more than completeness.


Section 06

UDP in Practice — Applications & Well-Known Ports

📌
DNS — Domain Name System
UDP port 53. Every domain resolution starts as a single UDP datagram. The root DNS servers collectively handle over 1 trillion queries per day — UDP's statelessness is the only reason this is possible at that scale. TCP is used only when the response exceeds 512 bytes (zone transfers, DNSSEC), signalled by setting the TC (truncation) bit in the UDP response.
Port 53 | RFC 1035 | ~1 trillion queries/day globally
🔌
DHCP — Dynamic Host Configuration
UDP ports 67 (server) and 68 (client). DHCP must use UDP because a new device has no IP address yet — it cannot form a TCP connection. It broadcasts a DHCP Discover on 255.255.255.255:67. Without UDP broadcast support, your phone could never automatically get an IP address when joining a Wi-Fi network.
Port 67/68 | RFC 2131 | Requires UDP broadcast
🕑
NTP — Network Time Protocol
UDP port 123. Synchronises clocks across the Internet to within microseconds. NTP sends a single UDP timestamp request and receives a single UDP reply. The round-trip time is used to calculate clock offset. Using TCP would add connection setup latency that corrupts the precision of the measurement itself — a neat catch-22 that makes UDP mandatory.
Port 123 | RFC 5905 | Sub-microsecond accuracy
🎧
VoIP & RTP — Real-Time Media
RTP (Real-time Transport Protocol, RFC 3550) runs over UDP and carries voice, video, and audio streams. VoIP applications (Zoom, Teams, WhatsApp calls) use RTP over UDP with RTCP (control channel) for statistics. A retransmitted voice packet arriving 200ms late is worthless — humans detect audio delays above 150ms. RTP adds sequence numbers and timestamps so receivers can detect gaps and reorder — but never retransmit.
RTP RFC 3550 | Dynamic ports 49152+ | Zoom, Teams, WhatsApp
QUIC — The New Internet Foundation
QUIC (RFC 9000, 2021) runs entirely over UDP port 443 — the same port as HTTPS. This lets it pass through firewalls that only open web ports. QUIC implements its own reliable delivery, TLS 1.3 encryption, and stream multiplexing — all in user space, without requiring OS or kernel updates. Powers HTTP/3, YouTube, Google Search, and Meta's social networks. As of 2024, ~30% of all Internet traffic uses QUIC.
RFC 9000 | UDP:443 | HTTP/3 | ~30% of Internet traffic
🎮
Online Gaming — Custom UDP Protocols
Games like Fortnite, Call of Duty, and Counter-Strike use custom UDP-based protocols. Position updates, player actions, and game state are broadcast every 20–64ms (16–50 ticks per second). Lost packets are handled by dead reckoning — predicting where players moved based on last known velocity. Games implement their own selective reliability: critical events (kills, pickups) may be retransmitted once; position updates never are.
Custom ports | 50ms RTT target | Dead reckoning on loss

Section 07

The UDP Checksum — Optional but Critical

The UDP checksum is the only error-detection mechanism UDP offers. Understanding it reveals an elegant design choice: the checksum borrows information from the IP layer to create a binding between the transport and network headers — preventing a correctly received but misrouted datagram from being silently accepted by the wrong application.

📋
The Pseudo-Header — Why the Checksum Borrows from IP

The UDP checksum is computed over three things: the 8-byte UDP header, the UDP payload, and a 12-byte pseudo-header constructed from the IP layer:

Pseudo-header fields: Source IP (4B) + Destination IP (4B) + Zero byte (1B) + Protocol=17 (1B) + UDP Length (2B)

Why? Because without this binding, an IP routing bug could deliver a UDP datagram to the correct port on the wrong host — and the UDP checksum alone would pass. By including the IP addresses in the checksum, any IP-level misdelivery is immediately detected. The pseudo-header is never transmitted — it is only used for the checksum calculation.

⚙ Checksum Computation — Step by Step
Step 1
Build pseudo-header: Src IP (32b) + Dst IP (32b) + 0x00 (8b) + Protocol 17 (8b) + UDP Length (16b)
Step 2
Concatenate: pseudo-header + UDP header (with checksum field set to 0x0000) + UDP data (pad with 0x00 if odd length)
Step 3
Sum all 16-bit words using one's complement addition (carry bits are added back into the sum — "end-around carry")
Step 4
Take the one's complement (bitwise NOT) of the sum → this is the checksum. Place it in the Checksum field.
Verify
Receiver repeats the same calculation including the transmitted checksum. If the result is 0xFFFF, the datagram is valid. If not, silently discard.
⚠️
Checksum = 0 Means "Disabled" in IPv4 — Not Zero!

In IPv4, a UDP checksum of 0x0000 means the sender did not compute a checksum. This is how a sender signals "I am not using checksums — accept this without verification." If the actual checksum computation happens to produce all-zero bits, the sender transmits 0xFFFF instead (one's complement of zero). This is the only value that means "valid zero checksum." In IPv6, the checksum is mandatory — the value 0x0000 is not legal and must be replaced with 0xFFFF.


Section 08

UDP Security — Amplification Attacks & Source Spoofing

UDP's connectionless, stateless nature is a double-edged sword. The same properties that make it fast for DNS and gaming make it a favoured vector for DDoS attacks. Unlike TCP (which requires a 3-way handshake to verify the source IP), UDP allows an attacker to spoof the source IP address trivially.

💥
UDP Amplification Attack
Attacker sends a small UDP request to a server with the victim's IP as the source address. The server sends a large UDP response to the victim. DNS amplification: a 60-byte ANY query produces a 3000-byte response (50× amplification). NTP amplification (monlist): a 234-byte request produces 46,000 bytes of response (197× amplification). The 2013 Spamhaus attack (300 Gbps) and the 2018 GitHub attack (1.35 Tbps via Memcached — 51,000× amplification) both used UDP. UDP has no mechanism to prevent this — it is a fundamental consequence of statelessness. Source: Cloudflare Blog, Arbor Networks annual DDoS report 2018.
DNS 50× | NTP 197× | Memcached 51,000× amplification
🔐
Defences Against UDP Abuse
BCP38 / Source Address Validation: ISPs should drop packets with spoofed source IPs at their network edge — preventing the attack at its source. Widely recommended since 2000 (RFC 2827) but not universally deployed.

Response Rate Limiting (RRL): DNS servers limit the rate of responses to a single source IP.

QUIC's Address Validation: QUIC requires servers to validate the client address before sending large responses — eliminating amplification even over UDP.

Anycast + Scrubbing Centres: Cloudflare, Akamai, and others absorb UDP floods by distributing the attack across hundreds of PoPs globally.
BCP38 | RRL | QUIC validation | Anycast scrubbing
🔥
2018 — GitHub 1.35 Tbps Memcached Attack
On 28 February 2018, GitHub was hit by the largest DDoS attack in history at that time: 1.35 terabits per second. Attackers used misconfigured Memcached servers (which use UDP port 11211) to amplify traffic 51,000×. A 203-byte request produced 100MB of UDP responses directed at GitHub. GitHub mitigated it using Akamai's Prolexic scrubbing service within 10 minutes — but not before the service was completely unreachable. Source: GitHub Engineering Blog, March 2018; Wired Magazine "GitHub Survived the Biggest DDoS Attack Ever Recorded."
Protocol: UDP Memcached | 1.35 Tbps | 51,000× amplification

Section 09

QUIC — Reimagining TCP on Top of UDP

QUIC is the most important evolution in transport protocols since TCP itself. It runs over UDP — inheriting its speed and deployability — while adding everything TCP provides and more, implemented entirely in user space.

0-RTT Connection Setup
vs TCP's 1.5 RTT + TLS
First connection: 1 RTT (crypto handshake combined with connection setup). Resuming a known server: 0 RTT — the first datagram already carries encrypted application data. TCP requires 1 RTT handshake + 1 RTT TLS = 2 RTTs before data. QUIC halves or eliminates this delay.
🔄
No Head-of-Line Blocking
TCP's fatal flaw — solved
TCP delivers all data in order — a lost packet stalls ALL streams behind it. QUIC multiplexes independent streams: a lost datagram only stalls its own stream. Loading 20 page assets simultaneously, one loss does not block the other 19. Chrome measured 15% faster page loads on lossy mobile links.
🔑
Integrated TLS 1.3
Encryption by default
QUIC encrypts everything — not just data but also most headers. Middleboxes cannot tamper with sequence numbers, ACKs, or stream IDs. This also means QUIC can evolve without middlebox interference. TCP's header fields are unencrypted and have been "ossified" — changing them breaks millions of firewalls.
💡
Why QUIC Is Built on UDP (Not a New Protocol Number)

Google originally designed QUIC in 2012. They tried to deploy it as a new IP protocol number (like TCP=6, UDP=17). But enterprise firewalls block everything except TCP and UDP. By running over UDP port 443 (HTTPS), QUIC passes through any firewall that allows web traffic — which is essentially every firewall everywhere. This is why UDP is not being replaced — it is the deployment vehicle for the next generation of the Internet.


Section 10

Golden Rules — UDP in Production

📌 Non-Negotiable Rules When Working with UDP
1
Always enable UDP checksum in IPv4 unless you have a specific reason not to. Leaving checksum at 0x0000 means corrupted datagrams are silently accepted. While hardware CRC catches most physical-layer errors, in-memory bit flips (rowhammer, cosmic ray events) on routers are real and go undetected without the checksum. In IPv6, the checksum is mandatory — no option.
2
Keep UDP payloads under 1472 bytes to avoid IP fragmentation. MTU on Ethernet is 1500 bytes. IP header = 20 bytes, UDP header = 8 bytes. Maximum safe payload = 1500 − 28 = 1472 bytes. Larger payloads are fragmented at the IP layer — and if any fragment is lost, the entire datagram is lost. DNS over UDP is limited to 512 bytes (RFC 1035) specifically because of this — EDNS0 extends it to 4096 bytes but at the risk of fragmentation.
3
Implement your own rate limiting if using UDP for server-to-client pushes. UDP has no congestion control — a UDP sender can flood the network without any backoff signal. The DCCP protocol and LEDBAT algorithm exist for this reason. If building a game server or media server, implement token bucket rate limiting or use BBR-inspired pacing to be a "good citizen" to other flows.
4
Close exposed UDP services or apply strict rate limiting — amplification is real. Never expose NTP monlist, Memcached UDP, SSDP, or CharGen to the public Internet. These are the top amplification attack vectors. Use: iptables -A INPUT -p udp --dport 11211 -j DROP for Memcached, and restrict NTP to known clients with restrict default noquery.
5
Use QUIC/HTTP/3 for new application protocols instead of raw UDP. QUIC gives you reliable streams, 0-RTT, TLS 1.3, and congestion control — without reinventing any of it. Only build on raw UDP if you have a genuine real-time constraint that QUIC's reliability model breaks (e.g. sub-5ms gaming position updates where any queuing is intolerable).
6
Don't block ICMP Port Unreachable (Type 3 Code 3) for UDP services. When a UDP datagram arrives at a closed port, the host sends ICMP Port Unreachable back to the sender. Blocking this causes the sender to wait for a timeout (usually several seconds) instead of detecting failure immediately. This silently breaks UDP applications and makes debugging extremely difficult.
7
Handle out-of-order and duplicate datagrams explicitly in your UDP application. If your application requires ordering, include a sequence number in your payload. If it requires exactly-once delivery, include a message ID and keep a short deduplication window. RTP (RFC 3550) is the gold standard for doing this in real-time media — study its design before building your own.
🎓
The Complete Picture

UDP is not a broken TCP. It is a deliberate design choice that says: "The application knows what it needs — here is the minimum viable transport." Its 8-byte header is a masterpiece of restraint: source port, destination port, length, and checksum. Nothing more.

It powers the resolution of every domain name on the Internet, the synchronisation of every clock, the automatic assignment of every IP address, every VoIP call, every video stream, every online game, and — through QUIC — 30% of all web traffic. Far from being the "unreliable" protocol to avoid, UDP is the foundation that modern high-performance applications are built on.

Understanding UDP's trade-offs — and building the right application-layer mechanisms on top of it — is what separates network-aware engineers from those who reach for TCP as a default and wonder why their real-time applications lag.