Udp Flood

Foul Member

So I've exhausted all options here.. iptables etc.

But the UDP floods (spoofed IPs) keep getting through

    [root@serv888 ~]# tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    16:17:52.504507 IP 207.46.150.153.1024 > serv888-97-**.*.net.mns-mail: UDP, length 459
    16:17:52.504515 IP 23.102.174.102.1024 > serv888-97-**.*.net.23989: UDP, length 633
    16:17:52.504521 IP 23.102.174.102.1024 > serv888-97-**.*.net.30898: UDP, length 676
    16:17:52.504526 IP 207.46.150.153.1024 > serv888-97-**.*.net.25766: UDP, length 673
    16:17:52.504531 IP 207.46.150.153.1024 > serv888-97-**.*.net.20165: UDP, length 174

It just keeps going endlessly and iptables isn't dropping the UDP attack..

Can you offer some advice on how I'd go about blocking this?

Comments

  • Are you sure iptables isn't dropping the attack? This is all incoming, which can't be stopped. The only thing you can stop is outgoing packets that respond to the flood.

    You might want to look into a provider with ddos protection.

  • agentsmith Member
    edited August 2014

    What's the output of

    tcpdump -lnvi eth0
    
  • If your line gets exhausted there's no way of stopping it on the server level, another option would be to counterattack. Just send a big udp flood to the attacking IP and it will stop attacking you, as their port will saturate.

    Thanked by 1jtl999
  • perennate Member, Host Rep

    tr1cky said: If your line gets exhausted there's no way of stopping it on the server level, another option would be to counterattack. Just send a big udp flood to the attacking IP and it will stop attacking you, as their port will saturate.

    Same for NSA, if the NSA hacks you then you should counterhack them back, and then say you didn't know it was NSA.

  • agentsmith Member
    edited August 2014

    If packets are dropped it saves you sending ICMP unreachable messages, but downstream is saturated anyway. It can only be solved by blocking at the uplink router.

    What services do you run there that might be a target?
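
An added example, not part of any post in this thread: a way to check from the host whether the inbound flood is near link capacity (filtering must then happen upstream) or well below it (host rules can still help). It assumes plain `tcpdump -nn` text output; the sample lines, the service port 7777, the 90% threshold and the link speed are constructed for illustration.

```python
import re
from collections import Counter

# One tcpdump -nn UDP line: "HH:MM:SS.ffffff IP src.sport > dst.dport: UDP, length N"
LINE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)$"
)
UDP_IP_OVERHEAD = 28  # IPv4 (20) + UDP (8) headers; tcpdump "length" is payload only

# Constructed sample capture (documentation address ranges, not real hosts).
SAMPLE = """
16:17:52.000000 IP 198.51.100.7.1024 > 192.0.2.10.23989: UDP, length 600
16:17:52.000100 IP 203.0.113.9.1024 > 192.0.2.10.30898: UDP, length 700
16:17:52.000200 IP 198.51.100.7.1024 > 192.0.2.10.25766: UDP, length 650
16:17:52.000300 IP 198.51.100.7.1024 > 192.0.2.10.20165: UDP, length 172
16:17:52.000400 IP 203.0.113.9.1024 > 192.0.2.10.7777: UDP, length 450
""".splitlines()

def summarize(lines, service_port, link_mbps):
    """Summarise inbound UDP seen at the NIC and relate it to link capacity."""
    sources, ports, total_bytes, stamps = Counter(), Counter(), 0, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip tcpdump headers, blank lines and non-UDP traffic
        h, mi, s, src, _sport, _dst, dport, length = m.groups()
        stamps.append(int(h) * 3600 + int(mi) * 60 + float(s))
        sources[src] += 1
        ports[int(dport)] += 1
        total_bytes += int(length) + UDP_IP_OVERHEAD
    span = max(stamps) - min(stamps) if len(stamps) > 1 else 0.0
    mbps = (total_bytes * 8 / span / 1e6) if span > 0 else 0.0
    return {
        "packets": len(stamps),
        "top_sources": sources.most_common(3),
        "distinct_dst_ports": len(ports),
        "to_service_port": ports.get(service_port, 0),
        "inbound_mbps": round(mbps, 2),
        # Assumed threshold: treat >= 90% of link speed as saturated.
        "link_saturated": mbps >= 0.9 * link_mbps,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE, service_port=7777, link_mbps=100))
```

Many distinct destination ports with almost nothing aimed at the service port points to a volumetric flood rather than traffic for the application, and the host only sees packets that were not already lost upstream.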

  • Foul Member

    @agentsmith said:
    If packets are dropped it saves you sending ICMP unreachable messages, but downstream is saturated anyway. It can only be solved by blocking at the uplink router.

    What services do you run there that might be a target?

    It's just a simple game powered by python.

  • Mark_R Member
    edited August 2014

    You always could use www.x4b.net if you're tired of messing around with firewalls n stuffs, it's an affordable solution to your problem. Make sure that the server IP that is being attacked gets replaced first with a new one - otherwise putting x4b.net in front won't help at all since the attacker knows the real server IP already.

  • @Foul said:
    So I've exhausted all options here.. iptables etc.

    But the UDP floods (spoofed IPs) keep getting through

        [root@serv888 ~]# tcpdump
        tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
        listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
        16:17:52.504507 IP 207.46.150.153.1024 > serv888-97-**.*.net.mns-mail: UDP, length 459
        16:17:52.504515 IP 23.102.174.102.1024 > serv888-97-**.*.net.23989: UDP, length 633
        16:17:52.504521 IP 23.102.174.102.1024 > serv888-97-**.*.net.30898: UDP, length 676
        16:17:52.504526 IP 207.46.150.153.1024 > serv888-97-**.*.net.25766: UDP, length 673
        16:17:52.504531 IP 207.46.150.153.1024 > serv888-97-**.*.net.20165: UDP, length 174

    It just keeps going endlessly and iptables isn't dropping the UDP attack..

    Can you offer some advice on how I'd go about blocking this?

    Please run the command tcpdump -nn -vv -xx then if you see
    please inbox me, I can make you a firewall iptables rule with string u32 or string hex

  • tr1cky said: Just send a big udp flood to the attacking IP and it will stop attacking you, as their port will saturate.

    Not a lot of ports running half-duplex these days . . .

  • Nyr Community Contributor, Veteran

    @tr1cky said:
    Just send a big udp flood to the attacking IP and it will stop attacking you, as their port will saturate.

    That's incredibly stupid advice.

    And you know many UDP floods are spoofed traffic anyway, yeah?

  • @Nyr said:
    And you know many UDP floods are spoofed traffic anyway, yeah?

    Which means the source is unknown, and thus a counterattack is rendered useless.

  • Nyr Community Contributor, Veteran

    @nexmark said:
    Which means the source is unknown, and thus a counterattack is rendered useless.

    And he could be attacking an innocent (or a compromised server at best). And it's illegal and asking for trouble anyway.
