|
|||
supress UDP ddos attack
Hi guys,
One of the IPs on my system is being subjected to occasional UDP floods (i can tell it's UDP by checking out the bandwidthd output for that IP). Whilst the rest of the network remains completely stable due to decent firewalls in use at the data-centre i can't help thinking that there's more i can be doing to limit the effect of these attacks via my software firewall (pf). I tried experimenting with the following rule; Code:
pass inet proto udp from any to x.x.x.x \ keep state \ (max-src-conn 100, max-src-conn-rate 15/5, \ overload <bruteforce> flush global) Thanks, Chris |
|
|||
If thousand people are standing in front of your house and yell that they want money from you, you can refuse to open the front door and not let them in. But the newspaper boy and the mail man will still have trouble to reach your house to deliver the paper and your mail
The best way is to report this IP to the netblock owner or ask your upstream ISP do that. The whois command line program will tell you who is the netblock owner.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
|
|||
I find the abuse staff at most IP's are quite slow... and when they do respond they really can't do much more then blocking the certain individual..
Typically though, they won't do anything the first initial attempt... the Internet is an active place, tolerate it.. and make sure your network is adequately secure. |
|
||||
From blackhole(4):
Quote:
__________________
Kill your t.v. |
|
|||
Here is my $0.02:
If one of your server is getting UDP flooded 'occasionally' you might want to check and make sure that the server has not been compromised. "Script kiddies" throughout the world are scanning for vulnerable ssh accounts, PHP exploits, and lame duck IIS installs. If you're lucky the 'kiddies' just set up an IRC client/bouncer on your server and use it to swap 'warez' and taunt other "script kiddies". Eventually someone gets annoyed and they launch a DoS attack against your server. Last edited by KernelPanic; 9th July 2008 at 02:50 PM. Reason: Typos |
Thread Tools | |
Display Modes | |
|
|