Suppress UDP DDoS attack
Hi guys,
One of the IPs on my system is being subjected to occasional UDP floods (I can tell it's UDP by checking the bandwidthd output for that IP). Whilst the rest of the network remains completely stable due to decent firewalls in use at the data centre, I can't help thinking that there's more I can be doing to limit the effect of these attacks via my software firewall (pf). I tried experimenting with the following rule:
Code:

pass inet proto udp from any to x.x.x.x \
    keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
    overload <bruteforce> flush global)

Thanks,
Chris
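An added example of a UDP-aware pf ruleset; this is not Chris's rule and not taken from any reply in this thread. It assumes an external interface em0, the flooded address in $udp_host and the services that host really offers in $udp_ports; the table name <floodbots>, the timeouts and the limits are illustrative values. What it shows: max-src-conn and max-src-conn-rate count completed TCP handshakes, so on a UDP rule they never limit anything; the per-source option that does apply to UDP states is max-src-states, paired with short UDP timeouts so flood states expire quickly. None of this reduces the traffic arriving on the link, only the state pf keeps and what is forwarded to the host.

```pf
# Added example (not the original poster's rule): limiting UDP floods in pf.
# Assumed names: ext_if, udp_host, udp_ports and the <floodbots> table are
# illustrative; replace them with your own values.

ext_if    = "em0"
udp_host  = "x.x.x.x"
udp_ports = "{ 53, 123 }"

# Expire UDP states quickly so a flood cannot pin thousands of entries.
# (Defaults are udp.first 60, udp.single 30, udp.multiple 60.)
set timeout { udp.first 30, udp.single 15, udp.multiple 30 }

# Hard caps on the state and source-node tables (both default to 10000).
set limit { states 20000, src-nodes 5000 }

# Known offenders; populate by hand with "pfctl -t floodbots -T add a.b.c.d".
# overload <table> is only driven by max-src-conn / max-src-conn-rate, which
# count TCP handshakes, so a UDP rule will never fill this table by itself.
table <floodbots> persist

# Anything already in the table is dropped before any state is created.
block in quick on $ext_if from <floodbots>

# max-src-conn and max-src-conn-rate do not apply to UDP. max-src-states does:
# each source address may hold at most 20 concurrent UDP states to this host,
# further packets from it are dropped while it is at the limit. Drops show up
# in the "max-src-states" line of the Limit Counters in "pfctl -si".
pass in quick on $ext_if inet proto udp from any to $udp_host port $udp_ports \
    keep state (source-track rule, max-src-states 20)

# Everything else UDP to this host is dropped, and creates no state.
block in on $ext_if inet proto udp from any to $udp_host
```

Load it with `pfctl -f /etc/pf.conf` and watch `pfctl -si` while a flood is in progress: a rising "max-src-states" limit counter means the rule is biting. A UDP flood cannot be told apart from legitimate traffic by a handshake, so the per-source cap is the only per-host knob pf offers here; if the flood is large enough to fill the uplink, the packets have already consumed your bandwidth before pf sees them, which is why the upstream filtering suggested below still matters.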
If a thousand people are standing in front of your house yelling that they want money from you, you can refuse to open the front door and not let them in. But the newspaper boy and the mailman will still have trouble reaching your house to deliver the paper and your mail.
The best way is to report this IP to the netblock owner or ask your upstream ISP to do that. The whois command line program will tell you who the netblock owner is.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
I find the abuse staff at most ISPs are quite slow... and when they do respond they really can't do much more than block that particular individual.
Typically, though, they won't do anything on the first attempt... the Internet is an active place; tolerate it, and make sure your network is adequately secure.
From blackhole(4):
Quote:
__________________
Kill your t.v.
Here is my $0.02:
If one of your servers is getting UDP flooded 'occasionally', you might want to check and make sure that the server has not been compromised. "Script kiddies" throughout the world are scanning for vulnerable ssh accounts, PHP exploits, and lame-duck IIS installs. If you're lucky, the 'kiddies' just set up an IRC client/bouncer on your server and use it to swap 'warez' and taunt other "script kiddies". Eventually someone gets annoyed and they launch a DoS attack against your server.
Last edited by KernelPanic; 9th July 2008 at 02:50 PM. Reason: Typos