Blocking an SSDP Flood

networking

I've been hosting game servers for a long time, and I keep updating my iptables firewall time and again to block most attacks. One of my game-server ports is being flooded with "SSDP" requests, and my game server replies to that with a "disconnect" packet.

Here is how the stream is established, coming from source port 1900 while the destination is my game-server port:

http://paste.ubuntu.com/8099734/

I have the following iptables configuration that should have been blocking the outgoing "disconnect" packets, but it's not working anymore and I have no idea why.

http://paste.ubuntu.com/8099779/

I have temporarily blocked input from UDP source port 1900, but that is not a good enough solution, as my game server is vulnerable to many other packets, so the outgoing "disconnect" packet is something that has to be blocked.

I'm not sure if the -m multiport match might be required to block this?

Best Answer

I notice that what you are receiving looks like a reply package, not a request.

So most likely this is an amplification-type attack, where they send a small request to SSDP-enabled devices on the net, but with your IP spoofed as the originator. So when all these devices send their reply, you get 'em.

As an added side effect, your service has no idea what they are talking about and has no choice but to "disconnect" them (which the game server apparently does by sending the text disconnect).

I don't understand why you are targeting your reply to this. I'd try going for the incoming package instead, with something like:

iptables -I INPUT -p udp --dport 16000:29000 -m string --to 75 --algo bm --string 'HTTP/1.1 200 OK' -j DROP
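The following script is an added example, not part of the question or the answer above. It does two things: it prints a small defensive iptables chain built around the answer's string-match rule (a rate-limited LOG for visibility, the `-m string --to 75` DROP for SSDP reply payloads, and a per-reflector hashlimit for whatever slips past the string match), and it reproduces the string-match decision in userland so you can see what `--to 75` does on constructed sample payloads before touching a live firewall. The port range 16000:29000 is taken from the answer; the chain name SSDP_GUARD, the rate thresholds, the sample payloads and the 192.0.2.10 address are all assumptions made up for the example. The rules are printed, not applied; pipe the output to sh as root once you have read it.

```shell
#!/bin/sh
# Added example (not from the original post): defending a UDP game-port range
# against SSDP amplification replies. Port range from the answer; everything
# else (chain name, limits, sample data) is assumed for illustration.

GAME_PORTS="16000:29000"         # from the answer
SSDP_MARKER='HTTP/1.1 200 OK'    # first line of an SSDP M-SEARCH reply
MATCH_DEPTH=75                   # --to 75: only the first 75 bytes are searched

# Emit the rules (do not apply them). A dedicated chain keeps the logic in
# one place and lets the INPUT hook rule stay narrow. Drop "--sport 1900"
# from the last line to get the answer's broader match on any source port.
ssdp_rules() {
    cat <<EOF
# create the chain, or flush it if it already exists
iptables -N SSDP_GUARD 2>/dev/null || iptables -F SSDP_GUARD
# log a sample of the flood (5/min) so the attack stays visible
iptables -A SSDP_GUARD -m limit --limit 5/min -j LOG --log-prefix "ssdp-flood: "
# drop datagrams whose first $MATCH_DEPTH bytes contain an SSDP reply
iptables -A SSDP_GUARD -m string --to $MATCH_DEPTH --algo bm --string '$SSDP_MARKER' -j DROP
# drop any single reflector that exceeds 20 pps (assumed threshold)
iptables -A SSDP_GUARD -m hashlimit --hashlimit-name ssdp --hashlimit-mode srcip --hashlimit-above 20/sec -j DROP
iptables -A SSDP_GUARD -j RETURN
# only SSDP-sourced UDP aimed at the game ports enters the chain
iptables -I INPUT -p udp --sport 1900 --dport $GAME_PORTS -j SSDP_GUARD
EOF
}

# Userland model of the kernel string match: does the marker appear within
# the first MATCH_DEPTH bytes of the payload? Returns 0 (match/DROP) or 1.
ssdp_payload_matches() {
    printf '%s' "$1" | dd bs=1 count="$MATCH_DEPTH" 2>/dev/null | grep -qF -- "$SSDP_MARKER"
}

# Constructed sample payloads (not captured traffic).
sample_ssdp_reply() {
    printf 'HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\nST: upnp:rootdevice\r\nLOCATION: http://192.0.2.10:1900/desc.xml\r\n\r\n'
}
sample_game_packet() {
    printf 'GAMEHELLO proto=7 nick=player1\r\n'
}
# Marker pushed past byte 75 by padding: shows the --to 75 cutoff.
sample_late_marker() {
    printf '%080d%s\r\n' 0 "$SSDP_MARKER"
}

# Stand-alone demo: classify the samples, then print the rules.
for name in sample_ssdp_reply sample_game_packet sample_late_marker; do
    if ssdp_payload_matches "$($name)"; then
        echo "$name: would be DROPPED by the string match"
    else
        echo "$name: passes the string match"
    fi
done
ssdp_rules
```

Two things the demo makes visible: the string match is cheap because it stops at byte 75, so a reply whose status line is not near the start is not caught (the third sample), which is why the hashlimit rule sits behind it as a second layer; and the hashlimit is per reflector address, so a flood spread thinly across many reflectors can still pass it, which is what the LOG line is there to show you.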