IPTables : prevent UDP Flooding

ddosiptables

I want to stop the UDP flooding on the Linux device.

I have written a simple IPTable rule to drop all UDP packets

iptables -A INPUT -p udp DROP

But still the DoS attack happens and the device gets hanged. Any clue on how to prevent a UDP flooding?

Every Answer is appreciated.

Best Answer

Block the traffic at an upstream router. You can't make those packets magically disappear, so if your device is so underpowered that it can't handle dropping UDP packets, you'll need to do that with another device.

Related Solutions

Iptables – How to test if SYN and FIN are both dropped at the same time in hping3

I use nmap:

# nmap --scanflags SYN,FIN HOSTNAME
# iptables -nv -L
Chain INPUT (policy ACCEPT 866K packets, 457M bytes)
 pkts bytes target     prot opt in     out     source               destination         
  120  5280 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03

Linux – iptables rate-limit module problem

Your rule does not appear to specify any particular origin. After accepting 20 NEW connections in a minute, it stops accepting NEW connections.

You need to use the recent module in order for iptables to remember where the connections are coming from and blocking people that connect too fast from the same address. This takes two rules: one for iptables to "learn" the address, and then one for iptables to see how many times that address has hit the server in the specified time:

/sbin/iptables -A INPUT -p TCP -m state --state NEW -d xx.xxx.xxx.xx --dport 80 -m recent --set
/sbin/iptables -A INPUT -p TCP -m state --state NEW -d xx.xxx.xxx.xx --dport 80 -m recent --update --seconds 60 --hitcount 20 -j DROP

This article goes into more details.

Best Answer

Related Solutions

Iptables – How to test if SYN and FIN are both dropped at the same time in hping3

Linux – iptables rate-limit module problem

Related Topic