Iptables – udp flooding prevention using iptables

Tags: ddos, denial-of-service, iptables, udp

I want to prevent UDP flooding, so I think that if I drop all UDP packets that don't come from the internal network and aren't related to a UDP connection, I can prevent UDP flooding. In other words, if only UDP packets that come from the internal network, plus UDP packets that come from the external network but aren't the first packet and are related to a UDP connection, are accepted and all others are dropped, then the UDP flooding will not occur. I think this iptables code that I wrote can work:

# accept any packet that's a response to anything we sent
# (conntrack also tracks UDP "flows", so replies to our own queries match)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept all UDP from the internal network
iptables -A INPUT -p udp -s 8.8.8.0/24 -j ACCEPT

# drop every other UDP packet (appended last, so it is the UDP fallback)
iptables -A INPUT -p udp -j DROP

8.8.8.0/24 is the address of my internal network.
Do you think this is correct? Is my code correct?

Best Answer

You won't accomplish much even if your iptables statements were correct.

UDP is stateless. This means that I can send arbitrary & large UDP packets to your server. These packets will be DROPped by the kernel if there is no process listening on the destination UDP port. The traffic has still crossed the internet and hit your modem/demarc.

The only thing you will be able to prevent with UDP dropping is the flooding of ports associated with a running service. E.g.: I can craft large DNS packets and send them via UDP to your DNS server's port. The server will presumably ACCEPT those packets and attempt to process them. It is this processing that blocking MIGHT help with.

You are going to have a bad time if you try to block arbitrary UDP packets. DHCP, DNS, RPC, NFS, NTP, etc... A ton of important network protocols run over UDP. These will need to be allowed.


I suggest you take another look at your network. IF you are having a problem with UDP flooding, you can look at addressing the exact cause and then possible solutions.

If you are being flooded with large UDP packets that are filling your upstream bandwidth look at getting more bandwidth or DDoS protection.

If some application is misbehaving because of the flood, consider fixing the application, using a better one, or getting crazy with some kind of layer 7 firewall to pre-screen packets.

Finally, if you just think blocking UDP flooding is a good idea because...? It's probably not. It will likely break more than it solves unless you have a specific UDP flood issue.
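A reworked version of the question's rule set that takes the answer's point into account: the UDP services the host actually runs must stay reachable, and blocking only helps on ports with a listening service, so those ports get a per-source rate limit instead of a blanket drop. This is an added example, not code from either poster; the internal range 192.0.2.0/24, the DNS port and the packets-per-second value are assumed placeholders to replace with your own.

```shell
#!/bin/sh
# Added example: inbound UDP rules built on conntrack, with explicit
# allowances for the UDP services this host runs (DNS assumed here).
# IPT is the command used to install rules; set IPT="echo iptables"
# (the default preview mode below) to print them without root.
IPT=${IPT:-iptables}

# build_udp_rules INTERNAL_CIDR [DNS_PPS]
#   INTERNAL_CIDR  trusted network (assumed value, replace with yours)
#   DNS_PPS        per-source packets/sec allowed to UDP/53 (default 50)
build_udp_rules() {
    internal=$1
    dns_pps=${2:-50}

    # Dedicated chain so the UDP policy can be reviewed or flushed alone
    $IPT -N UDP_IN 2>/dev/null
    $IPT -A INPUT -p udp -j UDP_IN

    # Replies to queries this host sent: conntrack tracks UDP "flows" too,
    # so the asker's ESTABLISHED,RELATED idea is kept (modern match syntax)
    $IPT -A UDP_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Loopback and the internal network are trusted
    $IPT -A UDP_IN -i lo -j ACCEPT
    $IPT -A UDP_IN -s "$internal" -j ACCEPT

    # A service the host really runs (DNS), rate-limited per source address
    # so a single flooder cannot monopolise the resolver; excess from one
    # source falls through to the DROP below rather than being logged,
    # since a log rule on a flooded port is itself floodable.
    $IPT -A UDP_IN -p udp --dport 53 -m hashlimit \
        --hashlimit-name dns_in --hashlimit-mode srcip \
        --hashlimit-upto "${dns_pps}/sec" --hashlimit-burst 100 -j ACCEPT

    # Everything else UDP from outside is dropped
    $IPT -A UDP_IN -j DROP
}

# Preview the rules by default; APPLY=1 installs them (needs root).
NET=${INTERNAL_NET:-192.0.2.0/24}
if [ "${APPLY:-0}" = 1 ]; then
    build_udp_rules "$NET"
else
    IPT="echo iptables"; build_udp_rules "$NET"
fi
```

Run it as `APPLY=1 INTERNAL_NET=10.0.0.0/24 sh script.sh` to install, or without APPLY to see the exact iptables commands it would issue.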