Linux block udp on low-level against DDOS

ddosdebian-wheezylinuxudp

My server is currently under DDOS attack with nearly 500k UDP packets per second.

UDP is blocked in iptables but the processor is still overloaded.

Any way to block UDP on a lower level to not pass the packet through all iptables chains/modules but drop it even before?

Best Answer

The earliest possible point of dropping packets is the iptables raw table, as shown in the diagram in https://unix.stackexchange.com/questions/243079/netfilter-iptables-why-not-using-the-raw-table

You can drop packets there in the PREROUTING chain like this:

iptables -t raw -A PREROUTING -p udp -j DROP

However, with this approach you are also dropping DNS responses for the requests initiated by your server, since processing of the raw table occurs before connection tracking takes place.

You can add allowed UDP hosts like this:

iptables -t raw -A PREROUTING -p udp -s !nnn.nnn.nnn.nnn -j DROP

where nnn.nnn.nnn.nnn is the IP address of the host where you want to receive UDP traffic with.

There can also be other consequences when disabling UDP traffic before connection tracking, depending on the server.

Related Solutions

Linux – Tactic to block a UDP spoofing attack

As you are stating that you "need the port", I assume that you are offering some kind of public service on the DoS-attacked UDP port. Using HAProxy would not help you as HAProxy

does not support the UDP transport
even if it did, it would not give you the means to differentiate "bad" packets from "good" ones - i.e. would not act as a filter

The available options depend on the characteristics of the "bad" packets.

If you could identify them out based on the header information (IP source/destination address, UDP source/destination port), your best bet would be to ask your ISP to filter packets matching the appropriate criteria.

If you need content inspection or state matching, the ISP probably is not going to be able to help (although it would not hurt to ask) but would need to set up an own packet filtering router able to filter by the defined criteria. pf/BSD as well as netfilter/Linux would likely be able to do the job.

Linux – IPTABLES for block sync flood over udp

If your firewall isn't already configured this way, default deny is the safer way to operate. This means that anything that isn't explicitly allowed is denied. For iptables, this means:

 iptables -P INPUT DROP

You can do this for the OUTPUT and FORWARD chains as well but OUTPUT in particular requires a little more discipline in managing what your server is allowed to connect to.

After disallowing everything, you allow what you want. Does your game listen for UDP traffic on ports 27015 and 27018? If so, add rules that allow that traffic in. Does the client always use a small range of source ports or even a single source port? If so, restrict the allowed packets to just those source ports. The first example you gave where the source port is 80 would be automatically blocked in that case. The other one might be depending on what source ports your client uses.

How are you determining that the firewall rules are not working? tcpdump attaches outside the firewall and hence will see packets that are destined to be dropped (or in the outbound direction, that have already passed the firewall). You can use a -j LOG rule to monitor specific parts of your chains or use in-application logging.

I'm not quite sure what you mean by "overload the udp ports". Does your application need to use a separate UDP port for each connecting IP address? Is there some shared resource that is acting as a bottleneck? Is all this UDP traffic just filling the networking hardware's buffers, causing the kind of latency associated with bufferbloat? If this last one is true, blocking using iptables won't even solve your problem.

Best Answer

Related Solutions

Linux – Tactic to block a UDP spoofing attack

Linux – IPTABLES for block sync flood over udp

Related Topic