Linux – iptables drop not working with udp flood, causing high ping

debianiptableslinux

I'm currently running a game server on port 27015 under debian. According to the output of:

tcpdump -n -i any dst host xx.xxx.xxx.xxx

The server is getting flooded with:

19:34:48.388401 IP xx.xx.x.xxx.52954 > xx.xxx.xxx.xxx.27015: UDP, length 0
19:34:48.388405 IP xx.xx.x.xxx.52954 > xx.xxx.xxx.xxx.27015: UDP, length 0
19:34:48.388407 IP xx.xx.x.xxx.52954 > xx.xxx.xxx.xxx.27015: UDP, length 0

And the ping of the game server is hitting 1000+ (only affecting the server running on this port on this ip, not the whole machine)

I setup a drop rule for the offending IP address:

iptables -A INPUT -s xx.xx.x.xxx -j DROP

However the ping of the server is still through the roof. Is there anything more i can do? I still see the flood coming in with tcpdump however that seems to be normal according to random google sources.

Best Answer

This sound to me like a DoS attack, which means that you can't do anything except ignoring the attacker which you've already done. You might also want to ask your ISP to block him.

As for tcpdump still seeing those packets, this is normal. They still exist on the network, but the kernel makes sure that a regular application doesn't see them.

Related Solutions

Linux – IPTABLES for block sync flood over udp

If your firewall isn't already configured this way, default deny is the safer way to operate. This means that anything that isn't explicitly allowed is denied. For iptables, this means:

 iptables -P INPUT DROP

You can do this for the OUTPUT and FORWARD chains as well but OUTPUT in particular requires a little more discipline in managing what your server is allowed to connect to.

After disallowing everything, you allow what you want. Does your game listen for UDP traffic on ports 27015 and 27018? If so, add rules that allow that traffic in. Does the client always use a small range of source ports or even a single source port? If so, restrict the allowed packets to just those source ports. The first example you gave where the source port is 80 would be automatically blocked in that case. The other one might be depending on what source ports your client uses.

How are you determining that the firewall rules are not working? tcpdump attaches outside the firewall and hence will see packets that are destined to be dropped (or in the outbound direction, that have already passed the firewall). You can use a -j LOG rule to monitor specific parts of your chains or use in-application logging.

I'm not quite sure what you mean by "overload the udp ports". Does your application need to use a separate UDP port for each connecting IP address? Is there some shared resource that is acting as a bottleneck? Is all this UDP traffic just filling the networking hardware's buffers, causing the kind of latency associated with bufferbloat? If this last one is true, blocking using iptables won't even solve your problem.

Iptables rules for botnet (UDP flood) protection

The only iptable rules that would help you even remotely would be dropping all traffic coming in on those ports. The problem with that is that your service will go down as well. The only thing you can do is talk to your ISP and ask them to drop all incoming udp traffic before it reaches you.

Best Answer

Related Solutions

Linux – IPTABLES for block sync flood over udp

Iptables rules for botnet (UDP flood) protection

Related Topic