Iptables – Handling UDP Packets and Possible DDoS on Debian Jessie

debian-jessie, networking, udp

Debian 8 –
I've been applying some rules to avoid UDP floods, but I'm not sure if they will work. I have the log from my anti-DDoS and it's a very large attack (about 70 Gb/s).

These are the rules I applied on the OS.

iptables -A INPUT -i eth0 -p udp --sport 123 -m limit --limit 1/s --limit-burst 1000 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --limit-burst 1000 -j ACCEPT

Anti-DDoS log (there are around 200-300 more IPs with the same packets/length)

2019-01-21 02:01:21 UTC IP 24.103.40.174:123 > myhost:3866 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 206.54.223.145:123 > myhost:59733 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 58.186.102.236:123 > myhost:56048 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 202.125.157.74:123 > myhost:59733 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 87.241.143.27:123 > myhost:3866 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 80.11.26.127:123 > myhost:59733 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 190.67.183.22:123 > myhost:21180 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 175.18.90.38:123 > myhost:59733 UDP, length 1835036, packets 4096

Any recommendation to avoid/block this specific UDP flood attack?
I also blocked all the ports except the ones I'm using, but the attack can still go through.
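Before choosing a countermeasure it is worth reading the log excerpt for what it says about the traffic. The script below is an added example, not part of the original question: it takes the eight log lines quoted above (the 200-300 further sources are not on the page, so only the excerpt is embedded), and reports the source count, the set of source ports, the average packet size and the volume of the excerpt. Every line comes from source port 123 with a uniform size of about 448 bytes per packet, which is my inference, not something the post states, is the pattern of NTP reflection traffic: the sources are third-party NTP servers answering spoofed requests, so blocking them one IP at a time is not a durable fix.

```shell
#!/bin/sh
# Added example, not part of the original question: summarise the anti-DDoS
# log excerpt to see what kind of UDP flood this is. The eight lines below are
# the ones quoted in the question ("myhost" is the question's placeholder).
LOG='2019-01-21 02:01:21 UTC IP 24.103.40.174:123 > myhost:3866 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 206.54.223.145:123 > myhost:59733 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 58.186.102.236:123 > myhost:56048 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 202.125.157.74:123 > myhost:59733 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 87.241.143.27:123 > myhost:3866 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 80.11.26.127:123 > myhost:59733 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 190.67.183.22:123 > myhost:21180 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 175.18.90.38:123 > myhost:59733 UDP, length 1835036, packets 4096'

# Fields per line: $5 is src:port, $7 is dst:port, $10 is total bytes
# (with a trailing comma), $12 is the packet count.
log_lines() { printf '%s\n' "$LOG"; }

# Average bytes per packet over the whole excerpt. Many sources sending
# packets of one identical size is the signature of reflected traffic,
# not of a real client population.
avg_packet_size() {
    log_lines | awk '{ gsub(",", "", $10); bytes += $10; pkts += $12 }
                     END { if (pkts > 0) printf "%d\n", bytes / pkts }'
}

# Distinct source ports, sorted. A single value of 123 means every packet
# claims to come from an NTP server.
distinct_source_ports() {
    log_lines | awk '{ split($5, a, ":"); print a[2] }' | sort -un
}

# Distinct source addresses, one per line: the input you would feed into an
# ipset if you decide to block these particular reflectors anyway.
source_ips() {
    log_lines | awk '{ split($5, a, ":"); print a[1] }' | sort -u
}

source_count() { source_ips | wc -l | tr -d ' '; }

# Volume of the excerpt in Mbit/s, assuming (as the identical timestamps
# suggest) that all lines fall within one second.
excerpt_mbits() {
    log_lines | awk '{ gsub(",", "", $10); bytes += $10 }
                     END { printf "%d\n", bytes * 8 / 1000000 }'
}

printf 'sources: %s  source ports: %s  avg packet: %s bytes  volume: ~%s Mbit/s\n' \
    "$(source_count)" "$(distinct_source_ports | tr '\n' ' ')" \
    "$(avg_packet_size)" "$(excerpt_mbits)"
```

Eight sources alone account for roughly 117 Mbit/s in that one second; scaled to the 200-300 sources the question mentions, the figure is in the tens of Gbit/s the anti-DDoS reported, well beyond what a single host can absorb on its own uplink.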

Best Answer

When you block the UDP packets in the Netfilter filter table, the packets still trigger connection tracking entry creation on the box.

This causes extra resource consumption on the server.

In order to avoid connection tracking entry creation, you need to use the raw table to filter your packets.

iptables -t raw -A PREROUTING -i eth0 -p udp --sport 123 -m limit --limit 1/s --limit-burst 1000 -j ACCEPT
iptables -t raw -A PREROUTING -i eth0 -p udp -m limit --limit 1/s --limit-burst 1000 -j ACCEPT

However, this only helps if your server's processing capacity is the bottleneck.

If the DDoS fills your server's network connection capacity, there is nothing you can do on the actual server to protect yourself from the flood.

This is because the upstream router still sends all those packets to your server over that connection, saturating the link.

In this case, the only solution is to consult your upstream network provider for help in mitigating the DDoS.
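The following script is an added example, not the answerer's own rules. It applies the two raw-table limits from the answer and adds the step those rules leave implicit: ACCEPT in the raw table only ends traversal of the raw chain, so a packet that passes the limit, and one that exceeds it and falls through, both still reach connection tracking and then the filter table. Dropping the excess in the raw table is what actually keeps it out of conntrack. The script assumes eth0 as the public interface (as in the question), keeps the answer's limit values, and can be dry-run by any user with `IPTABLES=echo`; the `UDP_FLOOD` chain name is my choice.

```shell
#!/bin/sh
# Added example, not the answer's own rules: apply the answer's raw-table
# rate limits and make the excess die in the raw table, before conntrack.
# Assumptions: public interface eth0 (as in the question) and the answer's
# limit values. Set IPTABLES=echo to print the commands instead of running them.
IFACE="${IFACE:-eth0}"

# Wrapper so the whole script can be dry-run as a non-root user.
ipt() { "${IPTABLES:-iptables}" "$@"; }

# Current number of tracked connections: the figure the raw-table rules are
# meant to keep from climbing during the flood (n/a without conntrack).
conntrack_count() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        cat /proc/sys/net/netfilter/nf_conntrack_count
    else
        echo n/a
    fi
}

# The answer's two rules as posted, kept for comparison. ACCEPT in the raw
# table only ends raw-chain traversal: packets within the limit go on to
# conntrack, and packets above it fall through to conntrack and the filter
# table as well, so every flood packet still costs a conntrack lookup.
apply_answer_rules() {
    ipt -t raw -A PREROUTING -i "$IFACE" -p udp --sport 123 -m limit --limit 1/s --limit-burst 1000 -j ACCEPT
    ipt -t raw -A PREROUTING -i "$IFACE" -p udp -m limit --limit 1/s --limit-burst 1000 -j ACCEPT
}

# Same limits, plus the drop that keeps the excess out of conntrack.
apply_hardened() {
    # Dedicated chain so the rule set can be reloaded without touching the
    # rest of PREROUTING: create it, or empty it if it already exists.
    ipt -t raw -N UDP_FLOOD 2>/dev/null || ipt -t raw -F UDP_FLOOD
    # Hook inbound UDP on the public interface into the chain; delete and
    # re-insert at the top so it runs before any other raw rules.
    ipt -t raw -D PREROUTING -i "$IFACE" -p udp -j UDP_FLOOD 2>/dev/null || true
    ipt -t raw -I PREROUTING -i "$IFACE" -p udp -j UDP_FLOOD
    # The answer's limits: NTP replies get their own bucket, then all UDP.
    ipt -t raw -A UDP_FLOOD -p udp --sport 123 -m limit --limit 1/s --limit-burst 1000 -j ACCEPT
    ipt -t raw -A UDP_FLOOD -p udp -m limit --limit 1/s --limit-burst 1000 -j ACCEPT
    # Everything over the limit is dropped here, before connection tracking
    # can allocate an entry for it.
    ipt -t raw -A UDP_FLOOD -p udp -j DROP
}

case "${1:-}" in
    apply)
        echo "conntrack entries now: $(conntrack_count)"
        apply_hardened
        echo "rules loaded; compare with '$0 count' once the flood resumes"
        ;;
    count) conntrack_count ;;
    show)  IPTABLES=echo; apply_hardened ;;
    *)     echo "usage: $0 apply|count|show" >&2 ;;
esac
```

Watch the effect with `iptables -t raw -L UDP_FLOOD -nv` (the DROP counter should carry almost all of the flood) and with the `count` subcommand over time. Two caveats: `-m limit` keeps one global token bucket, so during the flood legitimate UDP replies (DNS, your own NTP client) share the same 1/s budget; `-m hashlimit --hashlimit-mode srcip` gives per-source buckets if that matters to you. And, as the answer says, none of this frees the uplink: once the flood fills the link, dropping packets on the host saves CPU and conntrack memory but not bandwidth, and the upstream provider has to filter it.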