Debian 8 –
I've been applying some rules to avoid a UDP flood, but I'm not sure if they will work. I have the log from my anti-DDoS and it's a very large attack (about 70gbs).
These are the rules I applied on the OS.
iptables -A INPUT -i eth0 -p udp --sport 123 -m limit --limit 1/s --limit-burst 1000 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --limit-burst 1000 -j ACCEPT
Anti-DDoS log (there are about 200-300 more IPs with the same packets/length)
2019-01-21 02:01:21 UTC IP 24.103.40.174:123 > myhost:3866 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 206.54.223.145:123 > myhost:59733 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 58.186.102.236:123 > myhost:56048 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 202.125.157.74:123 > myhost:59733 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 87.241.143.27:123 > myhost:3866 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 80.11.26.127:123 > myhost:59733 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 190.67.183.22:123 > myhost:21180 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 175.18.90.38:123 > myhost:59733 UDP, length 1835036, packets 4096
Any recommendation to avoid/block this specific UDP flood attack?
I also blocked all the ports except the ones I'm using, but the attack still gets through.
Best Answer
When you block the UDP packets in the Netfilter filter table, the packets still trigger connection tracking entry creation in the box. This causes extra resource consumption on the server.
In order to avoid connection tracking entry creation, you need to use the raw table to filter your packets. However, this only helps if your server's processing capacity is the bottleneck.
If the DDoS fills your server's network connection capacity, there is nothing you can do on the actual server to protect yourself from the flood.
This is because the upstream router still sends all those packets to your server via the connection, capping the capacity of the link.
In this case, the only solution is to consult your upstream network provider for help in mitigating the DDoS.
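As an added example (not code from the question or the answer), the script below parses log lines in the question's anti-DDoS format, flags the reflection signature visible there (many distinct sources, one fixed source port, identical byte counts) and emits raw-table PREROUTING rules that drop the excess before connection tracking runs, as the answer recommends. The sample lines are constructed to mirror the question's log using documentation-range IPs, and the function names are my own; as the answer notes, this only helps when the server, not the link, is the bottleneck.

```python
import re
from collections import defaultdict

# Matches the anti-DDoS log format quoted in the question.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) UTC IP (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[^:\s]+):(?P<dport>\d+) UDP, length (?P<length>\d+), packets (?P<packets>\d+)$"
)

# Constructed sample: four reflected UDP/123 entries plus one unrelated DNS reply.
SAMPLE_LOG = """\
2019-01-21 02:01:21 UTC IP 192.0.2.10:123 > myhost:3866 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 198.51.100.7:123 > myhost:59733 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 203.0.113.5:123 > myhost:56048 UDP, length 1835036, packets 4096
2019-01-21 02:01:21 UTC IP 192.0.2.77:123 > myhost:59733 UDP, length 1835036, packets 4096
2019-01-21 02:01:22 UTC IP 198.51.100.200:53 > myhost:41000 UDP, length 512, packets 4
"""

def parse_log(text):
    """Return one dict per well-formed line; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "length", "packets"):
                d[k] = int(d[k])
            rows.append(d)
    return rows

def find_reflection_floods(rows, min_sources=3):
    """Group by (source port, byte count). Many distinct sources sharing one fixed
    source port and an identical length is the reflection-flood signature seen in
    the question (UDP/123, i.e. NTP). Returns {(sport, length): sorted source IPs}."""
    groups = defaultdict(set)
    for r in rows:
        groups[(r["sport"], r["length"])].add(r["src"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_sources}

def raw_table_rules(sport, iface="eth0", burst=20):
    """iptables commands for the raw table's PREROUTING chain. A small rate-limited
    share is ACCEPTed (it then goes through conntrack and the filter table as usual,
    so genuine replies still arrive); everything beyond the limit is DROPped here,
    before any connection tracking entry is created. Unlike the filter-table ACCEPT
    rules in the question, nothing below the limit ever reaches conntrack."""
    base = f"iptables -t raw -A PREROUTING -i {iface} -p udp --sport {sport}"
    return [
        f"{base} -m limit --limit 1/s --limit-burst {burst} -j ACCEPT",
        f"{base} -j DROP",
    ]

if __name__ == "__main__":
    for (sport, length), srcs in find_reflection_floods(parse_log(SAMPLE_LOG)).items():
        print(f"sport {sport}, length {length}: {len(srcs)} sources")
        print("\n".join(raw_table_rules(sport)))
```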