LinuxQuestions.org
Old 05-23-2006, 10:27 AM   #1
vicious_pucca
LQ Newbie
 
Registered: Aug 2005
Posts: 10

Rep: Reputation: 0
unblockable ip/port by apf?


Someone's been flooding my server with UDP.. and I tried to ban the IP and/or port with APF, but to no avail... any clue how to ban it?

problem is, it doesn't show up on netstat.

but it DOES show up on IPTraf/Ethereal.

it's UDP (46 byte) spam from 213.92.42.41:32913 to myserver:9898
another being UDP from 213.30.153.62(forgot the port)...

I DO use BFD + APF, and I've added those IPs into deny_hosts.rules and port 9898 into common drop ports, but to no avail.

I've tried to block it from iptables; it didn't work. Tried to use Firestarter.. it backfired and blocked myself. XD
 
Old 05-23-2006, 11:19 AM   #2
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 281Reputation: 281Reputation: 281
Is there any chance that the flood is originating from your server? I had a problem once where a machine on my network (winblows of course) was the origination. Since I was only dropping packets originating from outside the firewall, it didn't deny the flood. So I denied that port/IP outgoing from my network until I could track down the machine and isolate it.

Not familiar with firestarter, I always use fwbuilder to make my own custom firewalls. It's pretty robust and allows me to make some pretty complex rules fairly easily.
 
Old 05-23-2006, 11:22 AM   #3
vicious_pucca
LQ Newbie
 
Registered: Aug 2005
Posts: 10

Original Poster
Rep: Reputation: 0
Looking at the IPs, I doubt it? My server is 64.92.xx.xx
 
Old 05-23-2006, 11:49 AM   #4
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158Reputation: 158
There are a few things to note:

If you're sniffing with Ethereal from inside your network and the traffic is originating within your network, you're going to see it, even if you've a firewall rule in place to block the traffic.

Sometimes when using sniffers, it's easy to misinterpret the traffic's direction, depending on the events happening. With Snort, it's usually easy to misinterpret web traffic because the tool alarms on the system's response. I've no idea about Ethereal, though, but I'm betting this traffic is coming from within your network...OR, it's coming from outside your network but you haven't blocked the traffic properly...OR, you have blocked the inbound traffic correctly but the exploit is possibly taking advantage of a firewall vulnerability or is somehow circumventing your border firewall.

Can you post your Ethereal capture, if you're willing?

Last edited by unixfool; 05-23-2006 at 11:51 AM.
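An added example, not from the thread: a small Python check over constructed tcpdump-style lines that does what unixfool is asking for, namely confirms the direction relative to the server and which port is taking the flood before concluding the firewall is being bypassed. SERVER_IP and the sample capture lines are placeholders, not the poster's real capture.

```python
import re
from collections import Counter
# Placeholder server address standing in for the poster's 64.92.xx.xx host.
SERVER_IP = "64.92.0.1"
# Constructed tcpdump-style lines (not the thread's capture): the two 213.x
# sources are the ones named in post #1, the others are documentation ranges.
SAMPLE_CAPTURE = """\
12:00:00.000100 IP 213.92.42.41.32913 > 64.92.0.1.9898: UDP, length 46
12:00:00.000200 IP 213.30.153.62.40001 > 64.92.0.1.9898: UDP, length 46
12:00:00.000300 IP 213.92.42.41.32913 > 64.92.0.1.9898: UDP, length 46
12:00:00.000400 IP 64.92.0.1.22 > 198.51.100.7.51515: tcp, length 120
12:00:00.000500 IP 198.51.100.7.51515 > 64.92.0.1.22: tcp, length 52
12:00:00.000600 IP 203.0.113.9.2048 > 64.92.0.1.9898: UDP, length 46
"""

LINE_RE = re.compile(r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})"
                     r"\.(?P<dport>\d+): (?P<proto>\w+), length (?P<len>\d+)")

def classify_capture(text, server_ip):
    """Summarise packets by direction relative to server_ip. libpcap sees
    inbound frames before netfilter's INPUT chain, so seeing a packet in the
    sniffer does not mean a DROP rule failed; it does show direction and sources."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IP packet summary line
        src, dst = m["src"], m["dst"]
        if dst == server_ip:
            direction = "inbound"
        elif src == server_ip:
            direction = "outbound"
        else:
            direction = "other"  # neither end is us: transit or mis-sniffed
        d = stats.setdefault(direction, {"packets": 0, "bytes": 0,
                                         "sources": set(), "ports": Counter()})
        d["packets"] += 1
        d["bytes"] += int(m["len"])
        d["sources"].add(src)
        d["ports"][(m["proto"].upper(), int(m["dport"]))] += 1
    return stats

def flood_target(stats, min_packets=3):
    """Return the (proto, dport) taking the most inbound packets, or None."""
    inbound = stats.get("inbound")
    if not inbound:
        return None
    (proto, port), n = inbound["ports"].most_common(1)[0]
    return (proto, port) if n >= min_packets else None
```

On the server itself, the packet counters shown by `iptables -L INPUT -v -n` against the DROP rule are the direct way to tell whether the rule is matching, since the sniffer shows the packets either way.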
 
Old 05-23-2006, 12:22 PM   #5
vicious_pucca
LQ Newbie
 
Registered: Aug 2005
Posts: 10

Original Poster
Rep: Reputation: 0
attack has been stopped.

When the attack was on-going, leaving Ethereal on for, let's say, 3 sec would create a 15MB file.. lol. =d

And the "destination" was my server. So I would say either "it's coming from outside your network but you haven't blocked the traffic properly...OR, you have blocked the inbound traffic correctly but the exploit is possibly taking advantage of a firewall vulnerability or is somehow circumventing your border firewall." but possibly the latter, since it is bypassing iptables/APF's IP ban.

*edited*
Hmm, the person started the attack again. I would get you an Ethereal capture, but I can't connect to the server due to high bandwidth usage.. but ya, port 9898 again.

*edited 2*
Apparently it IS hard to drop... he's claiming that he took tibia.com/muonline.com with the same or a similar method.

Last edited by vicious_pucca; 05-23-2006 at 02:45 PM.
 
Old 05-27-2006, 06:04 AM   #6
vicious_pucca
LQ Newbie
 
Registered: Aug 2005
Posts: 10

Original Poster
Rep: Reputation: 0
http://andzropatch.deltaanime.net/Screenshot.png

He attacked again, so I got a screenshot of Ethereal.
 
Old 05-31-2006, 08:37 AM   #7
linuxmanju
Member
 
Registered: Sep 2003
Location: India
Distribution: Debian
Posts: 50

Rep: Reputation: 15
YOU MADE THAT MISTAKE AGAIN. Revealing your IPs through a screenshot.
Damn.. Try to block that IP from the router or anything that is connected to your firewall, or better still, convince your ISP to block everything coming from that IP.

regards
Manjunath
 
Old 06-01-2006, 09:30 PM   #8
vicious_pucca
LQ Newbie
 
Registered: Aug 2005
Posts: 10

Original Poster
Rep: Reputation: 0
who said it was my current IP? =p

Tried to block all UDP. No success.
Tried to block the IP. No success (as it is forged, most likely).
Tried to secure as much as possible. No success.
Tried to contact the host. They denied the request. >_>
=d
 
  

