Old 02-21-2011, 11:17 AM   #1
AsadMoeen
Member
 
Registered: Jun 2010
Posts: 160

Rep: Reputation: 3
Iptables configuration for UDP Flood


Hello.

I've searched a lot on this and I've come to this conclusion: banning the IP is the best way to protect your server, but of course the attacker can use another IP and use a lot of your bandwidth until you find and ban that one too. So the only thing we can do to prevent this is block the packets with the iptables length module.


I check the bandwidth usage with "iftop". Incoming traffic is always around 120kb/second, and that has to be that way because the traffic enters my server no matter what; no doubt it gets dropped by iptables later.

What the DDoS (UDP flood) actually does is cause outbound traffic that easily eats up 5mb/second, and my servers lag. Only when the IP is banned does the outbound traffic come to an end.


Now I want to use the length module to block it, but it just won't work. I've tried the following and shuffled them around too, but no help.

Code:
iptables -I INPUT -p udp -m length --length 15 -j DROP
iptables -A INPUT -p udp -m length --length 15 -j DROP
Packet length is 15 according to tcpdump:


Code:
19:49:34.504864 IP fms-02.colt.net.belgamanagement.be.56413 > nyc.v1servers.com.20100: UDP, length 15
Any help?
 
Old 02-21-2011, 11:22 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Have you looked into rate limiting? It puts a limit on the number of connections a particular IP can establish per unit time. One of its purposes is to stop DoS floods. You can specify ports and protocols, etc. to fine-tune what you want to protect too. Here is a link on the subject, though there are several of them available.
 
Old 02-22-2011, 01:02 AM   #3
AsadMoeen
Member
 
Registered: Jun 2010
Posts: 160

Original Poster
Rep: Reputation: 3
I'll consider that.

So if I look at the tcpdump log, what would you say would be a better rate to block just the DoSing packets and not the game server clients:

Code:
01:58:05.012780 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20300: UDP, length 15
01:58:05.012790 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20102: UDP, length 15
01:58:05.043078 IP MyHost.ssh > 119.152.102.100.10733: . 67448:70248(2800) ack 313 win 71
01:58:05.043471 IP MyHost.58056 > resolver1.opendns.com.domain:  38809+ PTR? 215.158.215.91.in-addr.arpa. (45)
01:58:05.060923 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20102: UDP, length 15
01:58:05.060949 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20300: UDP, length 15
01:58:05.060971 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20300: UDP, length 15
01:58:05.061140 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20400: UDP, length 15
01:58:05.061243 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20200: UDP, length 15
01:58:05.062186 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20200: UDP, length 15
01:58:05.062311 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20100: UDP, length 15
01:58:05.085449 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20102: UDP, length 15
01:58:05.085459 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20300: UDP, length 15
01:58:05.085467 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20400: UDP, length 15
01:58:05.085481 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20300: UDP, length 15
01:58:05.085617 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20200: UDP, length 15
01:58:05.086513 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20200: UDP, length 15
01:58:05.086709 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20100: UDP, length 15
01:58:05.109678 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20102: UDP, length 15
01:58:05.109762 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20300: UDP, length 15
01:58:05.109795 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20300: UDP, length 15
01:58:05.109901 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20400: UDP, length 15
01:58:05.110026 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20200: UDP, length 15
01:58:05.110946 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20200: UDP, length 15
01:58:05.111139 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20100: UDP, length 15
01:58:05.120628 arp who-has 85.17.233.62 tell localhost.localdomain
01:58:05.133953 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20102: UDP, length 15
01:58:05.133975 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20300: UDP, length 15
01:58:05.134015 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20300: UDP, length 15
01:58:05.134078 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20400: UDP, length 15
01:58:05.134239 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20200: UDP, length 15
01:58:05.135160 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20200: UDP, length 15
01:58:05.135348 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20100: UDP, length 15
01:58:05.151970 IP resolver1.opendns.com.domain > MyHost.58056:  38809 NXDomain 0/0/0 (45)
01:58:05.158286 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20102: UDP, length 15
01:58:05.158295 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20300: UDP, length 15
01:58:05.158402 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20400: UDP, length 15
01:58:05.158414 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20300: UDP, length 15
01:58:05.158538 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20200: UDP, length 15
01:58:05.159485 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20200: UDP, length 15
01:58:05.159675 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20100: UDP, length 15
01:58:05.182551 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20102: UDP, length 15
01:58:05.182648 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20300: UDP, length 15
01:58:05.182680 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20400: UDP, length 15
01:58:05.182688 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20300: UDP, length 15
01:58:05.182880 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20200: UDP, length 15
01:58:05.183775 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20200: UDP, length 15
01:58:05.183929 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20100: UDP, length 15
01:58:05.206773 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20102: UDP, length 15
01:58:05.206802 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20300: UDP, length 15
01:58:05.206860 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20300: UDP, length 15
01:58:05.207003 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20400: UDP, length 15
01:58:05.207133 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20200: UDP, length 15
01:58:05.208090 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20200: UDP, length 15
01:58:05.208208 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20100: UDP, length 15
01:58:05.215674 IP 119.152.102.100.10733 > MyHost.ssh: . ack 64700 win 257
01:58:05.215698 IP MyHost.ssh > 119.152.102.100.10733: P 70248:71596(1348) ack 313 win 71
 
Old 02-22-2011, 04:26 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
From your tcpdump, would you please identify the traffic that you wish to keep? I assume you want to block all of these:
Code:
01:58:05.110026 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20200: UDP, length 15
The only other traffic I see is some DNS and ssh traffic.

There are several ways you can block them: block the IP, block the whole provider they are using, block the port range, or put a connection limit on the number of connections a client can establish, which the email I showed you provides.

I can't tell you what connection limits to pick from your traffic. That is something you will need to determine and experiment with.
 
Old 02-22-2011, 05:34 AM   #5
AsadMoeen
Member
 
Registered: Jun 2010
Posts: 160

Original Poster
Rep: Reputation: 3
Quote:
Originally Posted by Noway2
From your tcpdump, would you please identify the traffic that you wish to keep? I assume you want to block all of these:
Code:
01:58:05.110026 IP fms-02.colt.net.belgamanagement.be.timbuktu-srv1 > MyHost.20200: UDP, length 15
The only other traffic I see is some DNS and ssh traffic.

There are several ways you can block them: block the IP, block the whole provider they are using, block the port range, or put a connection limit on the number of connections a client can establish, which the email I showed you provides.

I can't tell you what connection limits to pick from your traffic. That is something you will need to determine and experiment with.
Yes that's the traffic I want to block.

I can ban the IP address easily, but only once I get to the server. Before I get there, the attacker easily spikes my port until I ban his IP. So I don't want that; I want to limit it based on the attack he uses, even if I don't know his IP.

As you can see the length is 15, but it doesn't work until I put length 43 in iptables. Only in that case is the outgoing traffic to this IP null, but sadly my server then disappears from the master server list and the favorites list. We can only connect by IP. I don't know what weird stuff that is?


Rate limiting could be good, but I don't know what the command for the rate should be, or what number of packets per second.
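Editor's note with an added worked example (not from the thread): the "15" and "43" above are two different measurements of the same packet. tcpdump's "UDP, length 15" is the UDP payload only, while the iptables `length` match compares against the total IP packet length, so for IPv4 without options that is 20 (IP header) + 8 (UDP header) + 15 = 43. The script below parses tcpdump lines and shows which `--length` values would match them. The sample lines are constructed on the pattern of the capture posted here, with documentation addresses; the function names are this example's own.

```python
import re

# Header sizes for the case this thread shows: IPv4 without options carrying UDP.
# iptables' `length` match compares the layer-3 total length (IP header + UDP
# header + payload); tcpdump's "UDP, length N" prints only the UDP payload bytes.
IPV4_HEADER_LEN = 20
UDP_HEADER_LEN = 8

UDP_LENGTH_RE = re.compile(r"UDP, length (\d+)\s*$")


def payload_len_from_tcpdump(line):
    """Return the UDP payload length tcpdump printed, or None for other lines."""
    m = UDP_LENGTH_RE.search(line)
    return int(m.group(1)) if m else None


def iptables_length(payload_len, ip_header_len=IPV4_HEADER_LEN):
    """Total packet length that `-m length --length` is compared against."""
    return ip_header_len + UDP_HEADER_LEN + payload_len


def parse_length_spec(spec):
    """Parse a --length argument: a single value 'N' or an inclusive range 'MIN:MAX'."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return int(lo), int(hi)
    return int(spec), int(spec)


def length_rule_matches(spec, total_len):
    lo, hi = parse_length_spec(spec)
    return lo <= total_len <= hi


def evaluate(lines, spec):
    """For each raw-UDP line: (payload_len, iptables_len, matched_by_spec)."""
    results = []
    for line in lines:
        payload = payload_len_from_tcpdump(line)
        if payload is None:
            # tcpdump decodes DNS instead of printing a raw UDP length, and
            # TCP/ARP lines never carry one, so those are skipped here.
            continue
        total = iptables_length(payload)
        results.append((payload, total, length_rule_matches(spec, total)))
    return results


# Constructed sample lines modelled on the capture in the thread (RFC 5737
# documentation addresses, not the real hosts).
SAMPLE = [
    "19:49:34.504864 IP 203.0.113.10.56413 > 198.51.100.20.20100: UDP, length 15",
    "19:49:34.505102 IP 203.0.113.10.56413 > 198.51.100.20.20300: UDP, length 15",
    "19:49:34.520000 IP 198.51.100.20.58056 > 198.51.100.1.53: 38809+ PTR? 10.113.0.203.in-addr.arpa. (45)",
    "19:49:34.530000 IP 192.0.2.7.27015 > 198.51.100.20.20100: UDP, length 60",
]

if __name__ == "__main__":
    for spec in ("15", "43"):
        rows = evaluate(SAMPLE, spec)
        hits = sum(1 for _, _, matched in rows if matched)
        print(f"--length {spec}: {hits} of {len(rows)} UDP packets match")
```

The same arithmetic also explains the side effect reported above: a length rule matches every 43-byte UDP packet from every source, so any legitimate traffic with a 15-byte payload (such as whatever the master server exchanges with the game server) is dropped along with the flood. Length is a weak discriminator on its own; the per-source rate limiting discussed further down does not have that problem.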
 
Old 02-22-2011, 08:56 AM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Try something like this (assumes the interface is eth0, if not change it):

Code:
iptables -I INPUT -p udp --dport 20200:20400 -i eth0 -m state --state NEW -m recent \
  --set

iptables -I INPUT -p udp --dport 20200:20400 -i eth0 -m state --state NEW -m recent \
  --update --seconds 60 --hitcount 10 -j DROP
That will limit any IP to 10 connections per minute. Beyond that, they will be blocked temporarily until they fall below the limit. You will need to experiment to find what values work. It will stop a connection flood.
 
Old 02-23-2011, 01:31 AM   #7
AsadMoeen
Member
 
Registered: Jun 2010
Posts: 160

Original Poster
Rep: Reputation: 3
That looks good. I'll surely try that and respond.

The -i eth0 is optional, right?
 
Old 02-23-2011, 01:52 AM   #8
AsadMoeen
Member
 
Registered: Jun 2010
Posts: 160

Original Poster
Rep: Reputation: 3
Ok I tried it but it didn't work.

eth0 is my 1st IP.
eth0:0 is my 2nd IP.

Code:
iptables -I INPUT -p udp --dport 20100:20500 -i eth0 -m state --state NEW -m recent \
  --update --seconds 30 --hitcount 10 -j DROP
I saw with tshark and tcpdump that the IP makes about 5 connections per second, and the command I entered is well beyond that, so it should cover it easily, but it doesn't look like it's being blocked, because with this command my IP makes 1 mb/s to the DoSer's IP in response to his incoming 50kb/s. Outgoing only drops to 0kb/s when the IP is banned.
 
Old 02-23-2011, 03:39 AM   #9
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Yes, the interface parameter is optional and if you leave it off, it will apply the rule to all interfaces, which is probably what you want.

To clarify, as your last post wasn't clear in this regard, you need to use BOTH iptables rules that I posted together, as they work in tandem. Using only one of them won't work. The first rule triggers the rule set on the establishment of a connection, and the second one uses this information to rate limit.

Here is a slight variant on the above, modified for your application. Note, that in your initial code, you had traffic on ports below 20100 so I am not sure why you picked that as the lower range. I KNOW from experience that these lines work as I have used them on port 80 and locked myself out when viewing pages with Base (the snort viewer).

Code:
-A INPUT -p udp -m udp --dport 20100:20500 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 --name DEFAULT --rsource -j DROP
-A INPUT -p udp -m udp --dport 20100:20500 -m state --state NEW -m recent --set --name DEFAULT --rsource
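Editor's note with an added worked example (not from the thread): the explanation above, that the two rules only work as a pair, can be checked by modelling what the `recent` match does. `--set` records a timestamp for the source address; `--update --seconds 30 --hitcount 10` matches only when that address already has ten timestamps from the last 30 seconds, and on a match it records the current time as well, which is what keeps a sustained flood blocked. The simulation below walks constructed traffic through the rules in the order they sit in the chain, once with both rules and once with only the `--update` rule, as in post #8. Traffic timings and addresses are constructed; the class and function names are this example's own.

```python
from collections import defaultdict, deque


class RecentTable:
    """Simplified model of one xt_recent table, keyed by source address
    (`--name DEFAULT --rsource`). Each entry keeps a ring of the most recent
    timestamps, like the kernel's ip_pkt_list_tot default of 20."""

    def __init__(self, list_tot=20):
        self.list_tot = list_tot
        self.entries = {}

    def set(self, src, now):
        # --set: create the entry if it is missing and record this packet's time.
        stamps = self.entries.setdefault(src, deque(maxlen=self.list_tot))
        stamps.append(now)

    def update(self, src, now, seconds, hitcount):
        # --update --seconds S --hitcount H: match only when the source already
        # has at least H stamps from the last S seconds. On a match the current
        # time is recorded too, so a source that keeps sending stays blocked.
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        matched = hits >= hitcount
        if matched:
            stamps.append(now)
        return matched


def run_ruleset(packets, seconds=30, hitcount=10, with_set_rule=True):
    """Walk (time, src) packets through the two rules in the order they sit in
    the INPUT chain: first `--update ... -j DROP`, then `--set` (no target, so
    the packet continues to the chain policy). Returns one verdict per packet."""
    table = RecentTable()
    verdicts = []
    for now, src in packets:
        if table.update(src, now, seconds, hitcount):
            verdicts.append("DROP")
            continue
        if with_set_rule:
            table.set(src, now)
        verdicts.append("PASS")
    return verdicts


def tally(packets, **kwargs):
    """Count PASS/DROP verdicts per source address."""
    counts = defaultdict(lambda: {"PASS": 0, "DROP": 0})
    for (_, src), verdict in zip(packets, run_ruleset(packets, **kwargs)):
        counts[src][verdict] += 1
    return dict(counts)


def constructed_traffic():
    # Constructed sample, not the thread's capture: one source sending five
    # packets a second for six seconds (about the rate reported in post #8)
    # and one legitimate client sending a packet every ten seconds.
    flood = [(i * 0.2, "203.0.113.10") for i in range(30)]
    player = [(t, "192.0.2.7") for t in (0.5, 10.5, 20.5, 30.5)]
    return sorted(flood + player)


if __name__ == "__main__":
    print("both rules:      ", tally(constructed_traffic()))
    print("update rule only:", tally(constructed_traffic(), with_set_rule=False))
```

With both rules the flooding source gets its first ten packets through and every later one dropped, while the slow client is never touched; with only the `--update` rule nothing is ever dropped, because no entry is ever created for `--update` to count. Two simplifications to keep in mind: the model treats every packet as `--state NEW`, whereas conntrack flags only the first packet of a UDP source/destination address-and-port tuple as NEW until that flow times out, so repeated packets on an identical tuple are not counted; and `--hitcount` cannot exceed the table's timestamp ring size (20 by default), which bounds how high the threshold can be set.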
 
Old 02-23-2011, 03:53 AM   #10
AsadMoeen
Member
 
Registered: Jun 2010
Posts: 160

Original Poster
Rep: Reputation: 3
That worked as a charm.

I'm very happy bro. Thanks a lot. Don't have words.
 
Old 02-23-2011, 04:25 AM   #11
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
I am glad that it worked. You will want to watch your legitimate traffic for a while to make sure that you aren't having any side effects. Filtering techniques can be highly effective, but oftentimes need to be tweaked a bit.
 
Old 06-04-2014, 04:49 AM   #12
obteo
LQ Newbie
 
Registered: Jun 2014
Location: Milan
Distribution: Debian, Ubuntu
Posts: 3

Rep: Reputation: Disabled
Question

Hello guys, I was about to add some kind of DDoS protection to my VPS because of the constant lag caused by some idiot DDoSer. I'm trying to run a SoF2 game server; it uses UDP ports 20100 - 20500. I tried to use what you suggested above, but with no success.

Doing this:

iptables -A INPUT -p udp -m udp --dport 20100:20500 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 --name DEFAULT --rsource -j DROP
iptables -A INPUT -p udp -m udp --dport 20100:20500 -m state --state NEW -m recent --set --name DEFAULT --rsource

I got back this:

iptables: No chain/target/match by that name.

Do you have any other tip, please?

Many thanks in advance.

Last edited by obteo; 06-04-2014 at 05:02 AM.
 
Old 06-04-2014, 07:16 AM   #13
tombelcher7
Member
 
Registered: Feb 2008
Location: Surrey
Distribution: Debian
Posts: 181

Rep: Reputation: 5
From the initial comments it sounds like you've tried the blacklisting approach; it might be easier to whitelist IPs instead, i.e. block everything and allow communications to/from known subnets or host addresses.

This is my 2 cents' worth, 'so to speak'.
 
Old 06-04-2014, 10:19 AM   #14
obteo
LQ Newbie
 
Registered: Jun 2014
Location: Milan
Distribution: Debian, Ubuntu
Posts: 3

Rep: Reputation: Disabled
Quote:
Originally Posted by tombelcher7
From the initial comments it sounds like you've tried the blacklisting approach; it might be easier to whitelist IPs instead, i.e. block everything and allow communications to/from known subnets or host addresses.

This is my 2 cents' worth, 'so to speak'.

If you're a wizard who knows every single IP connecting to a game server, what you wrote makes sense. Otherwise it may be considered spam, just to confuse whoever can help me or others, or just to have +1 post.

That said, I tried this:

iptables -A INPUT -p udp --dport 20100:20500 -m limit --limit 1/s --limit-burst 2 -j DROP

What's wrong, please, and what can be improved to "block" a DDoS attack against an IP which looks like this: XXX.XXX.XXX.XXX:20100 (UDP connection)?

Many thanks.
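Editor's note with an added worked example (not from the thread): the rule in the post above has the `limit` match the wrong way round. `-m limit` is a token bucket that matches while traffic is *within* the configured rate (one packet per second here, with a burst of two), so `-m limit ... -j DROP` drops a trickle and lets everything above the rate fall through to the chain policy. The usual pairing is `-m limit ... -j ACCEPT` followed by an unconditional DROP for the same ports. The simulation below models xt_limit's bucket and compares the two arrangements on a constructed four-packets-a-second flood; the class and function names are this example's own.

```python
class TokenBucket:
    """Model of the xt_limit match (`-m limit --limit RATE --limit-burst BURST`).

    The bucket holds at most `burst` tokens and refills at `rate` tokens per
    second. The match succeeds, spending one token, only while a token is
    available: it matches traffic that is within the limit, not above it."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.last = 0.0

    def matches(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def apply_posted_rule(times, rate=1.0, burst=2):
    """`-m limit --limit 1/s --limit-burst 2 -j DROP` as posted: the packets the
    match catches are dropped, and everything above the rate falls through to
    the chain policy (ACCEPT on a default INPUT chain)."""
    bucket = TokenBucket(rate, burst)
    return ["DROP" if bucket.matches(t) else "ACCEPT" for t in times]


def apply_conventional_rules(times, rate=1.0, burst=2):
    """The usual pairing: `-m limit --limit 1/s --limit-burst 2 -j ACCEPT`
    followed by an unconditional `-p udp --dport 20100:20500 -j DROP`."""
    bucket = TokenBucket(rate, burst)
    return ["ACCEPT" if bucket.matches(t) else "DROP" for t in times]


def count(verdicts):
    return {v: verdicts.count(v) for v in ("ACCEPT", "DROP")}


def constructed_flood(pps=4, seconds=10):
    # Constructed arrival times: `pps` packets a second for `seconds` seconds.
    # Quarter-second spacing keeps the token arithmetic exact in floating point.
    return [i / pps for i in range(pps * seconds)]


if __name__ == "__main__":
    times = constructed_flood()
    print("rule as posted:   ", count(apply_posted_rule(times)))
    print("ACCEPT then DROP: ", count(apply_conventional_rules(times)))
```

On the 40-packet flood the posted rule drops 11 packets and passes 29; the conventional pairing does the reverse. Two further points for anyone tuning this on a game server: `-m limit` keeps a single bucket per rule rather than one per client, so a flood also consumes the tokens legitimate players need, which is why the per-source `-m recent` rules earlier in the thread (or `-m hashlimit` with `--hashlimit-mode srcip`) are the better fit here; and the "No chain/target/match by that name" error in post #12 means iptables could not load a match extension the rule uses (`recent` or `state` in that case), which on a VPS depends on what the host kernel provides.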
 
  

