I have blocked an attacker IP that was sending me lots of UDP packets.
iptables -I INPUT 1 -s IP_OF_ATTACKER -j DROP
This rule was working all fine.
iptables -nvL --line-numbers
22G traffic was blocked for 2-3 days:
num pkts bytes target prot opt in out source destination
1 3203K 22G DROP all -- * * ATTACKER_IP 0.0.0.0/0
However, from last 2-3 days, this rule isn't working anymore. Attacker is sending UDP packets and iptables are not blocking them.
num pkts bytes target prot opt in out source destination
1 707K 3553M DROP all -- * * ATTACKER_IP 0.0.0.0/0
What could be the reason?
PS: Please do not suggest about contacting hosting provider if they were any help I wouldn't be here
Edit
I used wireshark/tcpdump to analyze/capture packets. It shows all packets are UDP. I use iptables command (as mentioned above) to see how much data iptables rule has blocked. Above is the output of iptables blocked data. When iptable was blocking all the data, our server was working all fine.
**IP Table rules**
# Generated by iptables-save v1.4.21 on Mon Jun 15 23:26:40 2015
*raw
:PREROUTING ACCEPT [8393:667810]
:OUTPUT ACCEPT [7043:795032]
COMMIT
# Completed on Mon Jun 15 23:26:40 2015
# Generated by iptables-save v1.4.21 on Mon Jun 15 23:26:40 2015
*nat
:PREROUTING ACCEPT [2517:112725]
:INPUT ACCEPT [2517:112725]
:OUTPUT ACCEPT [1018:179752]
:POSTROUTING ACCEPT [1018:179752]
COMMIT
# Completed on Mon Jun 15 23:26:40 2015
# Generated by iptables-save v1.4.21 on Mon Jun 15 23:26:40 2015
*mangle
:PREROUTING ACCEPT [8393:667810]
:INPUT ACCEPT [8393:667810]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7043:795032]
:POSTROUTING ACCEPT [7043:795032]
COMMIT
# Completed on Mon Jun 15 23:26:40 2015
# Generated by iptables-save v1.4.21 on Mon Jun 15 23:26:40 2015
*filter
:INPUT ACCEPT [23:1500]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18:2068]
:fail2ban-ssh - [0:0]
-A INPUT -s xx.xxx.xx.xx/32 -j DROP
COMMIT
# Completed on Mon Jun 15 23:26:40 2015