LinuxQuestions.org
Old 08-05-2012, 09:11 PM   #1
farenheitcx
IPTABLES to block sync flood over udp port


I'm the victim of a sync flood attack over a UDP port, coming from a lot of different IPs. The machine, a dedicated server, is an HLDS game server, and the attacker overloads the UDP ports. This causes big trouble in-game, with packet loss and high ping for every user in the game.

The server runs Linux with iptables activated and, for now, with some rules to stop this attack, but unluckily for me nothing happened.

TCPDUMP LOG (not all)
Quote:
22:04:48.662622 IP pool-96-238-164-34.rcmdva.east.verizon.net.http > MyIP.27018: UDP, length 5
22:04:48.662627 IP pool-96-238-164-34.rcmdva.east.verizon.net.http > MyIP.27018: UDP, length 5
22:04:48.662630 IP pool-96-238-164-34.rcmdva.east.verizon.net.http > MyIP.27018: UDP, length 5
22:04:48.662639 IP pool-96-238-164-34.rcmdva.east.verizon.net.http > MyIP.27018: UDP, length 5
22:04:48.662647 IP pool-96-238-164-34.rcmdva.east.verizon.net.http > MyIP.27018: UDP, length 5
22:04:48.662650 IP pool-96-238-164-34.rcmdva.east.verizon.net.http > MyIP.27018: UDP, length 5
22:04:48.662659 IP pool-96-238-164-34.rcmdva.east.verizon.net.http > MyIP.27018: UDP, length 5

22:04:50.740788 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740795 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740802 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740808 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740815 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740821 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740828 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740835 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740842 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740848 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740855 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740862 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740868 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5

IPTABLES
Quote:
iptables -A INPUT -p udp -m length --length 5 -j DROP
iptables -A INPUT -p udp -m multiport --dport 20000:60000 -m state --state NEW -m recent --set --name HLDSFLOOD
iptables -A INPUT -p udp -m multiport --dport 20000:60000 -m state --state NEW -m recent --update --seconds 1 --hitcount 10 --name HLDSFLOOD -j DROP
Thanks in advance. Let me know if you need more info to solve this kind of attack.
 
Old 08-06-2012, 06:59 AM   #2
kbp
That rule sounds a little cpu intensive... maybe increase --seconds to 60, also make sure your HLDS is up to date.
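To see how a window and hit count such as the `--seconds 1 --hitcount 10` in the rules above, or the `--seconds 60` suggested in the reply, would treat captured traffic before loading them, the following added example (not code from either poster) parses tcpdump lines of the shape quoted in the thread and counts, per source, the packets that arrive once the hit count is reached inside the window. The function names and the sample hosts are assumptions, and the sliding window only approximates what the `recent` match does.

```python
import re
from collections import defaultdict, deque

# Line shape quoted in the thread:
#   HH:MM:SS.uuuuuu IP <src>.<sport> > <dst>.<dport>: UDP, length <n>
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+)\.([^.\s]+) > "
                  r"(\S+)\.(\d+): UDP, length (\d+)$")

def parse(line):
    """Return (time_us, src, dport, payload_len), or None for other lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    h, mi, s, us, src, _sport, _dst, dport, length = m.groups()
    t = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000 + int(us)
    return t, src, int(dport), int(length)

def over_limit(lines, seconds, hitcount):
    """Per source: packets seen, payload lengths, and how many packets arrived
    when `hitcount` packets (this one included) lay within `seconds`.
    Assumes the capture is in time order and does not cross midnight."""
    window = defaultdict(deque)   # src -> timestamps still inside the window
    stats = defaultdict(lambda: {"seen": 0, "over": 0, "lengths": set()})
    for t, src, _dport, length in filter(None, map(parse, lines)):
        w = window[src]
        w.append(t)
        while t - w[0] > seconds * 1_000_000:
            w.popleft()
        st = stats[src]
        st["seen"] += 1
        st["lengths"].add(length)
        if len(w) >= hitcount:
            st["over"] += 1
    return dict(stats)

# Constructed sample with placeholder hosts: a 13-packet burst, and a sender
# that sends one packet every 5 seconds.
SAMPLE = [f"22:04:50.{740000 + 7 * i:06d} IP flood.example.net.25565 > "
          "MyIP.27015: UDP, length 5" for i in range(13)]
SAMPLE += [f"22:05:{5 * i:02d}.000000 IP slow.example.net.27005 > "
           "MyIP.27015: UDP, length 25" for i in range(12)]

if __name__ == "__main__":
    for seconds in (1, 60):       # window from the rules, then from the reply
        for src, st in over_limit(SAMPLE, seconds, 10).items():
            print(seconds, src, st["seen"], st["over"], sorted(st["lengths"]))
```

On the constructed sample, the 1-second window flags only the burst, while the 60-second window also flags the sender that transmits every 5 seconds, so a wider window needs checking against legitimate player traffic first.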
 
  

