UDP Flood Gameserver

Newlife · 08-25-2017, 12:45 PM

Hello everyone,

my server is getting an udp syn flood, I tried several things on the Internet for about 3 hours now and nothing did really work.

First I tried to limit the incoming connections per IP with :

Code:

iptables -I INPUT -p udp --dport 6666 -i eth0 -m state --state NEW -m recent --set --name flood --rsource
iptables -I INPUT -p udp --dport 6666 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name flood --rsource -j DROP

But It didn't really help at all AFAIK. I also tried to cut it down to the packet length but that also did not help. Since I'm not familiar with the iptables ratelimit settings, I hope someone could lead me in the right direction.

Best Regards

lazydog · 08-25-2017, 04:28 PM

First question is are you sure that these are the ports being used for the UDP flood? UDP can come over any port and there is no such thing as SYNC in UDP.

Fire up wireshark and do a capture to see what UDP port is being hammered.

Newlife · 08-25-2017, 07:56 PM

Hi,

yes it's this port because I can see the connects in my gameserver logs, I already made a capture of it and it's always a specific length of 60 from spoofed random IP's

lazydog · 08-26-2017, 02:07 AM

Here is what I would use but the problem with UDP is you might also drop legitimate traffic too.

Code:

iptables -N udp-flood
iptables -A INPUT -p udp -j udp-flood
iptables -A udp-flood -p udp -m limit --limit 50/s -j RETURN
iptables -A udp-flood -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
iptables -A udp-flood -j DROP

If you don't want to log them remove the LOG rule.