
One of my servers is being flooded with UDP packets on random ports.

12:11:54.190442 IP 182.48.38.227.60173 > localhost.51523: UDP, length 1
12:11:54.190447 IP 182.48.38.227.60173 > localhost.23769: UDP, length 1
12:11:54.190560 IP 182.48.38.227.60173 > localhost.4655: UDP, length 1
12:11:54.190564 IP 182.48.38.227.60173 > localhost.13002: UDP, length 1
12:11:54.190685 IP 182.48.38.227.60173 > localhost.52670: UDP, length 1
12:11:54.190690 IP 182.48.38.227.60173 > localhost.21266: UDP, length 1
12:11:54.190696 IP 182.48.38.227.60173 > localhost.7940: UDP, length 1
12:11:54.190810 IP 182.48.38.227.60173 > localhost.35950: UDP, length 1
12:11:54.190818 IP 182.48.38.227.60173 > localhost.62370: UDP, length 1
12:11:54.190828 IP 182.48.38.227.60173 > localhost.28225: UDP, length 1
12:11:54.190935 IP 182.48.38.227.60173 > localhost.56093: UDP, length 1
12:11:54.190939 IP 182.48.38.227.60173 > localhost.54250: UDP, length 1
12:11:54.190941 IP 182.48.38.227.60173 > localhost.15275: UDP, length 1
12:11:54.190948 IP 182.48.38.227.60173 > localhost.28750: UDP, length 1

I've got a lot of these. I know that if the system gets a UDP packet, it will check whether any application wants to handle it; if not, it will send a packet back. To prevent this I turned blackholing for UDP on.

net.inet.udp.blackhole=1

I must add that I block every attacker with my pf (packet filter) and it seems to help, but he seems to have access to some botnet and changes source IP addresses like I change my socks, OR he is just spoofing the source IP of the packets.

Anyway, the attacker is still able to flood my server and I don't know how to defend against it.

I'd appreciate any help.

Graph showing incoming packets (you can see when the attack begins)

PS. I can't afford a hardware firewall ;)

Tom O'Connor
Balon
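The tcpdump lines above already carry the signature of this traffic: one source address and one source port, a different destination port on every packet, and a one-byte payload. The following script, an added example that is not part of the original question, parses lines in that exact tcpdump format and flags sources that fit the pattern within a single second. The 14 sample lines are the ones from the question; the two lines from 192.0.2.53 are constructed benign DNS answers (documentation address, not a real resolver), and the thresholds are assumptions chosen for the example, not values from the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One line of tcpdump's default UDP output, as shown in the question above:
# "12:11:54.190442 IP 182.48.38.227.60173 > localhost.51523: UDP, length 1"
LINE_RE = re.compile(
    r"^(?P<second>\d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)$"
)


@dataclass
class SourceStats:
    """Per-(source address, wall-clock second) counters."""
    packets: int = 0
    payload_bytes: int = 0
    src_ports: set = field(default_factory=set)
    dst_ports: set = field(default_factory=set)

    @property
    def avg_length(self) -> float:
        return self.payload_bytes / self.packets if self.packets else 0.0

    @property
    def port_spread(self) -> float:
        """Fraction of packets that hit a distinct destination port."""
        return len(self.dst_ports) / self.packets if self.packets else 0.0


def summarize(lines):
    """Group tcpdump UDP lines by (source address, second); other lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[(m["src"], m["second"])]
        s.packets += 1
        s.payload_bytes += int(m["length"])
        s.src_ports.add(int(m["sport"]))
        s.dst_ports.add(int(m["dport"]))
    return stats


def flag_floods(lines, min_packets=10, min_port_spread=0.8, max_avg_length=8):
    """Sources that, within one second, sent many tiny UDP packets to mostly
    distinct destination ports. Thresholds are assumptions for this example."""
    flagged = []
    for (src, second), s in summarize(lines).items():
        if (s.packets >= min_packets
                and s.port_spread >= min_port_spread
                and s.avg_length <= max_avg_length):
            flagged.append((src, second, s))
    return flagged


# Constructed sample: the 14 lines from the question plus two benign DNS answers.
SAMPLE = """\
12:11:54.190442 IP 182.48.38.227.60173 > localhost.51523: UDP, length 1
12:11:54.190447 IP 182.48.38.227.60173 > localhost.23769: UDP, length 1
12:11:54.190560 IP 182.48.38.227.60173 > localhost.4655: UDP, length 1
12:11:54.190564 IP 182.48.38.227.60173 > localhost.13002: UDP, length 1
12:11:54.190685 IP 182.48.38.227.60173 > localhost.52670: UDP, length 1
12:11:54.190690 IP 182.48.38.227.60173 > localhost.21266: UDP, length 1
12:11:54.190696 IP 182.48.38.227.60173 > localhost.7940: UDP, length 1
12:11:54.190810 IP 182.48.38.227.60173 > localhost.35950: UDP, length 1
12:11:54.190818 IP 182.48.38.227.60173 > localhost.62370: UDP, length 1
12:11:54.190828 IP 182.48.38.227.60173 > localhost.28225: UDP, length 1
12:11:54.190935 IP 182.48.38.227.60173 > localhost.56093: UDP, length 1
12:11:54.190939 IP 182.48.38.227.60173 > localhost.54250: UDP, length 1
12:11:54.190941 IP 182.48.38.227.60173 > localhost.15275: UDP, length 1
12:11:54.190948 IP 182.48.38.227.60173 > localhost.28750: UDP, length 1
12:11:54.201000 IP 192.0.2.53.53 > localhost.40123: UDP, length 83
12:11:55.301000 IP 192.0.2.53.53 > localhost.40124: UDP, length 97
""".splitlines()

if __name__ == "__main__":
    for src, second, s in flag_floods(SAMPLE):
        print(f"{second} {src}: {s.packets} pkts to {len(s.dst_ports)} ports, "
              f"avg payload {s.avg_length:.1f} bytes")
```

A flagged address is a candidate for a pf table entry, nothing more: as the answer below notes, the source may be forged, so blocking it protects you from that address only for as long as the attacker keeps using it, and may itself be hitting an innocent host.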

1 Answer


The crucial data is this here:

length 1

meaning that someone probably is trying to keep its upstream load low to provoke larger answer packets from your host. The IP source address (182.48.38.227) is probably forged and thus itself an attack victim.

If you are experiencing network congestion due to the UDP load, your only chance of mitigating the impact is to ask your upstream provider to set up a filter rule to stop these UDP packets from being forwarded to your network.

the-wabbit
  • The problem is not with the network (it seems so to me, but I may be wrong), but with the system itself. When the attack starts, most services become unstable/unavailable, especially the MySQL server, which becomes unavailable to other services. And it seems strange to me, as MySQL is not even accessible from outside the server. – Balon May 22 '11 at 11:18
  • Do you have high system load due to the UDP attack? Consider using an iptables rule in the INPUT chain to simply statelessly drop all incoming UDP traffic except for what you need to have (DNS from your resolver would be a likely candidate, maybe DHCP as well - if your system's address is dynamically configured). – the-wabbit May 22 '11 at 11:46
  • there's no iptables in FreeBSD; it ain't Linux. The basic idea is good though; there's no reason random UDP packets are making it through PF, if you don't specifically want it the last rule of your firewall (PF) should be `deny from any to any`. – Chris S May 22 '11 at 13:35
  • Oh, sorry, missed the "freebsd" tag, although "net.inet.udp.blackhole" and the mentioning of "pf" should have been suspicious enough. – the-wabbit May 22 '11 at 14:46
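The default-deny ruleset the comments point at, written for FreeBSD's pf as an added example that is not from the thread. The interface name em0, the resolver address 192.0.2.53 and the list of served TCP ports are assumptions to be replaced with your own. The point is that unsolicited inbound UDP is dropped by the filter before it reaches the socket layer, so no port-unreachable reply is generated whether or not net.inet.udp.blackhole is set; only replies to queries this host itself sent are admitted, through the state table.

```pf
# /etc/pf.conf (FreeBSD) - illustrative ruleset, not the original poster's.
ext_if   = "em0"             # assumption: external interface
resolver = "{ 192.0.2.53 }"  # assumption: the recursive resolver(s) this host uses

set block-policy drop        # silently drop, never answer with RST/unreachable
set skip on lo0

# Default: drop everything that no later rule explicitly passes.
block drop all

# This host's own outbound traffic. The state entry created here is what lets
# the resolver's UDP answer back in; there is no open inbound UDP rule at all.
pass out quick on $ext_if proto { tcp udp icmp } from ($ext_if) to any keep state
pass out quick on $ext_if proto udp from ($ext_if) to $resolver port 53 keep state

# Services actually offered by this host (assumed: ssh and a web server).
pass in on $ext_if proto tcp from any to ($ext_if) port { 22 80 443 } flags S/SA keep state

# Deliberately absent: any 'pass in ... proto udp' rule. Random-port UDP such as
# the flood in the question therefore never reaches a socket lookup.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch `pfctl -s info` for the drop counters climbing while the flood runs. Two caveats a practitioner should keep in mind: the kernel still has to receive and classify every packet, so a flood that is large enough to saturate the link or the interrupt path will hurt even with a perfect ruleset, which is exactly why the answer says the upstream provider has to filter it; and FreeBSD already rate-limits ICMP unreachables via net.inet.icmp.icmplim (200 per second by default), so the blackhole sysctl mainly saves the CPU spent composing replies rather than preventing amplification on its own.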