2

The packets are margin of 200,000 ~ 800,000 per second and UDP spoofed(0 bytes/46bytes)

I have a linux deb 6 and windows server 2003 that is taking a hit.

Current idea: - Setup a proxy server up front to filter out the attack. Would HAProxy work? Do I need a BSD box with PF? What do I need to look for to filter? I need the port being hit but there must be a way to filter and block bad packets?

Tiffany Walker
  • 6,681
  • 14
  • 56
  • 82

1 Answers1

2

As you are stating that you "need the port", I assume that you are offering some kind of public service on the DoS-attacked UDP port. Using HAProxy would not help you as HAProxy

  1. does not support the UDP transport
  2. even if it did, it would not give you the means to differentiate "bad" packets from "good" ones - i.e. would not act as a filter

The available options depend on the characteristics of the "bad" packets.

If you could identify them out based on the header information (IP source/destination address, UDP source/destination port), your best bet would be to ask your ISP to filter packets matching the appropriate criteria.

If you need content inspection or state matching, the ISP probably is not going to be able to help (although it would not hurt to ask) but would need to set up an own packet filtering router able to filter by the defined criteria. pf/BSD as well as netfilter/Linux would likely be able to do the job.

the-wabbit
  • 40,737
  • 13
  • 111
  • 174