
I am under a UDP flood attack. I used the following protections to solve it:

iptables IP ban:

iptables -I INPUT -s 37.187.231.xxx -j DROP

Tried another iptables syntax:

/sbin/iptables -I INPUT -i eth0 -s 37.187.231.xxx -j DROP

Tried to limit the UDP packets:

# A `--update` rule only matches addresses that are already in the recent list, so a `--set` rule has to add them first
iptables -A INPUT -p udp -m state --state NEW -m recent --set --name UDP --rsource
iptables -A INPUT -p udp -m udp --dport 0:65535 -m state --state NEW -m recent --update --seconds 1 --hitcount 10 --name UDP --rsource -j DROP

Completely disabled UDP packets:

iptables -A INPUT -p udp -j DROP

All the ports are closed. Below is the output of `netstat -an | grep "udp"`:

udp        0      0 127.0.0.1:53            0.0.0.0:*
udp6       0      0 ::1:53                  :::*

I have the following software installed:

Ubuntu 14.04
UFW Firewall
i7 processor with 16GB RAM

Only port 80 is opened.

I am still being attacked by the UDP flood. The `sudo iftop -n` command shows heavy MBs of input traffic from the IPs I have already blocked using iptables. Maybe iptables did not block the IPs? If so, how can I fix it?

Niky
    What makes you think you're not filtering them? Blocking them with `iptables` doesn't prevent them from coming down your connection, or showing up on `iftop`; it only prevents apps on your system from being fed them to process. If you really are being DOSsed, you will need to work with your upstream provider in order to mitigate the traffic. – MadHatter May 13 '15 at 15:40
  • Good question. I am not an expert but that is my assumption. `sudo iftop -n` shows heavy MBs of traffic from the IPs that I have already banned using iptables. So that person is still sending loads of traffic to my server? Is there a better way to block an IP permanently? – Niky May 13 '15 at 15:44
  • Hi, iptables will be a stressful solution because you must block the attackers' IP addresses one by one, but the attacker can change his IP address as much as he wants. Do you accept another option for a solution? – ravasquezgt May 13 '15 at 15:46
  • I have a Kimsufi server. They do not provide any help or support :( I am on my own. The person who is DoSing my server is openly saying it :) He comes and says "now server is going down ta ta". Then traffic increases and the server becomes unresponsive. – Niky May 13 '15 at 15:46
  • I don't think you're quite getting my point. In all likelihood, **you are blocking the traffic**. But that doesn't stop people from sending it to you; that is not something you can achieve from where you are. You will need to work with your hosting provider to get them to stop passing the traffic to you, if it's overwhelming your connection. – MadHatter May 13 '15 at 15:47
  • @ravasquezgt Thanks for your message. The attacker is only using 10 IPs and I do not mind blocking his new IPs but at least it should work. I am open to any solution as long as I can overcome this problem. – Niky May 13 '15 at 15:48
  • It doesn't help if you block the IPs on your own server, because the traffic floods up the connection between your server and the Internet. You need to contact your hosting provider if they have any options available to filter the traffic in their systems. – Tero Kilkanen May 13 '15 at 16:07
  • @Niky I conclude, like the others, that you must contact your ISP to ask for a DoS solution on the cloud. Why? Because the attacker can increase the traffic to your port 80 whenever he wants. If your ISP is not an option, answer here and we can try with Snort. – ravasquezgt May 13 '15 at 16:12
  • @TeroKilkanen thanks, Tero: I guess I wasn't making that point clearly enough! – MadHatter May 13 '15 at 16:13
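The question asks how to tell whether the iptables rules are blocking anything at all, given that iftop still shows the traffic. The script below is an added example, not code from the question or from any of the commenters: it reads the per-rule packet and byte counters that netfilter keeps for the INPUT chain, which is where dropped traffic is actually recorded (iftop captures on the interface before netfilter runs, so blocked packets still appear there). The `iptables -vnxL INPUT` listing embedded in it is constructed for offline use, with 192.0.2.x documentation addresses standing in for the masked 37.187.231.xxx sources; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original question or answer).
# Checks whether DROP rules in the INPUT chain are matching by reading the
# counters from `iptables -vnxL INPUT`. Live use (as root):
#   iptables -vnxL INPUT | matching_drop_sources
# Nothing here sends or shapes traffic; it only reads existing counters.

# Constructed sample of `iptables -vnxL INPUT` output for offline runs.
# 192.0.2.10 / 192.0.2.11 are documentation addresses, not real attackers.
# Columns: pkts bytes target prot opt in out source destination [options]
SAMPLE_INPUT='Chain INPUT (policy ACCEPT 1024 packets, 98304 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 8123456 11293384192 DROP       all  --  *      *       192.0.2.10           0.0.0.0/0
       0          0 DROP       all  --  eth0   *       192.0.2.11           0.0.0.0/0
  455321  653200448 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0
      12       1500 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

# drop_counters: "source bytes pkts" for every DROP rule in the listing on stdin.
# Header lines are skipped because their third field is not "DROP".
drop_counters() {
    awk '$3 == "DROP" { printf "%s %s %s\n", $8, $2, $1 }'
}

# matching_drop_sources: DROP rules whose packet counter is non-zero, i.e. rules
# that are provably discarding traffic even though iftop still shows it.
matching_drop_sources() {
    awk '$3 == "DROP" && $1 > 0 { print $8 }'
}

# idle_drop_sources: DROP rules that have never matched. A zero counter on a rule
# you expected to fire usually means a typo in the address, a wrong interface
# (-i eth0 on a host whose uplink is named differently) or an earlier ACCEPT.
idle_drop_sources() {
    awk '$3 == "DROP" && $1 == 0 { print $8 }'
}

# dropped_share DROPPED_BYTES RX_BYTES: integer percentage of the bytes that
# crossed the link (e.g. the RX counter from /proc/net/dev) that netfilter then
# discarded. A value near 100 means the rules work, and also that the flood
# still consumed the link capacity before being dropped.
dropped_share() {
    awk -v d="$1" -v r="$2" 'BEGIN { if (r == 0) print 0; else printf "%d\n", d * 100 / r }'
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_INPUT" | drop_counters
```

On the constructed listing the first and third DROP rules report matches while the `-i eth0` rule has never fired; on a live host, run the listing twice a few seconds apart and compare the counters, since a rule that is matching will show them climbing. The `dropped_share` figure is the quantitative form of the commenters' point: bytes that show up in the DROP counters have already travelled down the server's uplink, which is why dropping them locally cannot relieve a saturated connection.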

1 Answer


As I and others are telling you above, blocking traffic with iptables doesn't prevent it from reaching your server; it only stops your server from processing it. If the sheer volume of traffic is saturating your server's connection, and causing you to lose connectivity to it, you have no choice but to work with your hosting provider, to have them filter out this traffic before it reaches the pipe (virtual or physical) to your server.

If your provider is unwilling or unable to do this, then you've just found a good reason to migrate to a better provider.

MadHatter