
My server is currently under DDOS attack with nearly 500k UDP packets per second.

UDP is blocked in iptables but the processor is still overloaded.

Any way to block UDP on a lower level to not pass the packet through all iptables chains/modules but drop it even before?

Vilial

1 Answer


The earliest possible point of dropping packets is the iptables raw table, as shown in the diagram in https://unix.stackexchange.com/questions/243079/netfilter-iptables-why-not-using-the-raw-table

You can drop packets there in the PREROUTING chain like this:

iptables -t raw -A PREROUTING -p udp -j DROP

However, with this approach you are also dropping DNS responses for the requests initiated by your server, since processing of the raw table occurs before connection tracking takes place.

You can add allowed UDP hosts like this:

iptables -t raw -A PREROUTING -p udp ! -s nnn.nnn.nnn.nnn -j DROP

where nnn.nnn.nnn.nnn is the IP address of the host you want to receive UDP traffic from.

There can also be other consequences when disabling UDP traffic before connection tracking, depending on the server.

Tero Kilkanen
Yeah I know about DNS responses and things like that - not an issue. I tried dropping in the PREROUTING but it was the "nat" table so it gave an error. "raw" seems to work fine though! And looks like the processor is holding now! Thanks man! – Vilial Feb 12 '17 at 11:29
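The answer's `! -s` form only exempts a single host. As an added example (not code from the question or the answer), the script below generalizes it to an allowlist of several UDP peers: one ACCEPT rule per allowed source in the raw PREROUTING chain, followed by the catch-all DROP, so that only allowlisted packets ever reach connection tracking. The addresses used are constructed placeholders from the RFC 5737 documentation ranges; the rules are printed for review rather than applied directly.

```sh
#!/bin/sh
# Added example: build iptables raw-table rules that allow UDP only from an
# allowlist of peers (e.g. your DNS resolvers) and drop all other UDP before
# conntrack runs. ACCEPT in the raw table just ends raw-chain traversal; the
# packet then continues to conntrack and the filter table as usual.

build_raw_udp_rules() {
    # $1: space-separated list of source IPs allowed to send UDP to this host
    for host in $1; do
        printf 'iptables -t raw -A PREROUTING -p udp -s %s -j ACCEPT\n' "$host"
    done
    # Everything else is dropped at the earliest point, before conntrack
    printf 'iptables -t raw -A PREROUTING -p udp -j DROP\n'
}

# Number of rules that would be installed (allowlist size + the final DROP)
count_raw_udp_rules() {
    build_raw_udp_rules "$1" | wc -l | tr -d ' '
}

# Constructed placeholder resolvers; review the output, then apply as root with:
#   build_raw_udp_rules "203.0.113.53 198.51.100.53" | sh
build_raw_udp_rules "203.0.113.53 198.51.100.53"
```

Keep the allowlist short and specific: every ACCEPT here bypasses the raw-table drop, so a broad source range would reopen the path the DROP is meant to close.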