You won't accomplish much even if your iptables statements were correct.

UDP is stateless. This means that I can send arbitrary & large UDP packets to your server. These packets will be DROPped by the kernel if there is no process listening on the destination UDP port. The traffic has still crossed the internet and hit your modem/demarc.
The only thing you will be able to prevent with UDP dropping is the flooding of ports associated with a running service. E.g.: I can craft large DNS packets and send them via UDP to your DNS server's port. The server will presumably ACCEPT those packets and attempt to process them. It is this processing that blocking MIGHT help with.
You are going to have a bad time if you try to block arbitrary UDP packets. DHCP, DNS, RPC, NFS, NTP, etc... A ton of important network protocols run over UDP. These will need to be allowed.
I suggest you take another look at your network. If you are having a problem with UDP flooding, you can look at addressing the exact cause and then possible solutions.
If you are being flooded with large UDP packets that are filling your upstream bandwidth look at getting more bandwidth or DDoS protection.
If some application is misbehaving because of the flood, consider fixing the application, using a better one, or getting crazy with some kind of layer 7 firewall to pre-screen packets.
Finally, if you just think blocking UDP flooding is a good idea because....? ...? It's probably not. It will likely break more than it solves unless you have a specific UDP flood issue.
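An added example (not part of the answer above) of what the targeted alternative looks like, for a host that runs DNS on udp/53 and NTP on udp/123 and gets its address via DHCP: instead of the blanket `-p udp -j DROP`, the rules accept the UDP services the host actually needs, rate-limit inbound DNS queries per source address with the hashlimit match, and only drop what is left. The port list and the 50 queries/second threshold are assumptions chosen for illustration; tune them to your own services. The script defaults to a dry run (`IPT="echo iptables"`), so it prints the rules instead of applying them; run it with `IPT=iptables` as root to apply. Note that Netfilter's connection tracking does keep pseudo-state for UDP flows, which is what lets the ESTABLISHED rule admit replies to the host's own outbound DNS/NTP queries. None of this reduces the bytes that reach your uplink during a flood; it only limits what your services have to process, which is the answer's point.

```shell
#!/bin/sh
# Added example: targeted inbound UDP filtering instead of a blanket UDP DROP.
# Assumed host profile: DNS server on udp/53, NTP on udp/123, DHCP client.
# IPT defaults to a dry run that prints the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# The blanket rule this example is replacing (returned as text for contrast, never applied).
# It silently breaks DNS, NTP, DHCP and every other UDP service the host depends on.
naive_rule() {
    printf '%s\n' "iptables -A INPUT -p udp -j DROP"
}

# Targeted ruleset for the INPUT chain.
targeted_rules() {
    # Replies to queries this host sent (conntrack keeps UDP pseudo-state).
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DHCP: server (sport 67) answering this client (dport 68).
    $IPT -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT

    # DNS: per-source rate limit first. Any single source sending more than
    # 50 queries/second (burst 100) is dropped before the resolver sees it.
    # Threshold is an assumed value for illustration.
    $IPT -A INPUT -p udp --dport 53 -m hashlimit \
        --hashlimit-name dnsq --hashlimit-mode srcip \
        --hashlimit-above 50/second --hashlimit-burst 100 -j DROP
    $IPT -A INPUT -p udp --dport 53 -j ACCEPT

    # NTP service port.
    $IPT -A INPUT -p udp --dport 123 -j ACCEPT

    # Everything else over UDP is dropped; the kernel would reject it anyway
    # if nothing listens, and the bandwidth was spent before this rule ran.
    $IPT -A INPUT -p udp -j DROP
}

# Number of rules the targeted set installs (handy for a quick sanity check).
targeted_rule_count() {
    IPT="echo iptables" targeted_rules | wc -l | tr -d ' '
}

targeted_rules
```

Run it as `sh udp-rules.sh` to review the generated commands, then `IPT=iptables sh udp-rules.sh` to install them. Order matters: the hashlimit DROP must sit before the unconditional ACCEPT for port 53, otherwise the rate limit is never consulted.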