
What are good programming practices in regards to blocking DoS attacks on a UDP client/server? The only thing that comes to mind at the moment is ignoring packets with the wrong sources, as such (using WinSock2):

if (oSourceAddr.sa_family == AF_INET) {
    // sa_data holds the raw port and address bytes, not a dotted-quad string,
    // so view the generic sockaddr as a sockaddr_in instead of passing it to inet_addr()
    const sockaddr_in* pSource = reinterpret_cast<const sockaddr_in*>(&oSourceAddr);

    if (pSource->sin_addr.S_un.S_addr == oCorrectDestAddr.sin_addr.S_un.S_addr) {
        // a datagram is not NUL-terminated: use the byte count recvfrom() returned
        // (nReceived is assumed to hold that count)
        queueBuffer.push(std::string(aBuffer, nReceived));
    }
}

Attacks that are fast enough might cause this to block in a loop - especially if the packet size is small. Is there a way I can prevent packets from arriving from a certain source, or any source besides the correct one? What other things should I look out for? An explanation in code form would be especially helpful if the solutions are already built into the API.

NmdMystery

1 Answer


Is there a way I can prevent packets from arriving from a certain source, or any source besides the correct one?

Yes. Just connect() the socket to that correct source. Then UDP will filter out all datagrams from other addresses. See man 2 connect, the paragraph about SOCK_DGRAM sockets.

user207421
  • @downvoter Please explain. Possibly you need to read *man 2 connect* to acquaint yourself with the less familiar aspects of the BSD sockets API. – user207421 Oct 30 '13 at 06:23
  • I just want to put it on the record that I'm not the one downvoting, don't know who that is. – NmdMystery Oct 30 '13 at 06:33
  • Anyway I thought connect was only TCP? That function seems to be absent from every UDP tutorial I've looked at, but I'll give it a go. It's late right now, though, I'll come back to this tomorrow. – NmdMystery Oct 30 '13 at 06:34
  • So from what I gather, bind is used to set the address of the host machine running the program to the socket (i.e. "127.0.0.1" and the chosen port), and connect is used to set the machine receiving the datagrams? – NmdMystery Oct 30 '13 at 21:44
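The connect()-on-a-datagram-socket filtering that the answer describes, as an added example that is not part of the original question or answer. It uses POSIX sockets on the loopback interface (the WinSock2 equivalent is the same connect() call on a SOCK_DGRAM socket, with closesocket() in place of close()). The three sockets, the ports the kernel assigns, the 200 ms receive timeout and the "FLOOD" / "hello" datagrams are all constructed for the demo:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/time.h>

/* Create a UDP socket bound to 127.0.0.1 on a kernel-chosen port; the
   resulting address is written to *out so peers can send to it. */
static int bind_loopback(struct sockaddr_in *out) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = 0;                      /* 0 = let the kernel pick a free port */
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0) { close(fd); return -1; }
    socklen_t len = sizeof *out;
    if (getsockname(fd, (struct sockaddr *)out, &len) < 0) { close(fd); return -1; }
    return fd;
}

/* Receive one datagram, waiting at most 200 ms.
   Returns the byte count, 0 on timeout, -1 on any other error. */
static int recv_with_timeout(int fd, char *buf, size_t cap) {
    struct timeval tv = { 0, 200000 };
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    ssize_t n = recv(fd, buf, cap, 0);
    if (n < 0) return (errno == EAGAIN || errno == EWOULDBLOCK) ? 0 : -1;
    return (int)n;
}

/* Demo: a "server" socket connect()ed to one trusted peer, plus a rogue sender.
   Returns 1 when the server receives the trusted peer's datagram and never sees
   the rogue one, 0 when filtering did not behave as expected, -1 on setup error. */
int connected_udp_filters(void) {
    struct sockaddr_in srv, good, bad;
    int s = bind_loopback(&srv);
    int g = bind_loopback(&good);
    int b = bind_loopback(&bad);
    if (s < 0 || g < 0 || b < 0) return -1;

    /* The key step from the answer: connect() on a SOCK_DGRAM socket sends
       nothing; it records the peer, and the kernel then discards datagrams
       whose source is not that peer before recv() ever sees them. */
    if (connect(s, (struct sockaddr *)&good, sizeof good) < 0) return -1;

    const char rogue[] = "FLOOD";        /* constructed datagram from the wrong source */
    const char legit[] = "hello";        /* constructed datagram from the trusted peer */
    sendto(b, rogue, sizeof rogue, 0, (struct sockaddr *)&srv, sizeof srv);
    sendto(g, legit, sizeof legit, 0, (struct sockaddr *)&srv, sizeof srv);

    char buf[64];
    int n1 = recv_with_timeout(s, buf, sizeof buf);
    int first_is_legit = (n1 == (int)sizeof legit && memcmp(buf, legit, (size_t)n1) == 0);
    int n2 = recv_with_timeout(s, buf, sizeof buf);   /* must time out: rogue was dropped */

    close(s); close(g); close(b);
    return (first_is_legit && n2 == 0) ? 1 : 0;
}

int main(void) {
    int r = connected_udp_filters();
    printf("connected UDP socket filtered the rogue sender: %s\n",
           r == 1 ? "yes" : (r == 0 ? "no" : "setup error"));
    return r == 1 ? 0 : 1;
}
```

The rogue datagram is rejected by the kernel's socket lookup, so the application's read loop never spends a cycle on it; that is the whole benefit. Two caveats a practitioner should keep in mind: the kernel still has to receive and discard every flooded packet, so connect() protects the read loop but not the link or the host's packet processing, and the filter keys on the source address alone, which any sender on the path can forge, so it is not authentication of the peer.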