

Prevent UDP Flood with ConfigServer




Posted by kshazad86, 08-29-2012, 04:35 AM
I recently got a UDP flood on a server: How can I prevent this with ConfigServer Firewall?

Posted by TravisT-[SSS], 08-29-2012, 06:45 AM
Get UDP ports blocked upstream. CSF right now is blocking the UDP flood by the looks of that message.

Posted by kshazad86, 08-29-2012, 06:50 AM
You mean contact the datacenter? And which ports should I get blocked? For the time being I am using more strict settings in CSF for port scan, but it doesn't seem very effective, especially when the UDP connections are like every second. Any ideas if I can rate limit UDP connections with CSF?

Posted by TravisT-[SSS], 08-29-2012, 06:51 AM
UDP floods need to be stopped upstream. They typically just max your pipe out, so rate limiting is really pointless for UDP. So yeah, contact your data center.

Posted by kshazad86, 08-29-2012, 06:53 AM
The only problem with this is that the datacentre don't seem to know how to do this, this is their reply:

Posted by TravisT-[SSS], 08-29-2012, 06:55 AM
Do you have anything that needs UDP on your server? If not they can just block every port.

Posted by kshazad86, 08-29-2012, 06:58 AM
I'm not hugely familiar with knowing the difference between TCP and UDP, there are a handful of ports that are open using CSF that use UDP, but these same ports are also open TCP. How can I find out if anything is running on UDP?

Posted by TravisT-[SSS], 08-29-2012, 07:01 AM
will tell you if you have any service running and listening on UDP.

Posted by kshazad86, 08-29-2012, 07:02 AM
Gives this output:

Posted by kshazad86, 08-29-2012, 09:45 AM
Does anyone know of any automated tools that I can use to prevent UDP floods?

Posted by racknap1, 08-29-2012, 10:49 AM
Hi, Try something like this (assumes the interface is eth0, if not change it):

iptables -I INPUT -p udp --dport 20200:20400 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p udp --dport 20200:20400 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

Posted by web-1, 08-30-2012, 12:53 PM
Is it affecting your server at all? Looks like the firewall is doing its job. Add the IP to your block list even though it's already saying "*UDP_IN Blocked*" which should have given you a clue in the first place. Maybe the block list would make it block a little faster and use less CPU but I am sure by now your datacenter already blocked that IP to help solve your problem.
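
Added example (not written by any participant in this thread): for the question of whether anything actually uses the UDP ports opened in CSF, this script compares the UDP_IN setting in /etc/csf/csf.conf with the listeners reported by ss -lun and prints the entries that have no listener behind them. The sample config and socket list are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: list CSF UDP_IN entries that have no UDP listener behind them.

# Constructed sample inputs (not taken from the thread).
SAMPLE_CONF='TCP_IN = "20,21,22,25,53,80,443"
UDP_IN = "20,21,53,20200:20400"'
SAMPLE_SS='UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
UNCONN 0 0 [::]:53 [::]:*'

# stdin: `ss -lun` output. Prints externally reachable UDP listening ports.
# Loopback-only listeners are skipped: they need no firewall opening.
listening_udp_ports() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i ~ /:[0-9]+$/) {          # first addr:port field = local
                 if ($i !~ /^(127\.|\[::1\])/) { sub(/.*:/, "", $i); print $i }
                 break
             } }' | sort -un
}

# stdin: csf.conf text. Prints UDP_IN entries (port or low:high), one per line.
csf_udp_in() {
    sed -n 's/^UDP_IN *= *"\(.*\)".*/\1/p' | tr ',' '\n' | sed '/^$/d'
}

# $1 = csf.conf text, $2 = `ss -lun` output.
# Prints each UDP_IN entry with no listener in it (candidate to close).
unused_udp_in() {
    ports=$(printf '%s\n' "$2" | listening_udp_ports)
    printf '%s\n' "$1" | csf_udp_in | while IFS= read -r entry; do
        lo=${entry%%:*}; hi=${entry##*:}
        case "$lo$hi" in ''|*[!0-9]*) continue ;; esac   # skip malformed entries
        hit=0
        for p in $ports; do
            if [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ]; then hit=1; break; fi
        done
        [ "$hit" -eq 1 ] || echo "$entry"
    done
}

unused_udp_in "$SAMPLE_CONF" "$SAMPLE_SS"      # sample run

# Live run on a CSF host; skipped where csf.conf or ss is missing.
if [ -r /etc/csf/csf.conf ] && command -v ss >/dev/null 2>&1; then
    unused_udp_in "$(cat /etc/csf/csf.conf)" "$(ss -lun)"
fi
```

Entries it prints can be removed from UDP_IN, or handed to the upstream provider as ports that are safe to block.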


