boeki
12-04-2004, 06:22 AM
One of our servers received UDP floods yesterday. Checking the Logwatch report, we saw that we received more than 53,000 UDP packets in a port-scan profile.
We have APF and it was successful in dropping the packets, but it generated such huge load that none of our connection attempts completed.
How do we stop UDP/TCP port scans?
McRox
12-04-2004, 12:27 PM
Did you check what the source was? How many IPs? What port?
boeki
12-04-2004, 01:00 PM
The attack came from multiple sources, with the largest one generating about 32,000 UDP packets. Ports ranged from 2 to 65533.
We have already emailed the ISPs of the logged IPs.
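The per-source profiling that the Logwatch summary in this thread is reporting (packet counts and the spread of destination ports per source IP) can be reproduced from the firewall's own log lines. The following is an added example, not code from the thread, APF or Logwatch. It assumes the netfilter "kernel:" log format that iptables' LOG target writes (SRC=, PROTO=, DPT= fields), uses constructed sample lines, and chooses its own thresholds: a source is a flood if it exceeds a packet count, and a scanner if it hits more distinct destination ports than a normal client would. The rendered `apf -d HOST COMMENT` lines use APF's deny-host command; the comment text is this example's own convention.

```python
import re
from collections import defaultdict

# Fields we need from a netfilter log line (as written by the iptables LOG
# target APF uses); all other fields are ignored.
_FIELD = re.compile(r"SRC=(?P<src>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src, proto, dport) for a netfilter log line, or None for
    lines that are not firewall records (sshd, cron, ...)."""
    m = _FIELD.search(line)
    if not m:
        return None
    return m.group("src"), m.group("proto").upper(), int(m.group("dpt"))


def profile_sources(lines):
    """Aggregate packet count and the set of (proto, dport) hit per source IP."""
    stats = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, proto, dport = rec
        stats[src]["packets"] += 1
        stats[src]["ports"].add((proto, dport))
    return stats


def flag_sources(lines, max_packets=1000, max_ports=25):
    """Return [(src, packets, distinct_ports, reason)] for sources that look
    like a flood (too many packets) or a port scan (too many distinct ports).
    Thresholds are assumptions for this example; tune them to the host."""
    flagged = []
    for src, s in profile_sources(lines).items():
        nports = len(s["ports"])
        if s["packets"] > max_packets:
            reason = "flood"
        elif nports > max_ports:
            reason = "portscan"
        else:
            continue  # normal client: few packets, few ports
        flagged.append((src, s["packets"], nports, reason))
    return sorted(flagged, key=lambda t: -t[1])


def deny_commands(flagged):
    """Render `apf -d HOST COMMENT` lines for review before anyone runs them."""
    return [f'apf -d {src} "{reason}: {pk} pkts, {np} ports"'
            for src, pk, np, reason in flagged]


def _build_sample():
    """Constructed sample log lines (not from the thread): one scanner
    sweeping ports, one flooder hammering a single port, one DNS client."""
    tmpl = ("Dec  4 05:12:{sec:02d} web1 kernel: IN=eth0 OUT= SRC={src} "
            "DST=198.51.100.10 LEN=28 TTL=53 PROTO={proto} SPT={spt} DPT={dpt} LEN=8")
    lines = []
    for i, dpt in enumerate(range(2, 62)):  # scanner: 60 packets, 60 ports
        lines.append(tmpl.format(sec=i % 60, src="203.0.113.7", proto="UDP",
                                 spt=40000 + i, dpt=dpt))
    for i in range(1200):  # flooder: 1200 packets, 1 port
        lines.append(tmpl.format(sec=i % 60, src="192.0.2.9", proto="UDP",
                                 spt=5000, dpt=33434))
    for i in range(5):  # legitimate-looking DNS client
        lines.append(tmpl.format(sec=i, src="198.51.100.200", proto="UDP",
                                 spt=3000 + i, dpt=53))
    lines.append("Dec  4 05:13:00 web1 sshd[123]: Accepted publickey for admin")
    return lines


SAMPLE_LINES = _build_sample()

if __name__ == "__main__":
    for cmd in deny_commands(flag_sources(SAMPLE_LINES)):
        print(cmd)
```

Keying the "ports" set on (proto, dport) keeps a TCP and a UDP probe of the same port number as two distinct events, which is what a scan profile should count. Feed it `grep kernel: /var/log/messages` (or wherever APF's LOG rules write) instead of the constructed lines to run it on a real host, and review the rendered deny lines before applying them so that a busy but legitimate client is not blocked.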
andreyka
12-04-2004, 01:07 PM
A NIDS can help you. I prefer SnortSam.
Steven
12-05-2004, 01:53 PM
PortSentry can be configured to detect and block UDP floods.
boeki
12-05-2004, 03:04 PM
Thanks for the reply.
We were trying to work on installing Snort, as we already have APF, but we couldn't find any updated installation and configuration instructions for the latest Snort.
The best one we could find was the one posted on the ev1servers forums, but that how-to was last updated 11/2003.
Know of any that works with cPanel?
boeki
12-07-2004, 12:53 AM
Okay, we finally got Snort to install and it's running well. We then activated APF's antidos feature and, presto!, the denied hosts file started filling up with sites from Korea, China, etc. Snort also logged several sites that were triggering the rules.
Next stop: mod_dosevasive.