
Thread: UDP DDoS

  1. #1

    UDP DDoS

    Hi there,

    I'm experiencing a significant UDP DDoS at the moment which is aimed at port 80 on my server. It's currently crippling Apache, but only on port 80; https (443) is fine. I've told iptables to drop UDP packets sent to port 80 and have also completely blocked most of the attacking IPs. This has helped, but the webserver is still periodically unresponsive.

    Does anybody have any suggestions?

    Thanks in advance.

  2. #2
    Join Date
    Apr 2003
    Location
    San Jose, CA.
    Posts
    1,624
    Quote Originally Posted by Orbixx View Post
    I'm experiencing a significant UDP DDoS at the moment which is aimed at port 80 on my server
    I'm a little curious why your webserver listens to UDP traffic.
    Daved @ Lightwave Networking, LLC.
    AS1426 https:/www.lightwave.net
    Primary Bandwidth: EGIHosting (NLayer, NTT, HE, Cogent)
    Xen PV VPS Hosting

  3. #3
    It doesn't. It's just UDP traffic coming in aimed at port 80.

  4. #4
    Join Date
    Apr 2003
    Location
    San Jose, CA.
    Posts
    1,624
    Do you understand why little of what you said makes any sense?

  5. #5
    No, I don't see anything wrong with somebody sending a UDP packet destined for port 80 on my server. Sure Apache isn't listening for UDP packets as http is TCP based only, but the packets I am getting are UDP and they are trying to hit port 80.

    What's so ridiculous about that?

  6. #6
    Join Date
    Mar 2009
    Location
    Israel
    Posts
    1,212
    What kind of firewall are you using? Do you have access to your router?
    Is the attack directed at your main IP address,
    or is it an IP alias?

  7. #7
    Join Date
    Oct 2002
    Location
    Vancouver, B.C.
    Posts
    2,699
    Quote Originally Posted by Orbixx View Post
    Hi there,

    I'm experiencing a significant UDP DDoS at the moment which is aimed at port 80 on my server. It's currently crippling Apache, but only on port 80; https (443) is fine. I've told iptables to drop UDP packets sent to port 80 and have also completely blocked most of the attacking IPs. This has helped, but the webserver is still periodically unresponsive.

    Does anybody have any suggestions?

    Thanks in advance.
    Try requesting an ACL from your provider, so the traffic is blocked before it gets to you.

    It doesn't make much sense why the attack would affect Apache on TCP port 80 and not 443. Are you certain it's not affecting both?
    ASTUTE INTERNET: Advanced, customized, and scalable solutions with AS54527 Premium Performance and Canadian Optimized Network (Level3, Shaw, CogecoPeer1, GTT/Tinet),
    AS63213 Cost Effective High Performance Network (Cogent, HE, GTT/Tinet)
    Dedicated Hosting, Colo, Bandwidth, and Fiber out of Vancouver, Seattle, LA, Toronto, NYC, and Miami

  8. #8
    Quote Originally Posted by hhw View Post
    Try requesting an ACL from your provider, so the traffic is blocked before it gets to you.

    It doesn't make much sense why the attack would affect Apache on TCP port 80 and not 443. Are you certain it's not affecting both?
    At a guess, it might be the relative efficiency of iptables at distinguishing ports versus some other factor. In other words, it may be further down the food chain before it gets dealt with by dropping. In the meantime, it chews up resources until it gets to that rule.
    edgedirector.com
    managed dns global failover and load balance (gslb)
    exactstate.com
    uptime report for webhostingtalk.com

  9. #9
    Join Date
    Feb 2008
    Location
    California
    Posts
    315
    Does your provider offer any sort of DDoS mitigation at the network level? If so, ask them to enable it.

    Short of that, as hhw suggested, ask your provider to block UDP (or specifically UDP port 80, if that's all that's hitting you) traffic via an ACL. Keep in mind that some services typically run over UDP (such as name service), so if you require those services to be running, make sure your provider carves out exceptions to the ACL.
    Take 2 Hosting, Inc. - Hosting Done Right
    Fully automated setup - new servers in as little as 10 minutes
    http://www.take2hosting.com/

  10. #10
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,525
    If you're not a DDoS risk and really only receive an occasional attack, you might just look for a provider that has a managed firewall appliance (e.g. Netscreen) so you can set your own rules on the network and block the traffic you don't need.

  11. #11
    Join Date
    Apr 2003
    Location
    San Jose, CA.
    Posts
    1,624
    Quote Originally Posted by Orbixx View Post
    No, I don't see anything wrong with somebody sending a UDP packet destined for port 80 on my server. Sure Apache isn't listening for UDP packets as http is TCP based only, but the packets I am getting are UDP and they are trying to hit port 80.

    What's so ridiculous about that?
    Ok... So, someone is sending you UDP packets to port 80, and you think that's slowing down Apache, specifically on port 80.

    Apache isn't processing UDP data, so saying Apache is running slow on port 80 but fine on port 443 doesn't make sense or shows some unrelated problem.

    You've added a rule to your firewall saying drop all UDP data for port 80. What is it going to do with that data without that rule? Drop it. (Blocking it after it's already reached your box is pointless).

  12. #12
    Join Date
    May 2008
    Posts
    340
    Can you paste the output of the following commands so that we can see the requests coming in on port 80 ?

    netstat -plant | grep httpd
    tcpdump -vv -i eth0 udp
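    As an added example (not posted by anyone in this thread), here is the practitioner's follow-through on post #12's tcpdump diagnostic and post #8's point about rule ordering: rank the sources of UDP traffic to port 80 in a capture, then generate drop rules for the heaviest ones in the raw table's PREROUTING chain, which is evaluated before connection tracking and before the filter chains. The capture lines are a constructed sample in the format `tcpdump -nn -i eth0 udp` prints (documentation-range addresses, not real attackers); the function names `top_udp_sources` and `drop_rules` and the threshold of 2 packets are assumptions for illustration. The rules are printed, not applied, so this can be run without root.

```shell
#!/bin/sh
# Added example, not from the original thread: find the top UDP talkers to
# port 80 in a tcpdump capture and emit early-drop iptables rules for them.

# Constructed sample of "tcpdump -nn -i eth0 udp" output (addresses are from
# RFC 5737 documentation ranges; the packet sizes and counts are made up).
SAMPLE='12:00:01.000001 IP 198.51.100.7.53213 > 203.0.113.10.80: UDP, length 1024
12:00:01.000002 IP 198.51.100.7.53214 > 203.0.113.10.80: UDP, length 1024
12:00:01.000003 IP 192.0.2.44.40001 > 203.0.113.10.80: UDP, length 512
12:00:01.000004 IP 198.51.100.7.53215 > 203.0.113.10.80: UDP, length 1024
12:00:01.000005 IP 192.0.2.44.40002 > 203.0.113.10.80: UDP, length 512
12:00:01.000006 IP 203.0.113.99.1234 > 203.0.113.10.443: UDP, length 64
12:00:01.000007 IP 198.51.100.7.53216 > 203.0.113.10.80: UDP, length 1024'

# top_udp_sources <dst_port>: reads tcpdump -nn lines on stdin and prints
# "count source_ip", highest count first, counting only UDP packets whose
# destination port equals <dst_port>.
top_udp_sources() {
    awk -v port="$1" '
        $2 == "IP" && $6 == "UDP," {
            src = $3; sub(/\.[0-9]+$/, "", src)   # strip ".srcport" from "a.b.c.d.srcport"
            dst = $5; sub(/:$/, "", dst)          # drop the trailing ":" from "a.b.c.d.dstport:"
            n = split(dst, d, ".")
            if (d[n] == port) count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# drop_rules <min_packets>: reads "count source_ip" lines on stdin and prints
# one iptables command per source at or above the threshold. The raw table's
# PREROUTING chain runs before conntrack and before the filter table, so a
# DROP there discards the packet with the least kernel work, and -I puts the
# rule at the top of the chain so it is hit first.
drop_rules() {
    awk -v min="$1" '$1 >= min {
        printf "iptables -t raw -I PREROUTING -s %s -p udp --dport 80 -j DROP\n", $2
    }'
}

# Usage: ranked sources, then the rules for everything that sent 2+ packets.
printf '%s\n' "$SAMPLE" | top_udp_sources 80
printf '%s\n' "$SAMPLE" | top_udp_sources 80 | drop_rules 2
```

On a live box the capture would come from `tcpdump -nn -i eth0 udp and dst port 80 -c 10000` rather than the embedded sample, and the generated rules would be reviewed before being applied. Two caveats worth knowing: without any rule, the kernel answers each UDP packet to a closed port with a (rate-limited) ICMP port-unreachable, and a rule placed in the filter table's INPUT chain still lets every packet pass through connection tracking first, which is why the raw table is used here; and none of this helps once the attack saturates the uplink, which is the case where the provider-side ACL the other posters recommend is the only effective fix.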
