
07-25-2012, 06:20 PM
_0xE2 (Junior Guru Wannabe; Join Date: Apr 2012; Location: Compton; Posts: 30)
Block unwarranted UDP w/ ACL rules?
Is it possible to block all unwarranted UDP traffic with Access Control List rules on an upstream router?
I know someone who runs an OpenVPN server and he has a special list of rules he requests hosts to implement that completely stops UDP floods, but he can still connect to UDP services such as Xbox LIVE.
Can someone share some insight on how this might be possible?
He was taught by someone years ago and won't tell anyone.
These are the things he has told me:
- He has port redirection. (Not sure if that is even possible and what effect it would have.)
- He blocks UDP entirely. (Not possible for him to connect to the Xbox LIVE service if he did, as it requires UDP on ports 88 and 3074.)
- That I'm a "kracker" and he has the best VPN on the internet. (He said that right before DDoSing me once, lol.)
If someone could please help me I'd really appreciate it.

07-25-2012, 06:25 PM
DeltaAnime (Poooooonnyyy :*; Join Date: Jan 2003; Location: Canada; Posts: 3,896)
The host has to be willing to tank the flood.
Someone has to eat the bandwidth so if you're getting 2Gbit+ floods like most booters do these days, then your host has to be willing to filter that constantly for whatever they're going to charge for an ACL.
Francisco
__________________
BuyVM - OpenVZ & KVM Based VPS Servers - Chat with us
- All popular VPN methods supported
- Affordable offloaded MySQL & DDoS protection
- 5GB backup space, unmetered private LAN bandwidth & native IPv6 included. All with a strong serving of pony

07-25-2012, 06:30 PM
_0xE2 (Junior Guru Wannabe; Join Date: Apr 2012; Location: Compton; Posts: 30)
Quote:
Originally Posted by DeltaAnime
The host has to be willing to tank the flood.
Someone has to eat the bandwidth so if you're getting 2Gbit+ floods like most booters do these days, then your host has to be willing to filter that constantly for whatever they're going to charge for an ACL.
Francisco
Well I know a few hosts that will do it, but I'm not sure of what rules to request.
I can request to block all UDP traffic except the ports that I need, but if those ports get flooded I go down.
I'm wondering what kind of rule I'd need to request to block unwarranted UDP traffic.
E.g. I connect to a host, initiating an allowed connection.
E.g. A bunch of hosts start sending UDP packets (flooding) and all connections are dropped because I didn't connect to them first.

07-25-2012, 06:32 PM
DeltaAnime (Poooooonnyyy :*; Join Date: Jan 2003; Location: Canada; Posts: 3,896)
Quote:
Originally Posted by _0xE2
Well I know a few hosts that will do it, but I'm not sure of what rules to request.
I can request to block all UDP traffic except the ports that I need, but if those ports get flooded I go down.
I'm wondering what kind of rule I'd need to request to block unwarranted UDP traffic.
E.g. I connect to a host, initiating an allowed connection.
E.g. A bunch of hosts start sending UDP packets (flooding) and all connections are dropped because I didn't connect to them first.
Research I guess
We have a user that does something along these lines and has a half dozen+ rules in place. He draws quite a bit of fire at his box but hasn't caused any issues to date.
ACL's of doom
Francisco

07-25-2012, 06:35 PM
_0xE2 (Junior Guru Wannabe; Join Date: Apr 2012; Location: Compton; Posts: 30)
Quote:
Originally Posted by DeltaAnime
Research I guess
We have a user that does something along these lines and has a half dozen+ rules in place. He draws quite a bit of fire at his box but hasn't caused any issues to date.
ACL's of doom
Francisco
Possibly block all ports I don't need to use, and rate limit the ones I do need with a burst limit and blacklist for bad hosts?
Seems like it might work.

07-25-2012, 06:36 PM
DeltaAnime (Poooooonnyyy :*; Join Date: Jan 2003; Location: Canada; Posts: 3,896)
Quote:
Originally Posted by _0xE2
Possibly block all ports I don't need to use, and rate limit the ones I do need with a burst limit and blacklist for bad hosts?
Seems like it might work.
I can't say anything on this fellow's setup, but what I can say is that blacklists are pointless since you can forge packets.
Francisco
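The rule set _0xE2 sketches above (drop UDP to ports the box does not use, rate-limit the ports it does with a burst), together with the stateful behaviour he asked about earlier (accept UDP replies only for flows the host opened first), modelled as a small packet filter. This is an added example, not anything from the thread or from BuyVM; the 100 packets/second rate, the 50-packet burst, and every address are constructed. It deliberately has no source blacklist, for the reason Francisco gives: flood sources can be forged, so every check here keys on port, state or rate, never on who the sender claims to be.

```python
from collections import defaultdict

class UdpAcl:
    """Model of the policy discussed in the thread (constructed, not a real ACL):
    1. UDP replies to flows this host opened are accepted (stateful match);
    2. unsolicited UDP is accepted only on listed service ports, and only while
       a token bucket (steady rate plus burst) still has tokens;
    3. everything else is dropped. No source blacklist: forged sources would
       give it nothing to key on, so every check is on port, state or rate."""

    def __init__(self, service_ports, rate, burst):
        self.service_ports = set(service_ports)
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), 0.0
        self.flows = set()                # (local_port, remote_ip, remote_port)
        self.stats = defaultdict(int)

    def outbound(self, src_port, dst_ip, dst_port):
        """Host sends a datagram: remember the flow so its reply is allowed in."""
        self.flows.add((src_port, dst_ip, dst_port))

    def inbound(self, t, src_ip, src_port, dst_port):
        """Return True if the datagram arriving at time t (seconds) is accepted."""
        if (dst_port, src_ip, src_port) in self.flows:
            self.stats["reply"] += 1
            return True
        if dst_port not in self.service_ports:
            self.stats["drop_port"] += 1
            return False
        # Refill for the time elapsed, cap at the burst, then spend one token.
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.stats["accept"] += 1
            return True
        self.stats["drop_rate"] += 1
        return False

def run_demo():
    """Constructed traffic: a reply to our own query, a stray port, a burst of
    300 datagrams with forged sources at port 3074, then a real client later."""
    acl = UdpAcl(service_ports=[88, 3074], rate=100, burst=50)
    acl.outbound(40000, "203.0.113.5", 53)
    acl.inbound(0.0, "203.0.113.5", 53, 40000)       # reply to our query: accepted
    acl.inbound(0.0, "198.51.100.9", 5000, 9999)     # port not in use: dropped
    for i in range(300):                             # 300 forged sources, same instant
        acl.inbound(0.0, f"198.51.100.{i % 254 + 1}", 1024 + i, 3074)
    acl.inbound(1.0, "192.0.2.77", 3074, 3074)       # real client one second later
    return dict(acl.stats)                           # {'reply': 1, 'drop_port': 1, 'accept': 51, 'drop_rate': 250}
```

The flood gets the burst's 50 datagrams through and nothing more, while the service port stays reachable for a client arriving once the bucket has refilled; on a real edge router the same policy is expressed with conntrack state, a port allow-list and a limit rule rather than Python.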

07-25-2012, 06:40 PM
_0xE2 (Junior Guru Wannabe; Join Date: Apr 2012; Location: Compton; Posts: 30)
Quote:
Originally Posted by DeltaAnime
I can't say anything on this fellow's setup, but what I can say is that blacklists are pointless since you can forge packets.
Francisco
What type of machine would I need to test ACL rules?
I can set up a VM and do some local testing.

07-25-2012, 06:42 PM
DeltaAnime (Poooooonnyyy :*; Join Date: Jan 2003; Location: Canada; Posts: 3,896)
Quote:
Originally Posted by _0xE2
What type of machine would I need to test ACL rules?
I can set up a VM and do some local testing.
It isn't just a machine; ACLs are normally done at edge routers.
No host is going to be OK with you tanking a multi-gbit flood on a single box unless you got very deep pockets to pay for the line.
Francisco

07-25-2012, 06:48 PM
_0xE2 (Junior Guru Wannabe; Join Date: Apr 2012; Location: Compton; Posts: 30)
Quote:
Originally Posted by DeltaAnime
It isn't just a machine; ACLs are normally done at edge routers.
No host is going to be OK with you tanking a multi-gbit flood on a single box unless you got very deep pockets to pay for the line.
Francisco
Well I know that, I just would like to set up a couple of VMs.
One VM would probably be a router and another would be an attack machine.
I'm going to figure something out, time for a lot of reading. XD
Thank You

07-25-2012, 09:29 PM
CNSERVERS (Web Hosting Master; Join Date: Jun 2004; Location: Oregon; Posts: 1,143)
Tell your provider what you want, and they will come up with the rules to put on.
__________________
CNSERVERS.COM Portland, Oregon since 2005
Fully DDoS Protected BGP Network - Hardware Based Automatic Network and Application Level Protection
IP Transit / Colocation / Dedicated Server / Remote DDoS Protection via GRE Tunnel & Reverse Proxy
Last edited by CNSERVERS; 07-25-2012 at 09:34 PM.