  1. #1

    20Mbit DoS attack with UDP

    I have had a problem for two days. I am facing a DoS attack on one of my IPs with 20Mbit of UDP packets.

    These are the packets I receive:
    Code:
    16:19:26.949003 IP (tos 0x0, ttl  49, id 14236, offset 0, flags [DF], proto: UDP (17), length: 29) 222.90.73.53.33713 > foo.com.www: [udp sum ok] UDP, length 1
    My provider says they can't do anything. The only thing they could do is shut down my IP, which is not really helpful. I have no idea what to do or what else I could analyze. It would be very interesting to know whether the IP is being attacked or one of the sites I host.
    I already have over 300GB of traffic since yesterday because of this.
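    An added triage helper, not code from the thread or from any tool mentioned in it: it parses lines in the tcpdump -v format quoted above, aggregates packets, bytes, TTLs and destination ports per source IP, and ranks the sources by share of bytes, which is the quickest way to answer the "are they all coming from the same IP?" question that follows. The sample lines are constructed (only the first is the one from the post; 198.51.100.7 is a documentation address standing in for ordinary traffic).

```python
import re

# Constructed sample in the "tcpdump -v" format quoted in the thread. Only the
# first line is the one from the thread; the rest are made up, and 198.51.100.7
# (a documentation address) stands in for a legitimate DNS reply.
SAMPLE = """\
16:19:26.949003 IP (tos 0x0, ttl  49, id 14236, offset 0, flags [DF], proto: UDP (17), length: 29) 222.90.73.53.33713 > foo.com.www: [udp sum ok] UDP, length 1
16:19:26.949120 IP (tos 0x0, ttl  49, id 14237, offset 0, flags [DF], proto: UDP (17), length: 29) 222.90.73.53.33714 > foo.com.www: [udp sum ok] UDP, length 1
16:19:26.950001 IP (tos 0x0, ttl  52, id 1, offset 0, flags [DF], proto: UDP (17), length: 76) 198.51.100.7.53 > foo.com.41200: [udp sum ok] UDP, length 48
16:19:27.100003 IP (tos 0x0, ttl  49, id 14238, offset 0, flags [DF], proto: UDP (17), length: 29) 222.90.73.53.33715 > foo.com.www: [udp sum ok] UDP, length 1
"""

# Matches the UDP lines tcpdump -v prints; lines for other protocols return None.
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP \(.*?ttl\s+(?P<ttl>\d+),.*?length: (?P<ip_len>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>\S+): .*UDP, length (?P<payload>\d+)$"
)

def parse_line(line):
    """Split one tcpdump line into src IP/port, dst host/port, TTL and sizes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = m["src"].rsplit(".", 1)    # "a.b.c.d.33713" -> IP, port
    dst_host, dst_port = m["dst"].rsplit(".", 1)  # "foo.com.www" -> host, port
    return {"src": src_ip, "sport": src_port, "dst": dst_host, "dport": dst_port,
            "ttl": int(m["ttl"]), "ip_len": int(m["ip_len"]),
            "payload": int(m["payload"])}

def summarize(text):
    """Per source IP: packet count, IP-layer bytes, TTLs seen, destination ports hit."""
    per_src = {}
    for line in text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        s = per_src.setdefault(p["src"], {"packets": 0, "bytes": 0,
                                          "ttls": set(), "dports": set()})
        s["packets"] += 1
        s["bytes"] += p["ip_len"]
        s["ttls"].add(p["ttl"])      # one TTL per source suggests one real path;
        s["dports"].add(p["dport"])  # a spread of TTLs hints at spoofed sources
    return per_src

def top_sources(per_src, share=0.5):
    """Sources responsible for at least `share` of all bytes, largest first."""
    total = sum(s["bytes"] for s in per_src.values()) or 1
    ranked = sorted(per_src.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [(ip, s["bytes"] / total) for ip, s in ranked if s["bytes"] / total >= share]
```

Feed it the output of `tcpdump -n -v udp` captured during the flood; if one source dominates with a single TTL and a single destination port, a per-source drop at the host or at the provider's router is enough, whereas many sources with scattered TTLs point to spoofing and only a destination-side filter will help.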

  2. #2
    Are they all coming from the same IP?

  3. #3
    Hi

    If they are all coming from the same IP you could amend your firewall rule to drop all traffic from that one IP.

    Depending on your setup, you could use APF/BFD.

    http://rfxnetworks.com/proj.php

    or if you're using cPanel then CSF (which has a nice GUI)

    http://www.configserver.com/cp/csf.html

    Both have the ability to list IPs you want to DENY / DROP.

    Just be careful when installing, as you could lock yourself out. However, both come with a safety feature that will drop the firewall every 5 mins whilst testing.

    Hope that helps.

  4. #4
    Even if you ban the IP with software, it will still use bandwidth; the only thing to do is have your provider block UDP traffic to your server.

  5. #5
    But if the traffic gets dropped then they will soon tire of attacking it.

  6. #6
    Not necessary if the OP is not running any UDP service.

  7. #7
    The OP says they can't block the attack. They have too much traffic to be able to analyze it.
    But they won't lock down my server.

    @ meyu: that's my problem. I have managed to drop all packets from the attack and the server is running fine, but I still have a lot of traffic (9 gig/hour). Yesterday I noticed it dropped to about 7.5 gig/hour. I have moved some of my sites to a different IP and I will change the IP soon and hope that the problem will be solved and the attacker doesn't follow to the new IP.


    LE:
    @ RelicHOST: there is nothing on earth that could convince me to use cPanel. I use DTC as control panel and shorewall as firewall. Just added the IP to /etc/shorewall/blacklist and everything was fine.

  8. #8
    @cris_lcx: if your provider cannot help you block that traffic, there is no way for you to get rid of it; even if you can block it with a firewall or mod_evasive, the traffic still exists. Have you tried simply giving the IP to your provider and asking them to block that IP? It's easier than asking them to analyze the traffic.

  9. #9
    How can a provider not be able to filter an attack, unless they are reselling, or something?

    Who is your provider?

  10. #10
    I will try to translate to English what my provider wrote me:

    They have 2 ways of blocking an attack.

    1. They can block using the router protocol (like BGP). This would be pretty simple, but the disadvantage is that they can only block the destination IP, which would be my IP.

    2. They let all the traffic through a firewall, but this would slow down the speed.

    A bit of background information: they have about 20.000 dedicated servers and a 62Gbit connection. I can really understand their arguments.
    They promised not to slow down my connection, and I don't have problems when having too much traffic.

    I now changed the IP and blocked the old IP, and the attack didn't follow. So everything is back to normal now.

  11. #11
    Quote Originally Posted by RelicHOST View Post
    Just be careful when installing, as you could lock yourself out. However, both come with a safety feature that will drop the firewall every 5 mins whilst testing.

    What should this setting be for a production firewall?

    I'm actually having trouble with CSF 3.10, the latest version as of today. My servers have been going down for 2 days. We investigated everything from MaxClients in Apache, to tuning MySQL, to tuning Postgres, to whatnot, to dropping a number of rules in mod_sec. Ultimately, it seems that all I have to do is stop CSF/LFD and the system hums along.

    What's the beef? I had the synflood option enabled. Disabled that. I disabled everything like htaccess checking and whatnot. Still, restarting CSF would bring the servers down in minutes.

    I have now simply disabled CSF and the sites are running very fast.

    Any idea what's wrong with the latest version of CSF?

  12. #12
    I'm running the latest CSF on a few servers, and I have no issues like that....

  13. #13
    Did you try contacting the network provider responsible for the attacking IP address?

  14. #14
    Yes, no answer, and probably the IP was spoofed.

  15. #15
    I am not familiar with such large-scale networking, but is it not possible to route the traffic from a specific IP to nowhere? Or just to route traffic destined for a specific IP to nowhere (as you previously mentioned)?

  16. #16
    The "from" is the problem. They can only work with the destination, and if they block the destination (which is what they did now) my server isn't reachable anymore. But like I mentioned, I switched IP and the DoS attack didn't follow to the new IP.

  17. #17
    They can't filter it via an ACL on the router?

    I've barely been looking at DDoS attacks so yea...

    something like....
    access-list 100 deny icmp any any
    access-list 100 deny udp any any eq 22
    access-list 100 deny udp any any eq 80
    access-list 100 deny udp any any eq (and so on)
    access-list 100 permit udp any any

    Kinda newbie but yea...

  18. #18
    Quote Originally Posted by erick_p View Post
    What should this setting be for a production firewall?

    I'm actually having trouble with CSF 3.10, the latest version as of today. My servers have been going down for 2 days. We investigated everything from MaxClients in Apache, to tuning MySQL, to tuning Postgres, to whatnot, to dropping a number of rules in mod_sec. Ultimately, it seems that all I have to do is stop CSF/LFD and the system hums along.

    What's the beef? I had the synflood option enabled. Disabled that. I disabled everything like htaccess checking and whatnot. Still, restarting CSF would bring the servers down in minutes.

    I have now simply disabled CSF and the sites are running very fast.

    Any idea what's wrong with the latest version of CSF?
    I've got that problem too; like every day, my server always goes offline. But it stopped going down when I uninstalled CSF 3.10.

  19. #19
    It's quite easy to block a source IP in a router or switch. The problem is whether your provider would like to help you do it or not. I think there are three conditions:
    1. the provider is a reseller, so they can't do it.
    2. they have too many machines. But in each subnet, the # of machines is small, so this condition is false.
    3. they don't want to do it...

    Anyway, no DoS anymore, congratulations.
