Help formatting iptables (or script) against a UDP flood attack
by Rirre from LinuxQuestions.org on (#6HZVK)
Hi,
I have been a target of DoS/UDP flood attacks (from spoofed IPs) for at least a year now (very persistent Turkish citizen), which don't overwhelm the network but make the service on the port he is attacking unavailable. I have given up on blocking on the length, as he always finds another way to do it.
I have analyzed the packets via tcpdump and I got an idea how to stop it. I believe it already exists, I just don't know what to look for. Otherwise I need help making it possible via iptables, Python, or any other script.
When the server is receiving packets, it never sends a response back to the attacker; it only receives. Since the server only receives packets from this IP, I would like to block the IP.
For example:
This is how it looks during an attack via tcpdump:
Code:
00:41:12.076843 IP 34.91.83.47.59099 > server.ip.27017: UDP, length 31
00:41:12.076843 IP 34.91.83.47.59099 > server.ip.27017: UDP, length 31
00:41:12.076843 IP 34.91.83.47.59099 > server.ip.27017: UDP, length 31
00:41:12.076843 IP 34.91.83.47.59099 > server.ip.27017: UDP, length 31
...
16:59:50.044807 IP 34.90.117.188.40293 > server.ip.27017: UDP, length 251
16:59:50.044821 IP 34.90.117.188.40293 > server.ip.27017: UDP, length 251
16:59:50.044821 IP 34.90.117.188.40293 > server.ip.27017: UDP, length 251
16:59:50.044821 IP 34.90.117.188.40293 > server.ip.27017: UDP, length 251
...
16:07:09.618772 IP attacker.ip.60954 > server.ip.27017: UDP, length 27
16:07:09.618985 IP attacker.ip.60911 > server.ip.27017: UDP, length 9
16:07:09.618986 IP attacker.ip.60911 > server.ip.27017: UDP, length 27
16:07:09.619117 IP server.ip.27017 > legit.client.ip.27005: UDP, length 510
16:07:09.619319 IP attacker.ip.60915 > server.ip.27017: UDP, length 9
16:07:09.619320 IP attacker.ip.60915 > server.ip.27017: UDP, length 27
16:07:09.619430 IP attacker.ip.60930 > server.ip.27017: UDP, length 9
16:07:09.619431 IP attacker.ip.60930 > server.ip.27017: UDP, length 27
16:07:09.619431 IP attacker.ip.60914 > server.ip.27017: UDP, length 9
16:07:09.619431 IP attacker.ip.60914 > server.ip.27017: UDP, length 27
16:07:09.619431 IP attacker.ip.60931 > server.ip.27017: UDP, length 9
16:07:09.619587 IP attacker.ip.60931 > server.ip.27017: UDP, length 27
16:07:09.619745 IP attacker.ip.60934 > server.ip.27017: UDP, length 9
16:07:09.619745 IP attacker.ip.60934 > server.ip.27017: UDP, length 27
16:07:09.619811 IP attacker.ip.60935 > server.ip.27017: UDP, length 9
16:07:09.619811 IP attacker.ip.60935 > server.ip.27017: UDP, length 27
16:07:09.620082 IP attacker.ip.60956 > server.ip.27017: UDP, length 9
16:07:09.620083 IP attacker.ip.60956 > server.ip.27017: UDP, length 27
16:07:09.620346 IP attacker.ip.60937 > server.ip.27017: UDP, length 9
16:07:09.620394 IP attacker.ip.60918 > server.ip.27017: UDP, length 9
16:07:09.620394 IP attacker.ip.60918 > server.ip.27017: UDP, length 27
16:07:09.620394 IP attacker.ip.60937 > server.ip.27017: UDP, length 27
16:07:09.620695 IP attacker.ip.60919 > server.ip.27017: UDP, length 9
16:07:09.620695 IP attacker.ip.60919 > server.ip.27017: UDP, length 27
16:07:09.620696 IP attacker.ip.60959 > server.ip.27017: UDP, length 9
16:07:09.620696 IP attacker.ip.60959 > server.ip.27017: UDP, length 27
16:07:09.620779 IP attacker.ip.60960 > server.ip.27017: UDP, length 9
16:07:09.620779 IP attacker.ip.60960 > server.ip.27017: UDP, length 27
16:07:09.620801 IP legit.client.ip.27005 > server.ip.27017: UDP, length 31
16:07:09.620855 IP attacker.ip.60961 > server.ip.27017: UDP, length 9
16:07:09.620856 IP attacker.ip.60961 > server.ip.27017: UDP, length 27
16:07:09.621194 IP attacker.ip.60968 > server.ip.27017: UDP, length 9
...
With legit traffic connected to the service port, it looks like this (receive <-> send):
Code:
00:53:56.633496 IP server.ip.27017 > legit.client.ip.30151: UDP, length 16
00:53:56.659680 IP legit.client.ip.30151 > server.ip.27017: UDP, length 16
00:53:56.661719 IP server.ip.27017 > legit.client.ip.30151: UDP, length 16
00:53:56.690934 IP legit.client.ip.30151 > server.ip.27017: UDP, length 16
00:53:56.694027 IP server.ip.27017 > legit.client.ip.30151: UDP, length 16
00:53:56.722953 IP legit.client.ip.30151 > server.ip.27017: UDP, length 16
00:53:56.727744 IP server.ip.27017 > legit.client.ip.30151: UDP, length 1046
...
Appreciate any help I can get.
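The heuristic the post describes (a source that keeps sending to the service port while the server never answers it is not a real client) can be checked directly against tcpdump output. The script below is an added example and not code from the poster or from LinuxQuestions: it parses lines in the `tcpdump -nn` shape quoted above, counts inbound packets per source to the service port, records every destination the server replied to from that port, and reports sources that were never answered. The addresses (`203.0.113.10` as the server, `192.0.2.x` as flood sources, `198.51.100.x` as clients) and the embedded capture are constructed stand-ins for the placeholders in the post; `min_packets` is an assumed threshold so that a legit client whose first datagram has not been answered yet is not flagged.

```python
import re
from collections import Counter

# Shape of the tcpdump lines quoted in the post (numeric addresses, as printed
# by `tcpdump -nn`): "HH:MM:SS.usec IP src.sport > dst.dport: UDP, length N".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)

SERVICE_IP = "203.0.113.10"   # constructed stand-in for "server.ip" in the post
SERVICE_PORT = 27017

# Constructed capture mirroring the post's pattern: one source hammering the
# service port from many source ports with no reply, a second short burst,
# two legit clients the server answers, and one unrelated packet (DNS query).
SAMPLE_CAPTURE = """\
16:07:09.618772 IP 192.0.2.7.60954 > 203.0.113.10.27017: UDP, length 27
16:07:09.618985 IP 192.0.2.7.60911 > 203.0.113.10.27017: UDP, length 9
16:07:09.618986 IP 192.0.2.7.60911 > 203.0.113.10.27017: UDP, length 27
16:07:09.619117 IP 203.0.113.10.27017 > 198.51.100.5.27005: UDP, length 510
16:07:09.619319 IP 192.0.2.7.60915 > 203.0.113.10.27017: UDP, length 9
16:07:09.619320 IP 192.0.2.7.60915 > 203.0.113.10.27017: UDP, length 27
16:07:09.620801 IP 198.51.100.5.27005 > 203.0.113.10.27017: UDP, length 31
16:07:09.621000 IP 192.0.2.9.40293 > 203.0.113.10.27017: UDP, length 251
16:07:09.621100 IP 192.0.2.9.40293 > 203.0.113.10.27017: UDP, length 251
16:07:09.621500 IP 198.51.100.8.30151 > 203.0.113.10.27017: UDP, length 16
16:07:09.621600 IP 203.0.113.10.27017 > 198.51.100.8.30151: UDP, length 16
16:07:09.622000 IP 203.0.113.10.51000 > 203.0.113.77.53: UDP, length 40
...
"""


def parse_line(line):
    """Return the fields of one tcpdump UDP line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec


def find_unanswered_sources(lines, service_ip, service_port, min_packets=3):
    """Sources that sent >= min_packets to the service port and never got a reply.

    Returns [(src_ip, packet_count), ...] sorted by count, highest first.
    """
    inbound = Counter()   # packets per source aimed at the service port
    answered = set()      # peers the server has replied to from that port
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # "..." separators, non-UDP lines, etc.
        if rec["dst"] == service_ip and rec["dport"] == service_port:
            inbound[rec["src"]] += 1
        elif rec["src"] == service_ip and rec["sport"] == service_port:
            answered.add(rec["dst"])
    suspects = [(ip, n) for ip, n in inbound.items()
                if n >= min_packets and ip not in answered]
    return sorted(suspects, key=lambda t: (-t[1], t[0]))


def block_rules(sources, service_port):
    """iptables commands that drop UDP to the service port from each source."""
    return [f"iptables -I INPUT -p udp --dport {service_port} -s {ip} -j DROP"
            for ip in sources]


if __name__ == "__main__":
    hits = find_unanswered_sources(SAMPLE_CAPTURE.splitlines(), SERVICE_IP, SERVICE_PORT)
    for ip, n in hits:
        print(f"{ip}: {n} unanswered packets to port {SERVICE_PORT}")
    for rule in block_rules([ip for ip, _ in hits], SERVICE_PORT):
        print(rule)
```

On the constructed capture only `192.0.2.7` is reported with the default threshold; `192.0.2.9` sent just two packets, so it stays below `min_packets`, and both `198.51.100.x` clients are excluded because the server answered them. Two caveats follow from the post itself: the capture has to be made with numeric output (`tcpdump -nn`) for the regex to match, and because the post says the source IPs are spoofed, per-IP drops only help for as long as a given source persists, so a per-source rate limit on the port (iptables' `hashlimit` match) is the complementary control.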