HELP with UDP flooding

nick3dos · January 15, 2014, 8:49am

Can someone tell what i have to do to prevent UDP flooding in my router.

I search the wiki and found these roules:

add action=drop chain=forward disabled=no dst-address-list=udp_flooded
add action=drop chain=forward disabled=no src-address-list=udp_flooder
add action=jump chain=forward comment="UDP Flood Protection" connection-state=new 
add action=return chain=udp_flood disabled=no dst-limit=50,50,src-and-dst-addresse
add action=add-src-to-address-list address-list=udp_flooder address-list-timeout=1
add action=add-dst-to-address-list address-list=udp_flooded address-list-timeout=1

but it didnt work, new UDP connections keep comming to my router and everytime i have to manualy drop these ips.

Thanks.

nick3dos · January 15, 2014, 4:07pm

???

Lakis · January 15, 2014, 9:45pm

That does not mater if u drop them, traffic is still coming to ur router WAN port
best solution use Torch and see where the flood-traffic is directed “dst-address” and call your ISP

nick3dos · January 15, 2014, 9:50pm

Thanks for your answer.
My ISP cant help me.

At least i want to stop flood connections of that ips.
If i manually drop in firewall the ips that make the connections, in some point it is all ok.

But how can these ips be dynamic added to these firewall rules, without every time to do it manually?

Lakis · January 15, 2014, 10:09pm

First if flood is from many addresses one port drop that port
Is this ur everyday problem?
UDP flood form many addresses and many ports that sucks
if u are ISP and u have many real IPs find where flood-traffic is directed “dst-address” - (I edited this on my first post)

nick3dos · January 15, 2014, 10:27pm

I have 40 static ips in my metwork from my ISP.
In two of them i discovered this problem, two days now.
UDP flood are from different addresses and different ports.

redflag237 · January 22, 2014, 5:07pm

Why is this ruleset not working? What is running behind your router… Webserver?
In case of any Webservers, i would recommend you to simply touch the A-Record of your Domain and redirect to any DDos-Cloud-Service. This Service filters the bad traffic and only let the cleaned stuff pass to your real IP. Can recommend you Depulsio (www.depulsio.de), met this guys last year on ISD in Cologne.

But what i didn’t unterstand: is the problem that the ports is fully loaded (by this attack) or is the problem the target, that is being attacked?
If the target is your problem: What ports are being Attacked and wherefore they got opened. Maybe Reverse-Proxy them?

If your ISP Uplink is strong enough and doesn’t get fully loaded and even your Router is powerful enough… let the Traffic flow and just drop it by time. Maybe try other rate limits. What Piece of Hardware we’re talking about and which datarate on your WAN we’re talking about?