I am building a service which will use UDP. It will run on Amazon AWS; in the firewall they provide, I can block everything except the one UDP port my service will run on.

The only thing I'm concerned about is receiving a massive spam of UDP packets from random spoofed IP addresses on that particular UDP port. If the pool of these spoofed IP addresses were limited, then all of them could be blacklisted on a 3rd-party firewall. But if every packet can have a random 32-bit IP address, then I can't think of a way to distinguish it from a legitimate packet.

Is there even a way to defend against such an attack?

techraf
John Lock
  • You can't, besides having more bandwidth than the attacker. In this case, what you can do is have the server detect malicious packets and then use Amazon's API (hopefully they have one for this) to block the origin IP of that packet so it gets blocked on Amazon's side before it reaches your server and exhausts your (limited) bandwidth. – André Borie Jun 03 '16 at 23:52
  • But how do you detect malicious packets if each one is from a random IP? I was thinking that maybe there is a firewall service that has a server constantly analysing whether an IP address is legitimate (succeeded in a triple communication round) and adding it to a white list. And in case of a DDoS attack, it would allow only those IP addresses from the white list to pass, so only new users would have problems, but old users could communicate without problems. – John Lock Jun 04 '16 at 00:10
  • Sometimes bad guys win. – Neil Smithline Jun 04 '16 at 03:24
  • "Is there even a way to defend against such an attack?" ... yes. But most options involve you having control over your infrastructure. Which you don't with the "magic cloud"! – Little Code Jun 04 '16 at 15:24
  • This is a great question. This absolutely involves working with your ISP (or in your case, the cloud service provider) to track the source and ask the originating ISP to stop doing this (or block that ISP from reaching your equipment). A firewall inside your network cannot help with bandwidth exhaustion, but perhaps the AWS firewall is outside of your bandwidth throttle, in which case that can help. I'm interested to see answer(s) from folks who have battled such an attack before. – 700 Software Aug 03 '16 at 13:54

2 Answers


Are you absolutely bound to UDP? TCP fixes IP spoofing attacks.

IPsec? If every packet is from a pre-determined trusted device, you could add an Authentication Header to validate it.

CGretski
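
The handshake idea behind this answer (and behind the white-list suggestion in the comments) can be applied to a UDP service without switching to TCP. The Python model below is an added example, not part of CGretski's answer and not an AWS feature: it does the cookie exchange that DTLS and QUIC use for source-address validation. Before the server keeps any state for a source, it returns an HMAC cookie bound to that (ip, port) and a time window; the cookie travels to the claimed source address, so a sender that spoofed the address never sees it and can only guess. The `UdpServer` class, the constants, the 203.0.113.10 client and the flood loop are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import random
from dataclasses import dataclass, field

# Constructed parameters for this example (not from the question or answers).
COOKIE_LIFETIME_S = 30  # a cookie is valid for its window plus the next one
COOKIE_LEN = 16         # truncated HMAC-SHA256 tag, far beyond online guessing


@dataclass
class UdpServer:
    """Stateless source-address validation for a UDP service.

    An unvalidated source first receives a cookie bound to its (ip, port)
    and the current time window. The server stores nothing for a source
    until that cookie comes back from the same address.
    """
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    validated: set = field(default_factory=set)
    work_done: int = 0  # datagrams that reached the real service logic

    def _cookie(self, addr, window):
        ip, port = addr
        msg = f"{ip}:{port}:{window}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def handle(self, addr, payload, now):
        """Process one datagram; return the reply bytes, or None to drop it."""
        window = int(now // COOKIE_LIFETIME_S)
        if addr in self.validated:
            self.work_done += 1
            return b"DATA-ACK"
        if payload == b"HELLO":
            # Costs one HMAC and keeps no state for the unverified source.
            return b"VERIFY " + self._cookie(addr, window).hex().encode()
        if payload.startswith(b"COOKIE "):
            try:
                presented = bytes.fromhex(payload[7:].decode("ascii"))
            except ValueError:
                return None
            # Accept the current or previous window so a boundary does not break clients.
            for w in (window, window - 1):
                if hmac.compare_digest(presented, self._cookie(addr, w)):
                    self.validated.add(addr)
                    return b"ACCEPTED"
            return None
        return None  # anything else from an unvalidated source is dropped unread


def simulate(spoofed_packets=10_000, seed=1):
    """Constructed scenario: one real client plus a flood from random spoofed sources."""
    rng = random.Random(seed)
    server = UdpServer()
    now = 1_000_000.0
    client = ("203.0.113.10", 40000)  # documentation-range address owned by the client

    verify = server.handle(client, b"HELLO", now)
    accepted = server.handle(client, b"COOKIE " + verify[7:], now)  # echoes what it received
    data_reply = server.handle(client, b"anything", now)

    guessed_in = 0
    for _ in range(spoofed_packets):
        spoofed = (".".join(str(rng.randrange(256)) for _ in range(4)), rng.randrange(1024, 65536))
        server.handle(spoofed, b"HELLO", now)  # VERIFY goes to the spoofed address, not the sender
        fake = rng.getrandbits(8 * COOKIE_LEN).to_bytes(COOKIE_LEN, "big")
        if server.handle(spoofed, b"COOKIE " + fake.hex().encode(), now) == b"ACCEPTED":
            guessed_in += 1

    return {
        "client_accepted": accepted == b"ACCEPTED",
        "client_data_reply": data_reply,
        "validated_sources": len(server.validated),
        "spoofed_guesses_accepted": guessed_in,
        "work_done": server.work_done,
    }


if __name__ == "__main__":
    print(simulate())
```

This protects the server's CPU, memory and application logic, not its link: every spoofed datagram still has to arrive and be read before it is dropped, so bandwidth exhaustion remains a problem to solve upstream of the instance, as the other answer on this page says. Secret rotation and the choice of window length are left as constants here.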

DDoS attacks' goal is to exhaust some of your resources (bandwidth, CPU, RAM, disk, ...). They are usually of two kinds:

  • exploit a vulnerability on your server (or backend) which impacts a resource with a small effort (resource-wise) on the attacker's side. Slowloris is such an example. The solution is usually a fix from the vendor.
  • exploit the fact that you have limited bandwidth compared to the attacker. The solution, when it works, is to use an intermediate (CloudFlare, Akamai, ...) which will magically clean the traffic before it reaches you. Magically = a proprietary solution which may or may not work. In any case, when such a surge of traffic reaches you, it is too late to protect yourself: the packets must be dealt with upstream from you.

In your case this is likely case #2.

If you have a DoS from a single IP, you can deal with it at the firewall level by dropping its traffic. This is usually a very primitive attack, though.

WoJ
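
The last paragraph of this answer draws the line between a single-source DoS, which a per-IP firewall rule can drop, and the spoofed flood the question describes. The Python model below is an added example (not WoJ's code and not any real firewall's implementation) that runs both kinds of traffic through a per-source token bucket with a bounded table, which is the essence of a "limit each source to N packets per second" rule. The traffic mix, the rates and the 198.51.100.x and 192.0.2.66 addresses (RFC 5737 documentation ranges) are constructed for the demonstration.

```python
import random
from collections import OrderedDict


class PerSourceLimiter:
    """Token bucket per source IP with a bounded, LRU-evicted table (constructed)."""

    def __init__(self, rate_pps, burst, max_sources):
        self.rate = float(rate_pps)       # sustained packets per second per source
        self.burst = float(burst)         # tokens a fresh or idle source starts with
        self.max_sources = max_sources    # bound on tracked sources (memory)
        self.buckets = OrderedDict()      # ip -> (tokens, last_seen)
        self.evictions = 0

    def allow(self, ip, now):
        """Return True if a packet from ip at time now is accepted."""
        tokens, last = self.buckets.pop(ip, (self.burst, now))  # unknown source starts full
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        if ok:
            tokens -= 1.0
        self.buckets[ip] = (tokens, now)  # re-insert at the most-recently-seen end
        if len(self.buckets) > self.max_sources:
            self.buckets.popitem(last=False)  # forget the least recently seen source
            self.evictions += 1
        return ok


def run_scenario(attacker_spoofs, seed=7):
    """Constructed traffic: ten legitimate clients at 5 pps, one attacker at 5000 pps for 10 s."""
    rng = random.Random(seed)
    lim = PerSourceLimiter(rate_pps=20, burst=40, max_sources=10_000)
    legit = [f"198.51.100.{i}" for i in range(1, 11)]
    stats = {"legit_ok": 0, "legit_total": 0, "attack_ok": 0, "attack_total": 0}
    attack_pps, duration_s = 5_000, 10
    for k in range(attack_pps * duration_s):
        now = k / attack_pps
        if k % (attack_pps // 5) == 0:  # each legitimate client sends 5 packets/s
            for ip in legit:
                stats["legit_total"] += 1
                stats["legit_ok"] += lim.allow(ip, now)
        if attacker_spoofs:
            src = ".".join(str(rng.randrange(256)) for _ in range(4))  # fresh random source
        else:
            src = "192.0.2.66"  # one fixed attacking address
        stats["attack_total"] += 1
        stats["attack_ok"] += lim.allow(src, now)
    stats["tracked_sources"] = len(lim.buckets)
    stats["evictions"] = lim.evictions
    return stats


if __name__ == "__main__":
    print("single source:  ", run_scenario(attacker_spoofs=False))
    print("spoofed sources:", run_scenario(attacker_spoofs=True))
```

Against the single fixed address the limiter lets through only the initial burst plus the sustained rate (a few hundred of the 50,000 packets) while every legitimate packet passes. With a fresh random source per packet every datagram arrives with a full bucket, so all 50,000 are accepted and the table just churns through evictions; nothing the host can compute per source tells the spoofed packets apart, which is why the answer points upstream for case #2.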