
I need to defend against receiving a massive spam of UDP packets from random spoofed IP addresses. I would do it this way:

In my protocol, every UDP packet contains a username and password. A third-party firewall would have an updatable list of users (name and password). It would check whether the packet contains valid data; if yes, it would pass it to my server; if not, my bandwidth would not be affected.

My question is, do you know any service that would allow such solution?

John Lock
  • The credentials in the UDP packets should be protected in some way. Never send that information in clear text. – user2320464 Jun 11 '16 at 00:23
  • I think this is just a simple way of limiting access to non-sensitive material. – Julie Pelletier Jun 11 '16 at 00:27
  • @JuliePelletier Right. It's additional and non sensitive, only for protection purposes. There are other credentials but they are in the encrypted form. – John Lock Jun 11 '16 at 01:58
  • Offloading credential checking would require significant infrastructure, as you're asking it to decrypt the credentials specific to your app and check them against an approved list. This process should be handled in your app. That leaves UDP DDoS mitigation, which has already been discussed here: http://security.stackexchange.com/questions/91548/how-to-mitigate-udp-flood-attacks – user2320464 Jun 11 '16 at 04:24
  • A distributed **UDP Bandwidth Exhaustion** attack cannot be remedied on your side of the router. You could use a 'secret' to prevent an algorithmic DoS, but blocking packets at your perimeter does _nothing_ to reduce the bandwidth cost you've already paid. – Jeff K Feb 24 '17 at 20:43

1 Answer


Whether you use one, two or a dozen servers to handle the task, the bandwidth between the client(s) and the server(s) will remain the same. The only part you can control is the way your server responds to invalid requests or to massive amounts of requests.

One way it could be implemented is by using fail2ban and a firewall on the server. This way your UDP service could log risky cases that would eventually trigger fail2ban rules that you'd have to define. It would be a good idea to quickly block repeating requests for the same IP and increase ban time when they become recidivists.

It is very important for you to note that this type of attack is usually targeting the spoofed IP, not the UDP service itself which only suffers a much weaker side-effect when properly secured.

UDP requests are usually much smaller than their responses, and requiring big requests would also make it harder to perpetrate an efficient attack.

Julie Pelletier
  • My question was not about that, but ok... thanks for the information about this system (fail2ban), but my UDP service is simple and I have full control over it. Firstly, the firewall can exclude everything except that one particular UDP port. Because every UDP packet contains credentials, if they're wrong, the server will not respond to it. If they're valid (and a valid user starts spamming), then there is anyway a rate limit on different operations built into the server; eventually the user can be deleted. Simple and good. You can see now that bandwidth exhaustion is my only problem. – John Lock Jun 11 '16 at 02:19
  • The question is about a "DDoS mitigation service" that has its own firewalls and big bandwidth and can do filtering in the way specified in my post. – John Lock Jun 11 '16 at 02:24
  • What I tried to present to you is that only the output bandwidth can be controlled and that a firewall is a lock: it does not control its rules, it applies them, and doing any authentication from it would be difficult to implement and would perform very poorly. That would actually put your firewall much more at risk from attacks, as it could be much easier to overload. – Julie Pelletier Jun 11 '16 at 02:29
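The following is an added example and not code from the question or the answer above. It puts the two ideas from this thread into one runnable server-side check: the per-packet credential from the question, and the answer's fail2ban-style policy of logging failures, banning a source after repeated failures, and lengthening the ban for recidivists. Everything here is assumed for illustration: the datagram layout `username|tag|payload`, the user table, and the findtime/maxretry/bantime numbers. Following user2320464's comment, the password never travels in the packet; instead the client sends an HMAC-SHA256 tag computed with a per-user secret, which the server checks in constant time. The ban logic reimplements what a fail2ban jail would do so the example runs offline; the `failregex` in the comment shows how the same log line would feed the real fail2ban if you keep it in charge of the firewall.

```python
import hashlib
import hmac
import logging
import time
from collections import defaultdict

log = logging.getLogger("udpauth")

# Constructed user table: the post only says "an updatable list of users".
USERS = {"alice": b"alice-secret", "bob": b"bob-secret"}

# Assumed policy, modelled on a fail2ban jail (findtime / maxretry / bantime)
# plus the "recidive" idea from the answer: every repeat ban doubles in length.
FIND_TIME = 60.0   # seconds in which MAX_RETRY failures trigger a ban
MAX_RETRY = 3
BASE_BAN = 600.0   # first ban, in seconds


def build_datagram(username: str, secret: bytes, payload: bytes) -> bytes:
    """Client side. Wire format (assumed): username|hex(HMAC-SHA256)|payload.
    The tag covers username and payload; the secret itself never goes on the wire."""
    body = username.encode() + b"|" + payload
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    return username.encode() + b"|" + tag + b"|" + payload


def verify(users, datagram: bytes):
    """Return (True, payload) or (False, reason). The tag is compared in constant time."""
    parts = datagram.split(b"|", 2)          # payload may itself contain '|'
    if len(parts) != 3:
        return False, "malformed"
    user, tag, payload = parts
    # Unknown users get a dummy key so response time does not reveal which names exist.
    secret = users.get(user.decode("ascii", "replace"), b"\x00" * 32)
    expected = hmac.new(secret, user + b"|" + payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return False, "bad-mac"
    return True, payload


class UdpGuard:
    """Per-source failure counting and escalating bans, as fail2ban would do from the log.
    Equivalent fail2ban filter for the FAIL line logged below (illustrative):
        [Definition]
        failregex = udpauth: FAIL from <HOST>
    """

    def __init__(self, users, now=time.monotonic):
        self.users = users
        self.now = now                      # injectable clock, so the policy can be tested
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> (expires_at, number_of_bans_so_far)

    def is_banned(self, ip) -> bool:
        entry = self.bans.get(ip)
        return entry is not None and self.now() < entry[0]

    def record_failure(self, ip):
        """Count a failure; return the ban length if this one crossed MAX_RETRY."""
        t = self.now()
        recent = [x for x in self.failures[ip] if t - x < FIND_TIME]
        recent.append(t)
        if len(recent) < MAX_RETRY:
            self.failures[ip] = recent
            return None
        prior = self.bans.get(ip, (0.0, 0))[1]
        duration = BASE_BAN * (2 ** prior)   # recidivists get a longer ban each time
        self.bans[ip] = (t + duration, prior + 1)
        self.failures[ip] = []
        log.warning("udpauth: BAN %s for %.0fs (ban #%d)", ip, duration, prior + 1)
        return duration

    def handle(self, ip, datagram):
        """Return (accepted, payload_or_reason). A rejected packet gets no reply at all,
        so a spoofed source never sees a response and only the inbound bytes cost anything."""
        if self.is_banned(ip):
            return False, "banned"
        ok, result = verify(self.users, datagram)
        if not ok:
            log.info("udpauth: FAIL from %s (%s)", ip, result)
            self.record_failure(ip)
        return ok, result


def simulate(events, users=USERS):
    """Replay constructed (time, ip, datagram) tuples against a guard with a fake clock."""
    clock = [0.0]
    guard = UdpGuard(users, now=lambda: clock[0])
    outcomes = []
    for t, ip, datagram in events:
        clock[0] = float(t)
        outcomes.append(guard.handle(ip, datagram))
    return outcomes, guard


if __name__ == "__main__":
    # Constructed traffic: one valid packet, then a flood of bad tags from a second address.
    good = build_datagram("alice", USERS["alice"], b"hello|world")
    bad = b"alice|" + b"0" * 64 + b"|hello"
    events = [(0, "203.0.113.5", good)] + [(t, "198.51.100.7", bad) for t in (1, 2, 3, 4)]
    for (t, ip, _), (ok, r) in zip(events, simulate(events)[0]):
        print(f"t={t:<4} {ip:<14} accepted={ok} {r!r}")
```

Two caveats that the thread itself raises apply to this code. Bans are keyed by source address, so against the spoofed sources the question describes they never reach the real sender, and the address you ban may belong to the victim the attacker is reflecting off; and, as Jeff K's comment says, nothing here reduces the inbound bytes you have already paid for. What the check buys you is that the server spends almost no CPU and sends no reply for an unauthenticated packet. A replayed valid packet would still pass `verify`; a sequence number or nonce inside the authenticated payload is the usual addition.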