
Basically

I am receiving a lot of packets/data with random info on the UDP protocol. The packet has a header and then a lot of XXXXXXX in its content.

I assume it is a UDP flood, but it comes from different web/dedi hosting companies. Also, this basically uses up all of my download speed. Upload speed stays at 0-1 kb/s.

Is there a way to fight this?

Thanks

  • Without a snippet from a packet capture or more information, there's really not much we can help you with. If it's consuming your downlink bandwidth, even blocking the traffic at the host firewall won't help. You'll most likely need to work with your hosting company or their upstream ISP to get the traffic blocked at that level. – EEAA Jun 28 '10 at 02:22
  • ISP doesn't wanna work with me at all. They say they can change IP only. ISP: Verizon; Service: Fios 25/25 –  Jun 28 '10 at 02:26
  • Is this a residential or business account with Verizon? – EEAA Jun 28 '10 at 02:28
  • Residential... I believe the business one doesn't offer 25/25. I need the highest upload speed for under $100 a month –  Jun 28 '10 at 02:41
  • In that case, this will likely get migrated over to superuser. I don't blame Verizon for not wanting to assist with this on a residential account. If you want business-class support, pay for business-class service. – EEAA Jun 28 '10 at 03:10
  • Can't you firewall or block this kind of stuff at the router level? Something like "drop everything that I didn't request" – TheLQ Jun 28 '10 at 04:21
  • @ErikA: this puts any ISP into a very bad light, because if they refuse to deal with DDoS attacks against residential clients this makes them accessories. This is a situation that can't be dealt with by the user themselves and it needs to be brought upstream. Refusing to help due to lack of business-class service is plain blackmail. – halp Aug 09 '10 at 09:32
  • @TheLQ: No you can't. By the time the DDoS has already reached your perimeter firewall or router it's too late; it has already saturated your incoming connection. Blocking it from that point down doesn't do anything to affect the amount of traffic coming in. It needs to be blocked somewhere further upstream by the ISP. –  May 16 '11 at 02:58

2 Answers

It doesn't matter if you have any UDP services running; even if you drop every UDP packet in, for example, iptables, your RX buffer (that is, your incoming network link) will be saturated.

Try it yourself with a simple UDP flood script and monitor the RX/TX buffer with iftop.

You simply have to contact your ISP to block them higher up in the chain. Either that or get a fatter line which has more capacity than the attacks.

lazlo

Not much that can be done to identify the traffic without some packet traces. Note that you can't trust the source of UDP packets in any way, so they might come from a single host even if the source address is random.

If you don't have a fixed IP the easy solution is to change your mac address, then take a new DHCP lease. That way you will get a new IP address and the traffic will be dropped in a router somewhere until an unlucky guy gets your old IP. Hopefully the one creating the traffic will have stopped by then.

You should also make sure that:

1. The UDP traffic is not legit and part of some protocol your system is speaking, such as DHT.
2. It really eats up all your bandwidth. A few hundred pps is not enough to fill your line. Without the right tools (Wireshark is a good start), estimating how much bandwidth is being used is hard.

pehrs
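As an added example (not code from this thread or either answerer), here is a small Python script that checks pehrs's two points against a packet capture: whether the UDP traffic is the header-plus-filler pattern the question describes, how many sources it comes from, and whether its rate actually approaches the 25 Mbit/s downlink. The capture below is constructed inline; with a real capture you would feed in raw IPv4 frames exported from Wireshark or tcpdump instead. The link capacity, addresses and ports are assumptions.

```python
import struct
from collections import Counter

LINK_MBPS = 25.0  # assumed downlink capacity (the 25/25 FiOS line mentioned in the thread)


def build_ipv4_udp(src_ip, dport, payload):
    """Assemble a minimal IPv4+UDP packet (checksums left zero) for the constructed capture."""
    src = bytes(int(o) for o in src_ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                         src, bytes([192, 168, 1, 10]))
    return ip_hdr + struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload


def parse_ipv4_udp(frame):
    """Return (src_ip, dport, ip_total_len, payload) for an IPv4/UDP packet, else None."""
    if len(frame) < 28 or frame[0] >> 4 != 4 or frame[9] != 17:  # IPv4 with protocol UDP only
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    src_ip = ".".join(str(b) for b in frame[12:16])
    dport = struct.unpack("!H", frame[ihl + 2:ihl + 4])[0]
    return src_ip, dport, total_len, frame[ihl + 8:total_len]


def summarize(capture, link_mbps=LINK_MBPS):
    """capture: list of (timestamp_seconds, raw_ipv4_frame). Returns flood indicators."""
    times, total_bytes, sources, filler = [], 0, Counter(), 0
    for ts, frame in capture:
        parsed = parse_ipv4_udp(frame)
        if parsed is None:
            continue
        src, _dport, length, payload = parsed
        times.append(ts)
        total_bytes += length  # IP bytes only; Ethernet framing adds ~18 bytes/packet on the wire
        sources[src] += 1
        # a payload that is one byte repeated is the "XXXXXXX" filler the question describes
        filler += bool(payload) and payload.count(payload[:1]) == len(payload)
    duration = max(times) - min(times) if len(times) > 1 else 1.0
    mbps = total_bytes * 8 / duration / 1e6
    return {"packets": len(times), "pps": len(times) / duration, "mbps": round(mbps, 2),
            "link_fraction": round(mbps / link_mbps, 2),
            "filler_fraction": round(filler / len(times), 2) if times else 0.0,
            "distinct_sources": len(sources)}


# Constructed sample: ~5000 filler packets/s (500 bytes of "X") from five sources, plus a few
# DHT-style packets on UDP 6881 with varying payloads, the legitimate case pehrs's point 1 warns about.
SAMPLE = [(i / 5000, build_ipv4_udp(f"203.0.113.{1 + i % 5}", 27015, b"X" * 500))
          for i in range(5001)]
SAMPLE += [(k / 10, build_ipv4_udp(f"198.51.100.{k}", 6881, b"d1:ad2:id20:" + bytes(20)))
           for k in range(1, 11)]
```

Run `summarize(SAMPLE)` to see that the filler alone is pushing the line to roughly 85% of the assumed 25 Mbit/s, while the handful of DHT-style packets barely registers.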