
We run a voice / TeamSpeak server which receives legitimate traffic on port 9987 from many IPs. Sometimes we get DDoSed. So people use single servers and send 1-3 Gbits of UDP floods to that port. This interferes with our application.

I would like to log and maybe block IPs that send incoming traffic over a certain threshold of bandwidth or packets per second for example.

Is there any solution using iptables or other networking tools to block or at least log IPs that, for example, send more than 30 MBit/s of UDP traffic? We have a 10 GBit NIC, so bandwidth is not the issue; the application gets overwhelmed by the amount of invalid requests and starts lagging if we don't block it beforehand.

Kevin
  • Related: http://serverfault.com/questions/531941/i-am-under-ddos-what-can-i-do – Deer Hunter Oct 17 '14 at 11:29
  • This is good general advice. We are looking for a very specific firewall config advice that would help detect and deflect abnormal incoming traffic automatically. – Kevin Oct 17 '14 at 11:34
  • UDP traffic is tough to deal with since the source can easily be spoofed. They could send each new request from a different source IP. – Mike Oct 17 '14 at 13:29
  • You can rate limit per IP with the `recent` module or combine it with `tc` using marking to limit bandwidth, but the best solution is to host this at a company providing global DDoS mitigation in its datacenters. – Xavier Lucas Oct 17 '14 at 18:09
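A worked example of the per-IP rate-limiting approach raised in the comments, added here as an illustration; it is not from the question or from any commenter. It uses the iptables `hashlimit` match rather than `recent`, because `hashlimit` can express a threshold both in packets per second and in bytes per second, which is what the 30 MBit/s question asks for. The port 9987 comes from the question; the thresholds, the `UDP_FLOOD_*` chain name, the hash-table sizes and the `UDPFLOOD:` log prefix are assumptions. The script prints the generated rules by default so they can be reviewed, and only applies them when run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example (not from the question or its comments): generate, and optionally apply,
# iptables rules that log and then drop UDP sources exceeding a per-source byte rate or
# packet rate on the voice port. Thresholds, chain name, table sizes and the log prefix
# are illustrative assumptions; adjust them to the real client population.
set -eu

# Print the rule set instead of applying it, so it can be reviewed first.
#   $1 UDP port
#   $2 per-source byte rate in hashlimit syntax (e.g. 3750kb/s, about 30 Mbit/s)
#   $3 per-source packet rate in hashlimit syntax (e.g. 5000/sec)
#   $4 packet burst tolerated above $3 before the source is matched
gen_udp_flood_rules() {
    port=$1; byte_rate=$2; pkt_rate=$3; burst=$4
    chain="UDP_FLOOD_${port}"
    cat <<EOF
iptables -N ${chain} 2>/dev/null || iptables -F ${chain}
iptables -A ${chain} -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "UDPFLOOD:${port} " --log-level 4
iptables -A ${chain} -j DROP
iptables -I INPUT -p udp --dport ${port} -m hashlimit --hashlimit-name udp${port}_bytes --hashlimit-mode srcip --hashlimit-above ${byte_rate} --hashlimit-htable-expire 30000 --hashlimit-htable-max 65536 -j ${chain}
iptables -I INPUT -p udp --dport ${port} -m hashlimit --hashlimit-name udp${port}_pkts --hashlimit-mode srcip --hashlimit-above ${pkt_rate} --hashlimit-burst ${burst} --hashlimit-htable-expire 30000 --hashlimit-htable-max 65536 -j ${chain}
EOF
}

# Dry run by default; APPLY=1 executes the generated commands (requires root).
# The LOG rule is itself rate limited (-m limit) so a flood cannot also flood syslog;
# the first matching packets of a flood are logged, the rest are silently dropped.
rules=$(gen_udp_flood_rules "${PORT:-9987}" "${BYTE_RATE:-3750kb/s}" "${PKT_RATE:-5000/sec}" "${BURST:-10000}")
if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$rules" | sh -e
else
    printf '%s\n' "$rules"
fi
```

Byte-based `hashlimit` rates need a kernel and iptables new enough to support them (see the hashlimit section of iptables-extensions(8)); on older systems only the packet-rate rule will load. After applying, `iptables -L INPUT -v -n` shows how many packets each rule has diverted, `/proc/net/ipt_hashlimit/udp9987_bytes` lists the sources currently being tracked, and the `UDPFLOOD:9987` prefix makes the offending IPs easy to pull out of the kernel log. Two caveats follow from the comments above: a per-source limit does nothing against a flood whose packets each carry a different spoofed source, and such a flood fills the hash table, at which point `hashlimit` drops packets from sources it can no longer allocate an entry for, so `--hashlimit-htable-max` must be sized for the legitimate client population. For multi-gigabit floods this only protects the application from the traffic that reaches the host; upstream mitigation, as suggested in the last comment, remains the real fix.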

0 Answers