So I'm trying to figure something out, if I receive UDP traffic to my server from another server I can't really block it, like the iptables it's just blocking the traffic to being processed, but I want to stop it reaching the interface, is there any method that you can stop an IP sending traffic to a server like not receiving it?
Asked
Active
Viewed 68 times
-5
-
Why do you want to do this? – MadHatter Mar 04 '18 at 10:57
-
1Please edit your title to tell at least something about your problem. This is not a tabloid newspaper website. – Esa Jokinen Mar 04 '18 at 11:29
-
I have no problems, it's just a question, stop being salty. – Curean Nicușor Mar 04 '18 at 16:48
-
And I want to do this to stop an IP from flooding the bandwidth of a server without extra hardware. – Curean Nicușor Mar 04 '18 at 16:50
-
Well, you can't. – MadHatter Mar 07 '18 at 10:52
2 Answers
2
If you want to stop traffic from going over a network link, you have to block it somewhere upstream of the link. If you want to stop traffic from reaching a host, you have to block it somewhere upstream of the host.
If you have a device somewhere upstream of the place you want the traffic not to get and you can configure that device to block the traffic, then you can prevent the traffic from consuming the resources you are trying to protect. Otherwise, you can't.
Firewalls built into a host are good for security because they can prevent the host from processing traffic regardless of how that traffic tries to get to the host. But they're not particularly good at protecting attacks from saturating network links because the traffic gets all the way to the host, consuming resources as it travels.
However, if it's your server replying to the attack that's hurting you (because it's consuming server CPU or network bandwidth on the outbound side), then it doesn't matter where you block the attack traffic.
David Schwartz
- 31,215
- 2
- 53
- 82
1
In any system, you must have some way to identify the traffic being blocked. Yes, you can stop traffic from reaching any number of interfaces by blocking it at an "upstream interface" - this is usually done with a firewall. However, this upstream firewall must receive this undesirable traffic in some way in order to know to block it.
This is one of the primary reasons that network border devices are also firewalls.
Spooler
- 7,016
- 16
- 29
-
I don't have a firewall I just want to block the traffic without extra hardware. – Curean Nicușor Mar 04 '18 at 16:48
-
1Then I can't help you, because it sounds like you have no inkling as to how to implement this, and this question is super-off-topic as it is. Read up on the networking concepts you're concerned with throughly on your own before coming to others for help regarding problems that don't exist yet. – Spooler Mar 04 '18 at 20:02