Automagically Blocking UDP Flooders


beastyforums
January 25th, 2009, 08:45
I recently noticed a constant stream of UDP DNS requests directed at my machine. I contacted the administrators of the netblock and they informed me that the packets are spoofed, and that there is a DDoS directed at that IP address. So I stopped sending responses.

I am interested in blocking people who flood me with DNS requests automatically to limit my machine's efficacy in being part of such an attack. PF seems to provide me a means to do this with TCP connections but not UDP; is there any way I can achieve this? I understand the security implications of doing so but want to do it anyway.

ctaranotte
January 25th, 2009, 10:15
Pf could do the trick.

Have a look in the pf.conf man page on these stateful tracking options: max, source-track rule, max-src-nodes, max-src-conn-rate, overload and flush global.

Hope it helps

beastyforums
January 25th, 2009, 12:33
The overload option doesn't seem to be available for UDP connections. max-src-states almost does what I want, but I would prefer to permanently ignore these hosts.

beastyforums
January 25th, 2009, 12:49
Oh well. I'm blocking the address that appears to be flooding me. And max-src-states slows it down nicely, so hopefully people won't abuse my machine for such things in future.

ctaranotte
January 25th, 2009, 18:55
That's right; only max, source-track rule, max-src-nodes and max-src-states can be used for UDP connections.
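The options listed in the two posts above, put into one pf.conf fragment as an added example (not from the thread or the PF project): the UDP DNS rule uses only the options that apply to UDP (max, source-track rule, max-src-nodes, max-src-states), while the TCP rule gets the TCP-only max-src-conn, max-src-conn-rate, overload and flush global. The interface name, table names, ports and limits are assumptions; the syntax is OpenBSD pf of the 4.x era discussed here.

```conf
# Added example pf.conf fragment; interface, table names and limits are assumed.
ext_if = "em0"

# <flooders> is filled by hand (pfctl -t flooders -T add a.b.c.d) or by a script;
# <bruteforce> is filled by the overload option on the TCP rule below.
# "persist" keeps a table defined even when it is empty.
table <flooders> persist
table <bruteforce> persist

# Reflected DNS queries never need the default UDP timeouts (60s first,
# 30s single, 60s multiple); shorter values keep the state table small.
set timeout { udp.first 20, udp.single 10, udp.multiple 20 }

block in quick on $ext_if from <flooders>
block in quick on $ext_if from <bruteforce>

# UDP: per-source state cap only. Each source may hold at most 10 DNS
# states at a time, across at most 2000 tracked sources, and the rule as
# a whole at most 5000 states. A spoofed victim address with 10 queries
# outstanding gets no new state, so no further responses are reflected
# to it. overload/flush are not accepted here; pf rejects them for UDP.
pass in on $ext_if proto udp from any to $ext_if port domain \
    keep state (max 5000, source-track rule, max-src-nodes 2000, max-src-states 10)

# TCP (zone transfers, sshd, httpd): the TCP-only options work here.
# More than 15 open connections, or more than 5 new ones in 30 seconds,
# from one source adds it to <bruteforce>; "flush global" then kills
# every state that source holds, not just those created by this rule.
pass in on $ext_if proto tcp from any to $ext_if port { domain, ssh, http } \
    flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/30, \
    overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`; `pfctl -s states | grep udp` shows which sources are pinned at the max-src-states limit, and a cron entry running `pfctl -t bruteforce -T expire 3600` ages overloaded sources out after an hour rather than blocking them forever.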

But as some of your ports are open, you might want to add some tcp rules as well.

aragon
January 25th, 2009, 23:29
Automatic blocking can become a denial-of-service attack in itself, used against you too.

beastyforums
January 26th, 2009, 10:36
But as some of your ports are open, you might want to add some tcp rules as well.

And you know about the state of my TCP ports how?

Automatically blocking can become a denial of service attack in itself used against you too.

It's just a DNS service. There is a secondary nameserver people can talk to if they/the entire world were blocked. Though I could probably do well to avoid filling my memory with a long list of spoofed host addresses, so I'll live with the current solution, thanks. :)

ctaranotte
January 26th, 2009, 17:10
And you know about the state of my TCP ports how? :q


Relax, I assumed that you might have other services on your box such as Apache, ftpd or sshd.

beastyforums
January 27th, 2009, 08:18
Relax, I assumed that you might have other services on your box such as Apache, ftpd or sshd.

Wasn't freaking out, just curious. :) But yes, you assume correctly...