Automagically Blocking UDP Flooders

B

beastyforums

I recently noticed a constant stream of UDP DNS requests directed @ my machine. I contacted the administrators of the netblock & they informed me that the packets are spoofed, and that there is a DDoS directed at that IP address. So I stopped sending responses.

I am interested in blocking people who flood me with DNS requests automatically to limit my machine's efficacy in being part of such an attack. PF seems to provide me a means to do this with TCP connections but not UDP; is there any way I can achieve this? I understand the security implications of doing so but want to do it anyway. :stud
 
Pf could do the trick.

Have a look in the pf.conf man page on these stateful tracking options: max, source-track rule, max-src-nodes, max-src-conn-rate, overload and flush global.

Hope it helps
 
The overload option doesn't seem to be available for UDP connections. max-src-states almost does what I want, but I would prefer to permanently ignore these hosts.
 
Oh well. I'm blocking the address that appears to be flooding me. And max-src-states slows it down nicely, so hopefully people won't abuse my machine for such things in future.
 
That's right; only max, source-track rule, max-src-nodes and max-src-states could be used for udp connections.

But as some of your ports are open, you might want to add some tcp rules as well.
 
ctaranotte said:
But as some of your ports are open, you might want to add some tcp rules as well.
Click to expand...

And you know about the state of my TCP ports how? :q

aragon said:
Automatically blocking can become a denial of service attack in itself used against you too.
Click to expand...

It's just a DNS service. There is an secondary nameserver people can talk to if they/the entire world were blocked. Though I could probably do well to avoid filling my memory with a long list of spoofed host addresses, so I'll live with the current solution, thanks. :)
 
You must log in or register to reply here.
Back
Top