Automagically Blocking UDP Flooders

I recently noticed a constant stream of UDP DNS requests directed @ my machine. I contacted the administrators of the netblock & they informed me that the packets are spoofed, and that there is a DDoS directed at that IP address. So I stopped sending responses.

I am interested in blocking people who flood me with DNS requests automatically to limit my machine's efficacy in being part of such an attack. PF seems to provide me a means to do this with TCP connections but not UDP; is there any way I can achieve this? I understand the security implications of doing so but want to do it anyway. :stud
 
Pf could do the trick.

Have a look in the pf.conf man page on these stateful tracking options: max, source-track rule, max-src-nodes, max-src-conn-rate, overload and flush global.

Hope it helps
 
The overload option doesn't seem to be available for UDP connections. max-src-states almost does what I want, but I would prefer to permanently ignore these hosts.
 
Oh well. I'm blocking the address that appears to be flooding me. And max-src-states slows it down nicely, so hopefully people won't abuse my machine for such things in future.
 
That's right; only max, source-track rule, max-src-nodes and max-src-states could be used for udp connections.

But as some of your ports are open, you might want to add some tcp rules as well.
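The thread's distinction in one pf.conf fragment (added example, not from any poster; the interface name, table name and limit values are assumptions):

```pf
# Constructed pf.conf fragment: UDP rules can only use max, source-track
# and the max-src-* state limits, while overload and max-src-conn-rate
# are TCP-only because they depend on the completed 3-way handshake.
ext_if = "em0"            # assumed interface name

# Hosts that trip the TCP limits below; persist keeps the table across reloads.
table <dns_abusers> persist

# Drop everything from listed hosts before any pass rule is evaluated.
block in quick on $ext_if from <dns_abusers>

# UDP DNS: no overload available, so bound state usage per source instead.
# max caps this rule's total states so a spoofed flood cannot exhaust memory;
# max-src-states limits how many states any single source may hold.
pass in on $ext_if proto udp to ($ext_if) port 53 \
    keep state (max 2000, source-track rule, max-src-nodes 500, max-src-states 10)

# TCP DNS (zone transfers, truncated-answer retries): overload applies here,
# so a source exceeding the rate is added to the table and its states flushed.
pass in on $ext_if proto tcp to ($ext_if) port 53 flags S/SA \
    keep state (max-src-conn-rate 20/10, overload <dns_abusers> flush global)
```

Load it with `pfctl -f /etc/pf.conf`, inspect the table with `pfctl -t dns_abusers -T show`, and age out entries from cron with `pfctl -t dns_abusers -T expire 86400` so the table stays bounded rather than growing without limit.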
 
ctaranotte said:
But as some of your ports are open, you might want to add some tcp rules as well.

And you know about the state of my TCP ports how? :q

aragon said:
Automatically blocking can become a denial of service attack in itself used against you too.

It's just a DNS service. There is a secondary nameserver people can talk to if they/the entire world were blocked. Though I could probably do well to avoid filling my memory with a long list of spoofed host addresses, so I'll live with the current solution, thanks. :)
 