m0n0wall Forum, m0n0wall Support (English), Firewall/NAT board
Topic: udp flood
udp flood
« on: April 13, 2011, 21:14:38 »
woger
Posts: 4
Hi there,
I have a monowall guarding a few servers on the web. Lately I am having problems with UDP floods killing my network. It suddenly goes unreachable, and after it comes back up I see hundreds of UDP connections to my servers from an external IP address. I then block this IP immediately, but later it comes from another IP. Is there a way to completely stop these attacks in monowall?
Thanks,
Roger
Re: udp flood
« Reply #1 on: April 13, 2011, 22:13:33 »
Fred Grayson
Posts: 994
There isn't anything you can do in m0n0wall or any other firewall device on your border to stop this. If the volume of the packets is such that all your bandwidth is being used, then it doesn't even matter whether you filter the packets or not; they still arrive at your border and still come through your pipe.
If it's an ongoing problem, you'll have to get your upstream provider involved. If it's predictable enough and they can filter it out before it is sent on to you, you should be OK.
--
Google is your friend and Bob's your uncle.
Re: udp flood
« Reply #2 on: April 13, 2011, 23:04:33 »
brushedmoss
Posts: 446
Is this a pipe filler attack? If you successfully block it, then I assume not. Monowall should block unsolicited UDP, unless you have this port open for a reason?
Re: udp flood
« Reply #3 on: April 14, 2011, 21:26:21 »
woger
Posts: 4
I don't have explicit pipes set up. I tried a little bit with traffic shaping but I can't get it to work.
Most of the attacks are in the high port range (>50000), so I block all UDP traffic above port 10000 now. As far as I know this will not interfere with any normal services. I think only FTP uses higher ports, and only TCP.
Re: udp flood
« Reply #4 on: April 14, 2011, 22:21:06 »
Fred Grayson
Posts: 994
'pipe' in this context is the capacity of your external link, not the pipe or pipes in the m0n0wall traffic shaper.
Again, if this attack is consuming all the available bandwidth of your external link, it makes no difference whether you filter the packets out or not; they still arrive at your firewall and they still overwhelm your link.
On the other hand, if all the external bandwidth is not being consumed, then filtering and not logging the offending packets will serve to keep your filter log from being rotated so fast as to be rendered useless.
The place to effectively act on attacks like this is upstream at your service provider, not locally.
Good luck.
--
Google is your friend and Bob's your uncle.
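The two points made in this thread, picking out the flooding source so it can be blocked and then checking whether blocking it locally can help at all, are easy to work through on a log. The following is an added example written for this page; it is not code from the thread, from the m0n0wall project, or from either poster. The log format it parses is constructed for the example and is not m0n0wall's real filter log format; the sample log is generated inline; the interface name `fxp0`, the packet-rate and port-spread thresholds, and the link speeds tried are all assumptions. It ignores link-layer overhead, so the load figure is a lower bound on what actually crosses the pipe.

```python
from collections import defaultdict

# Constructed log format (not m0n0wall's), one line per packet:
#   <epoch_seconds> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes>
def make_sample_log():
    """Build a constructed 10-second sample: one host floods UDP high ports
    on a server at 600 pkt/s, plus a trickle of legitimate DNS and one TCP line."""
    lines = []
    for t in range(10):
        for i in range(600):
            lines.append(f"{1302729000 + t} UDP 203.0.113.9:{40000 + i % 500} "
                         f"-> 198.51.100.5:{50000 + i % 9000} 1400")
        lines.append(f"{1302729000 + t} UDP 192.0.2.77:{30000 + t} -> 198.51.100.5:53 70")
    lines.append("1302729005 TCP 192.0.2.10:51000 -> 198.51.100.5:80 60")
    return lines

def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    ts, proto, src, _, dst, size = parts
    try:
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return {"ts": int(ts), "proto": proto.upper(), "src_ip": src_ip,
                "src_port": int(src_port), "dst_ip": dst_ip,
                "dst_port": int(dst_port), "bytes": int(size)}
    except ValueError:
        return None

def summarize_udp(lines):
    """Aggregate UDP packets per source IP over the log's time window.
    Returns (per_source, window_seconds); non-UDP and malformed lines are skipped."""
    per_source = defaultdict(lambda: {"packets": 0, "bytes": 0, "dst_ports": set()})
    first = last = None
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        first = rec["ts"] if first is None else min(first, rec["ts"])
        last = rec["ts"] if last is None else max(last, rec["ts"])
        s = per_source[rec["src_ip"]]
        s["packets"] += 1
        s["bytes"] += rec["bytes"]
        s["dst_ports"].add(rec["dst_port"])
    window = 0 if first is None else last - first + 1   # inclusive seconds
    return dict(per_source), window

def flood_sources(per_source, window, pps_threshold=100, min_ports=50):
    """Sources averaging more than pps_threshold UDP pkt/s and spraying at
    least min_ports distinct destination ports (thresholds are assumptions)."""
    if window <= 0:
        return []
    hits = [(ip, s["packets"] / window) for ip, s in per_source.items()
            if s["packets"] / window > pps_threshold and len(s["dst_ports"]) >= min_ports]
    return sorted(hits, key=lambda h: -h[1])

def offered_load_mbps(per_source, window):
    """Average UDP load in Mbit/s from logged packet sizes (no link-layer overhead)."""
    if window <= 0:
        return 0.0
    return sum(s["bytes"] for s in per_source.values()) * 8 / window / 1e6

def local_filtering_helps(per_source, window, link_mbps):
    """The thread's key point: if the flood alone exceeds the external link's
    capacity, the packets fill the pipe before the firewall can drop them, and
    only upstream filtering can help. Returns True when there is headroom."""
    return offered_load_mbps(per_source, window) < link_mbps

def block_rules(ips, wan_if="fxp0"):
    """ipfilter-style block rules for the flagged sources; the interface name is
    an assumption, and m0n0wall rules are normally entered via its web GUI."""
    return [f"block in quick on {wan_if} proto udp from {ip} to any" for ip in ips]

if __name__ == "__main__":
    per_source, window = summarize_udp(make_sample_log())
    floods = flood_sources(per_source, window)
    print(f"window {window}s, offered UDP load {offered_load_mbps(per_source, window):.2f} Mbit/s")
    for ip, pps in floods:
        print(f"flood source {ip}: {pps:.0f} pkt/s over {len(per_source[ip]['dst_ports'])} ports")
    for link in (2, 10):   # assumed external link speeds in Mbit/s
        verdict = "helps" if local_filtering_helps(per_source, window, link) else "cannot help"
        print(f"{link} Mbit/s link: local filtering {verdict}")
    for rule in block_rules([ip for ip, _ in floods]):
        print(rule)
```

With the constructed sample the flood source is flagged at 600 pkt/s, the offered load works out to about 6.7 Mbit/s, so on a 10 Mbit/s link dropping it at the border (without logging every packet) keeps the link usable, while on a 2 Mbit/s link the same drop rule changes nothing and the provider has to filter upstream.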