Block an IP for UDP

7,315

As I and others are telling you above, blocking traffic with iptables doesn't prevent it from reaching your server; it only stops your server from processing it. If the sheer volume of traffic is saturating your server's connection, and causing you to lose connectivity to it, you have no choice but to work with your hosting provider, to have them filter out this traffic before it reaches the pipe (virtual or physical) to your server.

If your provider is unwilling or unable to do this, then you've just found a good reason to migrate to a better provider.
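One way to check this from the server itself, as an added example that is not part of the original answer: compare the byte counters on the DROP rules with the interface's receive counter, which is taken before netfilter and therefore still includes dropped packets. The interface name, the 100 Mbit/s link speed and the 90% threshold are assumptions, and the sample counters are constructed.

```shell
#!/bin/sh
# Added example, not from the original answer. Interface name, link speed and
# the 90% threshold are assumptions; the sample counters below are constructed.

# Sum the byte counters of all DROP rules in `iptables -nvxL INPUT` output (stdin).
drop_bytes() {
    awk '$3 == "DROP" { s += $2 } END { printf "%.0f\n", s }'
}

# Print received bytes for interface $1 from /proc/net/dev-style text (stdin).
# This counter is taken at the NIC, before netfilter, so dropped packets count too.
rx_bytes() {
    sed 's/:/ /' | awk -v i="$1" '$1 == i { printf "%.0f\n", $2 }'
}

# classify RX_DELTA DROP_DELTA SECONDS LINK_MBIT
# Deltas are byte-counter differences between two samples SECONDS apart.
classify() {
    awk -v rx="$1" -v dr="$2" -v s="$3" -v link="$4" 'BEGIN {
        rx_mbit = rx * 8 / s / 1000000
        if (dr == 0)                    v = "rules-not-matching"
        else if (rx_mbit >= 0.9 * link) v = "link-saturated"   # filter upstream
        else                            v = "dropped-locally"  # host firewall copes
        printf "%s rx=%.1fMbit/s\n", v, rx_mbit
    }'
}

# Live use (needs root): live_check eth0 10 100
live_check() {
    d0=$(iptables -nvxL INPUT | drop_bytes); r0=$(rx_bytes "$1" < /proc/net/dev)
    sleep "$2"
    d1=$(iptables -nvxL INPUT | drop_bytes); r1=$(rx_bytes "$1" < /proc/net/dev)
    classify "$((r1 - r0))" "$((d1 - d0))" "$2" "$3"
}

# Constructed samples (documentation addresses from 203.0.113.0/24).
SAMPLE_RULES='Chain INPUT (policy ACCEPT 10 packets, 800 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  900000 1200000000 DROP       all  --  *      *       203.0.113.10         0.0.0.0/0
   50000   60000000 DROP       all  --  *      *       203.0.113.11         0.0.0.0/0'
SAMPLE_DEV='  eth0: 1300000000 960000 0 0 0 0 0 0 5000000 40000 0 0 0 0 0 0'

printf '%s\n' "$SAMPLE_RULES" | drop_bytes    # bytes discarded by DROP rules
printf '%s\n' "$SAMPLE_DEV" | rx_bytes eth0   # bytes that still arrived on the wire
classify 120000000 118000000 10 100           # deltas over 10 s on a 100 Mbit/s link
```

A "link-saturated" result while the DROP counters keep rising is the situation the answer describes: the rules are matching, but the link is already full before the packets reach them.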


Author: Niky

Updated on September 18, 2022

Comments

  • Niky
    Niky over 1 year

    I am under a UDP flood attack. I used the following protections to solve it:

    iptables IP ban:

    iptables -I INPUT -s 37.187.231.xxx -j DROP
    

    Tried another iptables syntax:

    /sbin/iptables -I INPUT -i eth0 -s 37.187.231.xxx -j DROP
    

    Tried to limit the UDP packets:

    iptables -A INPUT -p udp -m udp --dport 0:65535 -m state --state NEW -m recent --update --seconds 1 --hitcount 10 --name UDP --rsource -j DROP 
    

    Completely disabled UDP packets:

    iptables -A INPUT -p udp -j DROP
    

    All the ports are closed. Below is the output of - netstat -an | grep "udp"

    udp        0      0 127.0.0.1:53            0.0.0.0:*
    udp6       0      0 ::1:53                  :::*
    

    I have the following software installed:

    Ubuntu 14.04
    UFW Firewall
    i7 processor with 16GB Ram
    

    Only port 80 is opened.

    I am still being attacked by a UDP flood. The "sudo iftop -n" command shows heavy MBs of input traffic from the IPs I have already blocked using iptables. Maybe iptables did not block the IPs? If so, how can I fix it?

    • Niky
      Niky about 9 years
      Good question. I am not an expert, but that is my assumption. sudo iftop -n shows heavy MBs of traffic from the IPs that I have already banned using iptables. So that person is still sending loads of traffic to my server? Is there a better way to block an IP permanently?
    • Vamsi M
      Vamsi M about 9 years
      Hi, iptables will be a stressful solution because you must block the attackers' IP addresses one by one, but the attacker can change his IP address as much as he can. Do you accept another option for a solution?
    • Niky
      Niky about 9 years
      I have a Kimsufi server. They do not provide any help or support :( I am on my own. The person who is DoSing my server is openly saying it :) He comes and says "now server is going down ta ta". Then traffic increases and the server becomes unresponsive.
    • MadHatter
      MadHatter about 9 years
      I don't think you're quite getting my point. In all likelihood, you are blocking the traffic. But that doesn't stop people from sending it to you; that is not something you can achieve from where you are. You will need to work with your hosting provider to get them to stop passing the traffic to you, if it's overwhelming your connection.
    • Niky
      Niky about 9 years
      @ravasquezgt Thanks for your message. The attacker is only using 10 IPs and I do not mind blocking his new IPs but at least it should work. I am open to any solution as long as I can overcome this problem.
    • Tero Kilkanen
      Tero Kilkanen about 9 years
      It doesn't help if you block the IPs on your own server, because the traffic floods up the connection between your server and the Internet. You need to contact your hosting provider if they have any options available to filter the traffic in their systems.
    • Vamsi M
      Vamsi M about 9 years
      @Niky I conclude, like the others, that you must contact your ISP to ask for a solution for DoS on the cloud. Why? Because the attacker can increase the traffic to your port 80 whenever he wants. If your ISP is not an option, answer here and we can try with Snort.
    • MadHatter
      MadHatter about 9 years
      @TeroKilkanen thanks, Tero: I guess I wasn't making that point clearly enough!