# Filtering UDP packet with certain length



## zulus (Mar 12, 2013)

Hello, 

Is there a way to filter UDP packets with certain length with FreeBSD (PF or IPFW)? I'm suffering from a UDP flood with packets with 0 or 1 length.


----------



## SirDice (Mar 12, 2013)

What version of FreeBSD?


----------



## zulus (Mar 12, 2013)

FreeBSD 9.1


----------



## SirDice (Mar 12, 2013)

Just block all incoming connections.


----------



## zulus (Mar 12, 2013)

That server is the gateway to other services which are DDoS-flooded. I'm trying to protect them.


----------



## kpa (Mar 12, 2013)

Are you aware that by blocking all incoming connections except the ones specifically allowed you'll be already doing the most you can do about DDOS attacks yourself?

If that does not help you'll have to contact your connection provider for assistance.


----------



## zulus (Mar 12, 2013)

That is not a solution which fits my case. That is why I ask for help with the firewall, but it looks like FreeBSD is not helpful in that case.


----------



## kpa (Mar 12, 2013)

Look, if the packets are reaching your firewall there is nothing else to do but drop them if you don't want to let them through. Stop thinking that there is some magical "DDOS protection" that can be implemented with a firewall; such a thing does not exist.


----------



## zulus (Mar 12, 2013)

Well, I'm trying to drop a particular type of packet, UDP with length 0, which are DDoSing one of my internal servers. My upstream is fat enough to handle the DDoS, like 10G.

So I think you get my point, right?


----------



## Anonymous (Mar 13, 2013)

You might want to try something like the following:

`# ipfw add 1 deny udp from any to any iplen 20,21 via EXTIF in`

Notes:

This assumes that ipfw(8) is up and running.

Replace EXTIF by the actual external interface name.

The iplen parameters include the IP header length. If there are no optional fields, then the IHL is 20 bytes, and so this rule would block UDP packets coming in via the external interface having a 20-byte IHL and zero or 1 byte of data. If there are optional fields in the DDoS packets, then you have to tweak the numbers a little bit.


----------
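The following is an added example, not code from the thread or from the ipfw project, showing how the value ipfw's `iplen` option compares against (the IPv4 total-length field) relates to the IP header length, the fixed 8-byte UDP header and the UDP payload. It builds a few constructed IPv4/UDP packets with dummy TEST-NET addresses, parses the length fields back out of the raw bytes, mirrors an `iplen N,M` match against them, and computes the `iplen` list needed for a given set of payload sizes and a given IHL. The `build_udp_packet`, `parse_lengths`, `iplen_matches` and `iplen_for_payloads` names are this example's own.

```python
"""Added example (not from the thread): relate ipfw `iplen` to IPv4 header,
UDP header and payload sizes using constructed sample packets."""
import struct
from typing import List, Tuple

UDP_HEADER_LEN = 8  # UDP header is always 8 bytes (RFC 768)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(payload: bytes, ip_options: bytes = b"") -> bytes:
    """Build a minimal IPv4/UDP packet. Addresses are constructed TEST-NET-1
    values (192.0.2.1 -> 192.0.2.2); ports are arbitrary sample values."""
    if len(ip_options) % 4:
        raise ValueError("IPv4 options must be padded to a 4-byte boundary")
    ihl_words = 5 + len(ip_options) // 4
    total_len = ihl_words * 4 + UDP_HEADER_LEN + len(payload)
    udp = struct.pack("!HHHH", 40000, 53, UDP_HEADER_LEN + len(payload), 0) + payload
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl_words,  # version 4, IHL in 32-bit words
        0,                     # TOS
        total_len,             # total length: header + UDP header + payload
        0, 0,                  # identification, flags/fragment offset
        64, 17, 0,             # TTL, protocol 17 = UDP, checksum placeholder
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),
    ) + ip_options
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + udp


def parse_lengths(packet: bytes) -> Tuple[int, int, int]:
    """Return (IP total length, IHL in bytes, UDP payload length) from raw bytes.
    The first value is what ipfw's `iplen` option compares against."""
    ihl_bytes = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 17:
        raise ValueError("not a UDP packet")
    udp_len = struct.unpack("!H", packet[ihl_bytes + 4:ihl_bytes + 6])[0]
    return total_len, ihl_bytes, udp_len - UDP_HEADER_LEN


def iplen_matches(packet: bytes, iplen_list: List[int]) -> bool:
    """Mirror `ipfw ... iplen N,M`: match when the IP total length is listed."""
    return parse_lengths(packet)[0] in iplen_list


def iplen_for_payloads(payload_sizes, ihl_bytes: int = 20) -> List[int]:
    """iplen values that catch UDP datagrams carrying the given payload sizes:
    IP header (IHL) + 8-byte UDP header + payload."""
    return [ihl_bytes + UDP_HEADER_LEN + n for n in payload_sizes]


if __name__ == "__main__":
    rule_from_thread = [20, 21]
    rule_computed = iplen_for_payloads([0, 1])  # [28, 29] for a 20-byte IHL
    for n in (0, 1, 2):
        pkt = build_udp_packet(b"A" * n)
        total, ihl, payload = parse_lengths(pkt)
        print("payload=%d iplen=%d ihl=%d  matches 20,21: %s  matches %s: %s"
              % (payload, total, ihl, iplen_matches(pkt, rule_from_thread),
                 rule_computed, iplen_matches(pkt, rule_computed)))
```

Run as-is to see, for each constructed packet, the total length a rule's `iplen` list is compared against and whether the listed values catch it. Because the UDP header contributes 8 bytes, a datagram with a 0- or 1-byte payload and no IP options carries an IP total length of 28 or 29; `iplen_for_payloads` gives the list for a different IHL when the flood packets carry options. On a real host, confirming the length field of the offending packets with tcpdump before choosing the values is cheaper than guessing.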



## zulus (Mar 13, 2013)

Thanks, I will try that and let you know.


----------



## zulus (Mar 18, 2013)

Thanks, that worked perfectly.


----------

