# Automagically Blocking UDP Flooders



## beastyforums (Jan 25, 2009)

I recently noticed a constant stream of UDP DNS requests directed @ my machine. I contacted the administrators of the netblock & they informed me that the packets are spoofed, and that there is a DDoS directed at that IP address. So I stopped sending responses.

I am interested in blocking people who flood me with DNS requests automatically to limit my machine's efficacy in being part of such an attack. PF seems to provide me a means to do this with TCP connections but not UDP; is there any way I can achieve this? I understand the security implications of doing so but want to do it anyway. :stud


----------



## ctaranotte (Jan 25, 2009)

Pf could do the trick.

Have a look in the pf.conf man page on these stateful tracking options: max, source-track rule, max-src-nodes, max-src-conn-rate, overload and flush global.

Hope it helps


----------



## beastyforums (Jan 25, 2009)

The overload option doesn't seem to be available for UDP connections. max-src-states almost does what I want, but I would prefer to permanently ignore these hosts.


----------



## beastyforums (Jan 25, 2009)

Oh well. I'm blocking the address that appears to be flooding me. And max-src-states slows it down nicely, so hopefully people won't abuse my machine for such things in future.


----------



## ctaranotte (Jan 25, 2009)

That's right; only max, source-track rule, max-src-nodes and max-src-states can be used for UDP connections.

But as some of your ports are open, you might want to add some tcp rules as well.


----------
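For reference, the options named in the two posts above put side by side in a pf.conf fragment. This is an added example, not configuration posted in the thread; the interface name, the table name and every numeric limit are assumptions chosen for illustration.

```pf
# Added example (not from the thread): which stateful-tracking options pf
# offers for UDP versus TCP on a DNS server.  em0, the table name and all
# limits are assumptions.
ext_if = "em0"

# Table the TCP overload rule fills; persist keeps it across rule reloads.
table <flooders> persist

# Addresses in the table are dropped before any state lookup.
block in quick on $ext_if from <flooders>

# UDP: there is no handshake for pf to observe, so max-src-conn,
# max-src-conn-rate, overload and flush are not accepted here.  What remains:
#   max            total states this rule may hold
#   source-track   per-source accounting (needed by the two options below)
#   max-src-nodes  distinct source addresses allowed state at once; this also
#                  bounds the memory a flood of spoofed sources can consume
#   max-src-states states a single source may hold under this rule
pass in on $ext_if inet proto udp to $ext_if port domain \
    keep state (max 10000, source-track rule, max-src-nodes 2000, max-src-states 5)

# TCP: the completed three-way handshake proves the source is not spoofed,
# so pf can rate-limit new connections per source and move offenders into
# the table; flush global also removes the states they created via other rules.
pass in on $ext_if inet proto tcp to $ext_if port domain flags S/SA \
    keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <flooders> flush global)
```

`pfctl -s sources` lists the per-source tracking entries the UDP rule creates, and `pfctl -t flooders -T show` lists what the TCP rule has blocked. A host found by hand, as in the thread, can be added with `pfctl -t flooders -T add <address>`, and `pfctl -t flooders -T expire 86400` drops entries older than a day, which addresses the point made later in the thread that auto-blocking spoofed sources can itself become a denial of service against legitimate clients.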



## aragon (Jan 25, 2009)

Automatically blocking can become a denial of service attack in itself used against you too.


----------



## beastyforums (Jan 26, 2009)

ctaranotte said:

> But as some of your ports are open, you might want to add some tcp rules as well.



And you know about the state of my TCP ports how? :q



			
				aragon said:
			
		

> Automatically blocking can become a denial of service attack in itself used against you too.



It's just a DNS service. There is a secondary nameserver people can talk to if they/the entire world were blocked. Though I could probably do well to avoid filling my memory with a long list of spoofed host addresses, so I'll live with the current solution, thanks.


----------



## ctaranotte (Jan 26, 2009)

beastyforums said:

> And you know about the state of my TCP ports how? :q



Relax, I assumed that you might have other services on your box such as Apache, ftpd or sshd.


----------



## beastyforums (Jan 27, 2009)

ctaranotte said:

> Relax, I assumed that you might have other services on your box such as Apache, ftpd or sshd.



Wasn't freaking out, just curious. But yes, you assume correctly...


----------

