
Can I block all incoming UDP traffic via iptables?

Sure - but it will likely not do you any good.

"Would this be effective against UDP DDoS attacks?"

Depends what the DDoS is hitting. From your other questions, it's clear that bandwidth is your concern, so discarding the request once it's already hit your server will do you no good, especially since your current configuration is likely already discarding the packets immediately.

Since you're running a web server, a far more effective (and far more common) DDoS strategy would be to use TCP connections on open ports, exhausting system resources without having to locally use as much upstream bandwidth as they're consuming of your downstream.

"And if I can block all UDP traffic, would this cause any problems in Linux?"

UDP is a stateless protocol; blocking all traffic would block, for instance, inbound replies to DNS requests made by your server.

Can you look into what port they're sending data to? That may really shed some light on this issue.

More to the point, the "attack" traffic looks to be fragmented UDP packets of exactly 8192 bytes - that strikes me as some kind of file transfer. The source of the traffic seems to be a legitimate data center: 64.37.60.212 is these guys (I'm assuming that those PTR records are legit, here - confirm that the source IP matches the PTR records), and they have a very clear policy about abusive traffic posted; if nothing else, you can contact their abuse address. I continue to be unconvinced that this is a DoS at all (and it's clearly not a DDoS, as pointed out); they're certainly exhausting your inbound bandwidth, but it may not be intentional or malicious.

Quote: tcpdump -i eth1 -nnaexs 0 tcp port 80 | grep -e http -w /pcaps/tcpdump.out

I don't know for sure that the -w option will work after piping through grep, as -w is used to write 'raw. If you aren't writing to the file, as you intend, try the '-w' option, followed by the directory and file you want to write to.
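One way to do the triage the answer asks for (which ports the traffic is hitting, whether it is a uniform stream of equal-sized datagrams, and how much of the inbound UDP is really replies to the server's own DNS queries), as an added example that is not from the original thread. It parses the one-line summaries printed by `tcpdump -nn`; the sample capture is constructed, and 10.0.0.5 (the server) and 192.0.2.53 (its resolver) are placeholder addresses.

```python
import re
from collections import defaultdict

# One-line UDP summaries as printed by "tcpdump -nn" (no name/port lookups):
#   "12:00:01.123456 IP 64.37.60.212.53720 > 10.0.0.5.40000: UDP, length 8192"
# The first fragment of an oversized datagram shows as "UDP, bad length 8192 > 1472";
# continuation fragments carry no port numbers ("ip-proto-17") and are skipped here.
UDP_LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, (?:bad )?length (?P<length>\d+)"
)

def summarize_inbound_udp(lines, local_ip):
    """Group inbound UDP to local_ip by (source IP, destination port).

    Each group records packet count, total bytes, the set of datagram lengths
    seen, and whether the source port is 53, i.e. a reply to a DNS query this
    server sent (traffic a blanket 'iptables -A INPUT -p udp -j DROP' discards too)."""
    groups = defaultdict(lambda: {"packets": 0, "bytes": 0, "lengths": set(), "dns_reply": False})
    for line in lines:
        m = UDP_LINE.match(line)
        if not m or m["dst"] != local_ip:
            continue  # outbound, non-UDP, or a continuation fragment
        g = groups[(m["src"], int(m["dport"]))]
        length = int(m["length"])
        g["packets"] += 1
        g["bytes"] += length
        g["lengths"].add(length)
        if int(m["sport"]) == 53:
            g["dns_reply"] = True
    return dict(groups)

def uniform_size_sources(groups, min_packets=3):
    """(src, dport) groups where every datagram had the same length: a stream of
    equal, oversized datagrams looks like a transfer rather than varied probes."""
    return sorted(k for k, g in groups.items()
                  if g["packets"] >= min_packets and len(g["lengths"]) == 1)

# Constructed sample capture (not real traffic).
SAMPLE = [
    "12:00:01.000001 IP 64.37.60.212.53720 > 10.0.0.5.40000: UDP, bad length 8192 > 1472",
    "12:00:01.000002 IP 64.37.60.212 > 10.0.0.5: ip-proto-17",
    "12:00:01.000100 IP 64.37.60.212.53720 > 10.0.0.5.40000: UDP, bad length 8192 > 1472",
    "12:00:01.000200 IP 64.37.60.212.53720 > 10.0.0.5.40000: UDP, bad length 8192 > 1472",
    "12:00:01.500000 IP 192.0.2.53.53 > 10.0.0.5.51000: UDP, length 120",
    "12:00:01.600000 IP 10.0.0.5.51001 > 192.0.2.53.53: UDP, length 60",
]

if __name__ == "__main__":
    groups = summarize_inbound_udp(SAMPLE, "10.0.0.5")
    for (src, dport), g in groups.items():
        print(f"{src} -> :{dport}  {g['packets']} pkts  {g['bytes']} bytes  dns_reply={g['dns_reply']}")
    print("uniform-size sources:", uniform_size_sources(groups))
```

Feed it real output with `tcpdump -nn -i eth0 udp | python3 udp_triage.py` style plumbing once you swap the sample for `sys.stdin`; a group that hits one port with identical lengths, from one source with valid PTR records, is the pattern the answer describes.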
