cent os 7 hashlimit

is there any possible method to response with udp reset on every ip's first udp request on cent os 7 with hashlimit to block UDP spoofing ?
FireBallITAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Zephyr ICTCloud ArchitectCommented:
I'd approach it another way, if you want to go the hashlimit way, why not limit the rate of the udp packets arriving and drop the ones that are going over the limit...? And do this for all NEW packets, something like this:
iptables -I INPUT -m hashlimit -m udp -p udp --dport 53 --hashlimit-above 200/sec --hashlimit-mode srcip --hashlimit-name udplimit -m state --state NEW -j DROP

Open in new window


The port 53 is an example here of course ... You can also add "–hashlimit-burst 245" and "–hashlimit-srcmask 32" (numbers are an example) to fine tune.

That would at least help in somewhat mitigating an attack no?

You could also, instead of dropping the packets just log them, or do that to first see the effect of the rule maybe.
FireBallITAuthor Commented:
we are getting an attack from spoofed source with 200.000 + ip address per second any ip does not hit the second time.

So sending back reset sign on every first connection of each ip the correct solution
gheistCommented:
UDP has no feedback chain. You can send various destination unreachable messages in hope originating host reacts on them.
There is no way to tell UDP to slow down. Plain dropping them as close to origin as possible is the only way.
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

FireBallITAuthor Commented:
dear gheist  ;

We are working on public internet so we can not find the orign in spoof udp but we realize that any spoof ip does not hit second time on many of the attacks. So we decide the block the first request of each ip with reset icmp .

Is there any way of this ?
gheistCommented:
There is NO SUCH ICMP MESSAGE

By sending anything to spoofed (i.e that you are 100% sure it was not the host who sent it) origin you are just DoS-ing yourself and some innocent on the internet.
FireBallITAuthor Commented:
ok so does it make sense to drop the first packet only from each ip's request ?
Is there any possibility of doing this ?

we are gettig hundreds of attack types. And we are effecting just some of them forget about the origin of the attack pleas.
Zephyr ICTCloud ArchitectCommented:
I stand by my solution above, UDP is stateless, there is no target based binding, hence you drop the packets or reject them. But even if you did this valuable resources of your system will be used to react on these many, many packets and in sense use up your bandwidth.

normally you would handle these things with your edge routers, you'd configure these routers to not allow IP-directed-broadcast transmissions (on Cisco routers, this is called "no ip directed-broadcast" interface command) for example.

You might also into other security appliances or use something like pfsense as an IDS/pre-fw in between the Internet and your servers to react on certain attacks and filter this traffic.

Also take a look at this paper from Cisco.
gheistCommented:
UDP does not have SYN packet top drop. Each packet is a new state.
FireBallITAuthor Commented:
yes gheist i know it but as far as haslimits follow the connection limits it should count the packet count from an ip i just want to drop first packet

Dear spravtek we are a public datacenter who use ip addresses from ripe with 40Gbps bandwith
our all network is covered by 10G links. We are not looking for an internal solution our UDP stream servers getting udp attacks and SRX 3K is not enough to solve it it applies only threshold limits. And we need sth. like anomaly detector or spoofed atttacks uses millions of different ip which never hits second time. The only way to drop first packet to stop it
gheistCommented:
Trying to make state off UDP is quite pointless as it has no state.
you can fill conntrack easily on e.g. DNS server with default iptables configuration.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux

From novice to tech pro — start learning today.