Hetzner and the UDP Flood
Posted by Fizzadar, 09-12-2011, 11:36 AM | Twice this week we've had new clients sign up and later run UDP floods. When Hetzner's routers detect this, they physically disconnect the node:
15:17:09.560004 IP 178.63.172.207 > 68.33.95.143: udp
15:17:09.560129 IP 178.63.172.207 > 68.33.95.143: udp
15:17:09.560251 IP 178.63.172.207.38788 > 68.33.95.143.29400: UDP, length 9216
15:17:09.560374 IP 178.63.172.207 > 68.33.95.143: udp
15:17:09.560497 IP 178.63.172.207.45054 > 68.33.95.143.16411: UDP, length 9216
15:17:09.560621 IP 178.63.172.207.45052 > 68.33.95.143.57187: UDP, length 9216
15:17:09.560747 IP 178.63.172.207 > 68.33.95.143: udp
+ (lots of similar lines)
I reached out to Hetzner, asking if they had any ideas on how I could track/prevent this at a node level, but with no effect. Does anyone have any ideas? I've already limited the rate of UDP packets on the nodes to 500/s (burst 1000). But a more robust solution would be perfect.
And of course it needs to work on OpenVZ. Any help is greatly appreciated!
|
Posted by quantumphysics, 09-12-2011, 11:45 AM | consider filtering your client base better - or not advertising on digitalpoint
|
Posted by Fizzadar, 09-12-2011, 11:48 AM | Thanks
Of course we keep tabs on new signups, but sometimes (in this case) it's impossible to tell. All the details checked out and MaxMind flagged the other with a score of 1.
There's always going to be some that get through; I'm looking for a hard-set way to block the attacks before they can cause any problem.
|
Posted by quantumphysics, 09-12-2011, 11:52 AM | are you sure it's them signing up to attack and not from a very quick compromise?
have you considered dropping udp traffic completely until requested because in general web hosting doesn't particularly need it?
|
Posted by Fizzadar, 09-12-2011, 11:54 AM | Well, in this case they've been with us for a month now. I may well just block all UDP traffic until requested as you said, since it would definitely resolve the issue
|
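One way to track, on the node, which source address is behind a flood like the capture in the first post (an added example, not part of the thread): it parses `tcpdump -n` text output, counts fragment lines (bare `udp`) as well as lines with ports, and reports sources above a packets-per-second limit. The function names and sample addresses are constructed for illustration; 500/s is the limit mentioned in the thread.

```python
import re
from collections import Counter, defaultdict

# tcpdump -n line: time, "IP", src[.port] > dst[.port]: then "UDP, length N"
# for a whole datagram / first fragment, or bare "udp" for a later fragment.
LINE = re.compile(
    r"^(\d\d:\d\d:\d\d)\.\d+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (UDP, length \d+|udp)\s*$"
)

def peak_udp_pps(lines):
    """Return {source_ip: highest UDP packet count in any one-second bucket}."""
    buckets = Counter()
    for line in lines:
        m = LINE.match(line)
        if m:  # non-UDP or unparsable lines are ignored
            second, src = m.group(1), m.group(2)
            buckets[(src, second)] += 1
    peaks = defaultdict(int)
    for (src, _second), count in buckets.items():
        peaks[src] = max(peaks[src], count)
    return dict(peaks)

def flooders(lines, limit_pps=500):
    """Sources whose peak rate exceeds limit_pps (500/s is the thread's limit)."""
    return {s: n for s, n in peak_udp_pps(lines).items() if n > limit_pps}

def constructed_capture():
    """Constructed sample: one noisy source, one quiet one (RFC 5737 addresses)."""
    out = []
    for i in range(600):  # 600 packets inside the same second
        ts = f"15:17:09.{560000 + i:06d}"
        if i % 3 == 0:
            out.append(f"{ts} IP 192.0.2.10.{40000 + i} > "
                       f"198.51.100.7.{20000 + i}: UDP, length 9216")
        else:  # later fragments carry no port numbers
            out.append(f"{ts} IP 192.0.2.10 > 198.51.100.7: udp")
    out.append("15:17:09.900000 IP 192.0.2.20.40001 > 198.51.100.9.40002: UDP, length 40")
    out.append("15:17:10.100000 IP 192.0.2.20.40001 > 198.51.100.9.40002: UDP, length 40")
    return out

if __name__ == "__main__":
    for src, pps in flooders(constructed_capture()).items():
        print(f"{src} peaked at {pps} UDP packets/s")
```

Counting only the lines that show ports would miss two thirds of the packets in this sample, since 9216-byte datagrams are fragmented and later fragments appear as bare `udp`.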