Knowledgebase

Hetzner and the UDP Flood

Posted by Fizzadar, 09-12-2011, 11:36 AM
Twice this week we've had new clients sign up and later run UDP floods. When Hetzner's routers detect this, they physically disconnect the node:

15:17:09.560004 IP 178.63.172.207 > 68.33.95.143: udp
15:17:09.560129 IP 178.63.172.207 > 68.33.95.143: udp
15:17:09.560251 IP 178.63.172.207.38788 > 68.33.95.143.29400: UDP, length 9216
15:17:09.560374 IP 178.63.172.207 > 68.33.95.143: udp
15:17:09.560497 IP 178.63.172.207.45054 > 68.33.95.143.16411: UDP, length 9216
15:17:09.560621 IP 178.63.172.207.45052 > 68.33.95.143.57187: UDP, length 9216
15:17:09.560747 IP 178.63.172.207 > 68.33.95.143: udp
+ (lots of similar lines)

I reached out to Hetzner, asking if they had any ideas on how I could track/prevent this at a node level, but with no effect. Does anyone have any ideas? I've already limited the rate of UDP packets on the nodes to 500/s (burst 1000). But a more robust solution would be perfect. And of course it needs to work on OpenVZ. Any help is greatly appreciated!

Posted by quantumphysics, 09-12-2011, 11:45 AM
Consider filtering your client base better - or not advertising on digitalpoint.

Posted by Fizzadar, 09-12-2011, 11:48 AM
Thanks. Of course we keep tabs on new signups, but sometimes (in this case) it's impossible to tell. All the details checked out and MaxMind flagged the other with a score of 1. There's always going to be some that get through; I'm looking for a hard-set way to block the attacks before they can cause any problem.

Posted by quantumphysics, 09-12-2011, 11:52 AM
Are you sure it's them signing up to attack and not from a very quick compromise? Have you considered dropping UDP traffic completely until requested, because in general web hosting doesn't particularly need it?

Posted by Fizzadar, 09-12-2011, 11:54 AM
Well, in this case they've been with us for a month now. I may well just block all UDP traffic until requested as you said, since it would definitely resolve the issue.
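
Added example, not part of the thread or anyone's production code: one way to track this at node level is to count outbound UDP packets per source IP per second from `tcpdump -n` text and flag any source above a threshold. The 500 packets/s default mirrors the rate limit mentioned in the first post; the function names and the last sample line are constructed for illustration.

```python
import re
import sys
from collections import defaultdict

# tcpdump -n line format as pasted in the first post. Non-first IP fragments
# print as "IP a > b: udp" with no ports or length, so both are optional.
LINE = re.compile(
    r"(\d\d:\d\d:\d\d)\.\d+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"\d+\.\d+\.\d+\.\d+(?:\.\d+)?: (?:UDP, length (\d+)|udp)"
)

# First seven lines are from the post; the last one is constructed benign traffic.
SAMPLE = [
    "15:17:09.560004 IP 178.63.172.207 > 68.33.95.143: udp",
    "15:17:09.560129 IP 178.63.172.207 > 68.33.95.143: udp",
    "15:17:09.560251 IP 178.63.172.207.38788 > 68.33.95.143.29400: UDP, length 9216",
    "15:17:09.560374 IP 178.63.172.207 > 68.33.95.143: udp",
    "15:17:09.560497 IP 178.63.172.207.45054 > 68.33.95.143.16411: UDP, length 9216",
    "15:17:09.560621 IP 178.63.172.207.45052 > 68.33.95.143.57187: UDP, length 9216",
    "15:17:09.560747 IP 178.63.172.207 > 68.33.95.143: udp",
    "15:17:09.561000 IP 192.0.2.10.40000 > 192.0.2.53.53: UDP, length 40",
]

def udp_rates(lines):
    """Map (source IP, 'HH:MM:SS') -> [packets, bytes summed from 'length']."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a UDP line in the expected format
        second, src, length = m.groups()
        bucket = stats[(src, second)]
        bucket[0] += 1
        bucket[1] += int(length or 0)  # fragment lines carry no length
    return stats

def flooding_sources(lines, max_pps=500):
    """Sources whose packet count in any one-second bucket exceeds max_pps."""
    peaks = defaultdict(int)
    for (src, _second), (packets, _nbytes) in udp_rates(lines).items():
        peaks[src] = max(peaks[src], packets)
    return {src: pps for src, pps in peaks.items() if pps > max_pps}

if __name__ == "__main__":
    # Pipe "tcpdump -n" text in on stdin; with no pipe, run on SAMPLE instead.
    demo = sys.stdin.isatty()
    lines = SAMPLE if demo else sys.stdin
    for src, pps in flooding_sources(lines, 5 if demo else 500).items():
        print(f"{src}: peak {pps} UDP packets/s")
```

A flagged source IP can then be matched to the container that owns it before deciding whether to suspend it or drop its UDP traffic.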


