
Combating UDP flood attacks


This is a theoretical question that I have wondered about, so I have no actual code to show here.

 

Say I have a game server that is accepting client packets at a publicly known port. What is a common method to handle a client trying to DOS the server by flooding it with udp packets?

 

1. There is a portable way to block communication with a specific IP at the operating system level. I don't know if this actually exists, but it would probably be the most effective solution.

 

2. Close the known socket and reopen it on another port. While this prevents the rogue packets from reaching the application, the operating system still has to handle the packets before it can decide to drop them.

I guess this is cheaper than to drop them at the application level, but it still puts some strain on the system.

Also, the server still has to announce the new port eventually and the attack could continue there.

 

Did someone here deal with this before?


This will not make any difference. Even if you instantly drop all packets from a set of IPs in the kernel's network stack (with iptables or whatever), the packets are still flowing through your network pipe connecting you to the rest of the internet, degrading quality of service (which is the "denial of service" part). Nothing you do locally will prevent that; the DOS attack does not even have to target the port your application is using. The DOS attack is done on a server, not on an individual application.

 

As I understand it, the common technique to mitigate DOS attacks these days is to put your servers behind load-balancers with an absolutely colossal bandwidth that cannot (easily) be flooded enough to prevent legitimate users from passing through, and having these load-balancers do the filtering work in response to incoming traffic as needed, e.g. Cloudflare. You generally rent those as a service.

 

If that is overkill for you, then I think just using operating system tools (again, like iptables) will do nicely for your use case if you just need to stop a client from connecting every now and then. It's transparent to your application and you can write scripts to automate the process. For instance with iptables:

$ sudo iptables -A INPUT -s 1.2.3.4 -j DROP   # needs root; drops every packet from that source

and your application will never hear of 1.2.3.4 again (remember to remove the rule eventually, because the IP could have gotten reused, because processing rules takes nonzero time, and because perma-banning IPs is generally bad form anyway).

Edited by Bacterius
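The "write scripts to automate the process" part of the post above, as an added example that is not code from the thread: a small Python ban list that inserts the iptables DROP rule from the post for a source address and deletes it again once the ban lapses. It assumes a Linux host where the process may run iptables (root or CAP_NET_ADMIN) and uses the plain INPUT chain; the runner and clock are injectable so the rule construction can be tested without touching the real firewall.

```python
"""Temporary source-IP bans via iptables, driven from the game server.

Added example, not code from the original thread. Assumes Linux, that the
process may run iptables/ip6tables, and the rule shape from the post:
    iptables -I INPUT -s <ip> -j DROP
with the matching -D issued when the ban expires.
"""
import ipaddress
import subprocess
import time
from typing import Callable, Dict, List

Runner = Callable[[List[str]], None]


def run_iptables(argv: List[str]) -> None:
    """Default runner: actually execute the rule; raises on a non-zero exit."""
    subprocess.run(argv, check=True)


def drop_rule(ip: str, action: str) -> List[str]:
    """Build the argv for adding (-I) or deleting (-D) a DROP rule for one address.

    The address goes through ipaddress first, so only a literal IPv4/IPv6
    address can ever reach the command line (no hostnames, no option injection
    from whatever string the server's packet loop handed us).
    """
    addr = ipaddress.ip_address(ip)            # ValueError on anything that is not an IP
    tool = "ip6tables" if addr.version == 6 else "iptables"
    return [tool, action, "INPUT", "-s", str(addr), "-j", "DROP"]


class BanList:
    """Per-IP bans with expiry. Call expire() periodically from the server loop."""

    def __init__(self, runner: Runner = run_iptables, clock=time.monotonic):
        self._runner = runner
        self._clock = clock
        self._expires: Dict[str, float] = {}

    def ban(self, ip: str, seconds: float) -> bool:
        """Insert a DROP rule for ip. Returns False if ip was already banned;
        in that case the expiry is extended but no duplicate rule is inserted."""
        ip = str(ipaddress.ip_address(ip))
        is_new = ip not in self._expires
        self._expires[ip] = self._clock() + seconds
        if is_new:
            self._runner(drop_rule(ip, "-I"))  # -I puts it ahead of any ACCEPT rules
        return is_new

    def expire(self) -> List[str]:
        """Delete the rules of bans that have lapsed; returns the unbanned ips."""
        now = self._clock()
        lapsed = [ip for ip, t in self._expires.items() if t <= now]
        for ip in lapsed:
            self._runner(drop_rule(ip, "-D"))  # -D with the same spec removes that rule
            del self._expires[ip]
        return lapsed

    def active(self) -> List[str]:
        return sorted(self._expires)


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them (address is a documentation IP).
    bl = BanList(runner=lambda argv: print(" ".join(argv)))
    bl.ban("203.0.113.7", 600)
```

The rule is inserted with -I rather than the post's -A so that it sits above any earlier ACCEPT rule (for example a conntrack ESTABLISHED accept, which a UDP flow can match); deletion uses the identical specification, which is what iptables -D needs to find it.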


Interesting, I have heard of iptables in a typical web setup before but somehow didn't make the connection to it being used on a game server. Need to jot down.

But basically this means it's only worthwhile to prepare for these kinds of attacks if you have a large production running and can afford the costs.


Thanks guys, really great responses.

What about a single person that tries to disturb your service from a typical home line? Would such an event even register if you have enough bandwidth and your server isn't written in a completely dumb way, like forwarding malicious packets deep inside your game before they are discarded?


I've dealt with denial of service attacks on multiple occasions and the only surefire way to fight them is with a firewall upstream from you that can absorb a much higher rate of traffic than you ever could receive on your servers. I've used services such as X4B and OVH, and these work by giving you a public and private IP address. You establish an IPIP or GRE tunnel to the private IP and then you bind all your daemons to a LAN IP on the inside of your tunnel, e.g. 10.0.0.1. You then point all your DNS records at the public IP provided by the anti-DDoS service. The reason you bind to a LAN IP is so that if your server configuration leaks the IP it's bound to, e.g. a bad Apache configuration or such, then only that LAN IP is leaked and not your real server IP that you want to protect.

 

You configure an allow list of UDP and TCP ports, and anything not on your allow list is immediately considered malicious and dropped at the DDoS service.

 

In the event of a DDoS all bad traffic is absorbed by the service.

You usually only pay for your valid traffic, which is passed along the tunnel, on a pay-as-you-go basis.

 

These services often have more available bandwidth than you could ever need or see and protect some of the biggest sites on the internet.

They can even do reverse proxies for HTTP, speeding up your web services too.

Hope this helps!

Edited by braindigitalis


What about a single person that tries to disturb your service from a typical home line?

 

Well, if they are paying for Google Fiber with a gigabit symmetric throughput, and you're serving on AT&T DSL with 10 Mbit down and 3 Mbit up, then you will fall over.

If the situation is the reverse, then you probably won't have any problems, as long as your incoming-packet and early bad-packet-rejection handling is competently implemented.
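What "competently implemented early rejection" can look like in the receive loop, as an added example that is not code from the thread: each datagram is tested by the cheapest check first (length, then a protocol tag, then a per-source token bucket) and only packets that pass all three are handed to game logic. MAGIC, MIN_LEN, the bucket parameters and the port are assumptions made for the example; the per-source state is bounded because UDP source addresses are trivially spoofed and an unbounded table would itself be a way to exhaust the server.

```python
"""Early rejection of flood traffic in a UDP game server's receive loop.

Added example, not code from the thread. MAGIC, MIN_LEN, the bucket
parameters and the port are assumptions for illustration, not a real protocol.
"""
import collections
import socket
import time
from typing import Callable, Optional

MAGIC = b"GSV1"   # assumed 4-byte protocol tag at the start of every valid packet
MIN_LEN = 8       # assumed smallest packet the protocol can produce


class _Bucket:
    __slots__ = ("tokens", "last")

    def __init__(self, tokens: float, now: float):
        self.tokens, self.last = tokens, now


class PacketGate:
    """Cheap sanity checks plus a per-source token bucket, run before any parsing.

    rate: sustained packets/second allowed per source; burst: bucket capacity.
    max_tracked bounds the per-source table: spoofed sources must not be able
    to grow it without limit, so the least recently seen source is evicted.
    """

    def __init__(self, rate: float, burst: float, max_tracked: int = 10_000):
        self.rate, self.burst, self.max_tracked = rate, burst, max_tracked
        self.buckets: "collections.OrderedDict[str, _Bucket]" = collections.OrderedDict()
        self.dropped: collections.Counter = collections.Counter()  # reason -> count

    def check(self, src: str, data: bytes, now: float) -> Optional[str]:
        """Return None to accept the packet, or a short reason for dropping it."""
        if len(data) < MIN_LEN:              # cheapest test first: no payload inspected
            return "short"
        if data[:4] != MAGIC:                # not our protocol, never reaches the parser
            return "bad_magic"
        b = self.buckets.get(src)
        if b is None:
            if len(self.buckets) >= self.max_tracked:
                self.buckets.popitem(last=False)   # evict the least recently seen source
            b = self.buckets[src] = _Bucket(self.burst, now)
        else:
            self.buckets.move_to_end(src)
            b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
            b.last = now
        if b.tokens < 1.0:
            return "rate"
        b.tokens -= 1.0
        return None

    def admit(self, src: str, data: bytes, now: float) -> bool:
        reason = self.check(src, data, now)
        if reason is not None:
            self.dropped[reason] += 1        # counters for monitoring; never log per packet
            return False
        return True


def serve(port: int, gate: PacketGate, handle: Callable[[str, bytes], None]) -> None:
    """Receive loop: only packets that pass the gate reach handle()."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (ip, _port) = sock.recvfrom(1500)
        if gate.admit(ip, data, time.monotonic()):
            handle(ip, data)


if __name__ == "__main__":
    # Assumed port; the handler just reports, a real server would dispatch to game logic.
    serve(27015, PacketGate(rate=50, burst=100), lambda ip, data: print(ip, len(data)))
```

The drop counters are the natural feed for a kernel-level ban: a source that keeps hitting "rate" is a candidate for an iptables DROP rule, at which point its packets stop costing the process a recvfrom at all. None of this helps once the link itself is saturated, which is the point made earlier in the thread.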


used services such as [...] OVH
I didn't even know OVH did this! In my memory, they are an ultra-low-cost, ultra-unreliable, ultra-bad-quality hosting/colo provider.

 

Now it looks like they are offering something considerably more expensive which however seems to be vastly superior to what you get in a lot of other, similarly priced, places.

 

When did that change? And does it work as well as advertised?


When did that change? And does it work as well as advertised?

 

I haven't used OVH for this but I know others who have and they swear by it. It works well for them. Personally I've used X4B and they worked well (other admins on my IRC net use OVH, so I've kind of used them by proxy). While I was using X4B, it absorbed a multi-gigabit DDoS attack. You have to adjust your server settings though to make sure the tunnel stays up and functional at all times, as if it goes down and doesn't reconnect you obviously lose all connectivity for clients...

Edited by braindigitalis
