Prevent UDP flood DOS (outgoing!)

[dragon2611]

What would be considered the normal Packet Per Second rate for traffic originating from a cpanel server to a specific single destination IP (end user)

Recently had a script uploaded via a CMS exploit that was DOS'ing people with a UDP flood.

I've since removed the script and also disabled the offending CMS so that the user can upload a clean copy and also ensure it's patched. but I'd like to try and take some measures to prevent such a thing occurring the future

I'd also like to take some additional measures that minimise the impact should anyone else manage to do something similar, one of the things I was thinking of doing was limiting the UDP packetflow per destination

I was thinking anything over X PPS gets dropped at the firewall before it even egresses my network but i'm not entirely sure what a resonable number for X should be.

 

[ne0shell]

You can try to limit the outbound flow rate of UDP packets:

/sbin/iptables -A OUTPUT -p udp -m state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -m limit --limit 100/s -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -j DROP

(setting limits outbound UDP to 100 packets per second. This setting can interfere with applications which use UDP outbound traffic (if any))

1000 per second would be a fairly high setting - more than enough for legit use, 100 is probably fine too. You can always adjust it if needed.

 

[dragon2611]

You can try to limit the outbound flow rate of UDP packets:

/sbin/iptables -A OUTPUT -p udp -m state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -m limit --limit 100/s -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -j DROP

(setting limits outbound UDP to 100 packets per second. This setting can interfere with applications which use UDP outbound traffic (if any))

1000 per second would be a fairly high setting - more than enough for legit use, 100 is probably fine too. You can always adjust it if needed.

Currently testing 100Packets per second per destination with a temporary burst of 500PPS allowed.

Although I do have the capability to firewall on the Cpanel box I actually do the majority of the filtering prior to egress from my (albeit virtual) network.

Hoping to get a 2nd physical box shortly in which case i'll probably actually buy a proper router but for a single server with relatively low traffic a Vitalized router works fine.

Using a vitalized instance of RouterOS which handles my routed subnet and also does the filtering between the physical NIC and the VM's running on the server

 

[radeonpower]

I recommend the csf firewall and cXs exploit scanner from configserver.com.

 

[dragon2611]

I recommend the csf firewall and cXs exploit scanner from configserver.com.

I have the firewall, as I tend to use the LFD component from it, although I prefer to set the bulk of my firewall rules on routerOS firewall as It's easier to manage.

 

[crazyaboutlinux]

i have updated outbound traffic limit to 50 but still getting flood attack

how to find this

an apache script exploit, most commonly log.php, which is actually a
remote udp flood script.

 

[Infopro]

This might come in handy for you: ConfigServer eXploit Scanner (cxs)