Prevent UDP flood DoS (outgoing!)

dragon2611

Well-Known Member
Nov 30, 2003
124
0
166
What would be considered the normal packets-per-second rate for traffic originating from a cPanel server to a specific single destination IP (end user)?

Recently had a script uploaded via a CMS exploit that was DoS'ing people with a UDP flood.

I've since removed the script and also disabled the offending CMS so that the user can upload a clean copy and ensure it's patched, but I'd like to take some measures to prevent such a thing occurring in the future.

I'd also like to take some additional measures that minimise the impact should anyone else manage to do something similar. One of the things I was thinking of doing was limiting the UDP packet flow per destination.

I was thinking anything over X PPS gets dropped at the firewall before it even egresses my network, but I'm not entirely sure what a reasonable number for X should be.
 

ne0shell

Well-Known Member
Oct 9, 2003
58
0
156
You can try to limit the outbound flow rate of UDP packets:

# Rule 1: accept any outbound UDP packet in conntrack state NEW. Note that NEW
# means "no packet has yet been seen in both directions", so for a UDP flow
# that never gets a reply (typical of a flood at a silent victim) every packet
# matches here and never reaches the limit below. (-m state is the old alias
# of -m conntrack --ctstate; both still work.)
/sbin/iptables -A OUTPUT -p udp -m state --state NEW -j ACCEPT
# Rule 2: one token bucket shared by all remaining outbound UDP: 100 packets
# per second with the default burst of 5. This is a global cap, not per
# destination.
/sbin/iptables -A OUTPUT -p udp -m limit --limit 100/s -j ACCEPT
# Rule 3: whatever exceeds the bucket is silently dropped.
/sbin/iptables -A OUTPUT -p udp -j DROP

(This limits outbound UDP to 100 packets per second. The setting can interfere with applications which send outbound UDP traffic, if any.)

1000 per second would be a fairly high setting, more than enough for legitimate use; 100 is probably fine too. You can always adjust it if needed.
 

dragon2611

Well-Known Member
Nov 30, 2003
124
0
166
ne0shell said:

You can try to limit the outbound flow rate of UDP packets:

/sbin/iptables -A OUTPUT -p udp -m state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -m limit --limit 100/s -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -j DROP

(This limits outbound UDP to 100 packets per second. The setting can interfere with applications which send outbound UDP traffic, if any.)

1000 per second would be a fairly high setting, more than enough for legitimate use; 100 is probably fine too. You can always adjust it if needed.
Currently testing 100 packets per second per destination with a temporary burst of 500 PPS allowed.

Although I do have the capability to firewall on the cPanel box, I actually do the majority of the filtering prior to egress from my (albeit virtual) network.

Hoping to get a 2nd physical box shortly, in which case I'll probably buy a proper router, but for a single server with relatively low traffic a virtualised router works fine.

Using a virtualised instance of RouterOS which handles my routed subnet and also does the filtering between the physical NIC and the VMs running on the server.
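ne0shell's rules above apply one global bucket to all outbound UDP, while dragon2611 is after what a per-destination limit with a burst looks like. The script below is an added example, not something posted in the thread, and it targets netfilter on the cPanel box itself rather than RouterOS. It generates (and with --apply, loads) an iptables chain that uses the hashlimit match keyed on destination IP, so each destination gets its own token bucket and the limit is evaluated for every packet regardless of conntrack state, which is what stops a one-way flood. The chain name UDP_EGRESS, the 100 pps / 500 burst figures and the exempted resolver 192.0.2.53 are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: per-destination outbound UDP cap using
# the iptables hashlimit match. Assumed values: chain UDP_EGRESS, 100 pps with
# a burst of 500, and 192.0.2.53 as a DNS resolver that is never throttled.

# udp_egress_rules PPS BURST [RESOLVER_IP...]  -> prints the iptables commands
udp_egress_rules() {
    pps="$1"
    burst="$2"
    shift 2
    # Dedicated chain so the rules can be reloaded without touching OUTPUT.
    echo "iptables -N UDP_EGRESS 2>/dev/null || iptables -F UDP_EGRESS"
    # Exempt DNS to the listed resolvers: legitimate and naturally bursty.
    for ip in "$@"; do
        echo "iptables -A UDP_EGRESS -p udp -d $ip --dport 53 -j RETURN"
    done
    # One bucket per destination IP (dstip mode). Packets within the rate
    # RETURN to OUTPUT; no conntrack-state exemption, so a flood that never
    # gets a reply is still counted.
    echo "iptables -A UDP_EGRESS -p udp -m hashlimit --hashlimit-name udp_egress --hashlimit-mode dstip --hashlimit-upto ${pps}/sec --hashlimit-burst $burst -j RETURN"
    # Log (itself rate-limited) and then drop whatever exceeds the bucket.
    echo "iptables -A UDP_EGRESS -p udp -m limit --limit 1/sec -j LOG --log-prefix 'UDP_EGRESS_DROP: '"
    echo "iptables -A UDP_EGRESS -p udp -j DROP"
    # Hook the chain at the top of OUTPUT unless it is already there.
    echo "iptables -C OUTPUT -p udp -j UDP_EGRESS 2>/dev/null || iptables -I OUTPUT 1 -p udp -j UDP_EGRESS"
}

# rule_count PPS BURST [RESOLVER_IP...]  -> number of commands generated
rule_count() {
    udp_egress_rules "$@" | wc -l | tr -d ' '
}

# With --apply (as root) the commands are executed; otherwise they are only
# printed so they can be reviewed first.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    udp_egress_rules 100 500 192.0.2.53 | sh -e
else
    udp_egress_rules 100 500 192.0.2.53
fi
```

Once loaded, `iptables -vnL UDP_EGRESS` shows how many packets hit the DROP rule and the per-destination buckets can be inspected in /proc/net/ipt_hashlimit/udp_egress, which is the quickest way to see which destination a compromised script is hammering. Whether 100 pps is the right number depends on what the box legitimately sends over UDP (DNS, NTP, maybe syslog); watch the LOG lines for a few days before tightening. For those filtering at the edge instead, RouterOS's dst-limit matcher is the equivalent per-destination construct.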
 

dragon2611

Well-Known Member
Nov 30, 2003
124
0
166
I recommend the csf firewall and cXs exploit scanner from configserver.com.
I have the firewall, as I tend to use the LFD component from it, although I prefer to set the bulk of my firewall rules in the RouterOS firewall as it's easier to manage.
 

crazyaboutlinux

Well-Known Member
Nov 3, 2007
939
1
66
I have updated the outbound traffic limit to 50 but am still getting flood attacks.

How do I find this?

An Apache script exploit, most commonly log.php, which is actually a remote UDP flood script.
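To find the flood rather than just cap it, the usual first step is to look at what the server is actually sending. The script below is an added example, not part of the thread: it reads tcpdump output, counts outbound UDP packets per destination per second, and reports the destinations that exceed a threshold. The packet lines in SAMPLE are constructed for the demonstration (TEST-NET addresses, a couple of DNS lookups and a burst at 203.0.113.7) and follow the `tcpdump -nn` line format; the function names and the threshold argument are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: detect an outbound UDP flood in a
# tcpdump capture by counting packets per destination IP per second.
# On a real box feed it:  tcpdump -nn -l -i eth0 udp and src host <server-ip>

# Constructed sample capture (not real traffic): two DNS queries per second
# to 192.0.2.53 and a burst of large packets at 203.0.113.7 on changing ports.
SAMPLE='12:00:01.000100 IP 198.51.100.10.44321 > 192.0.2.53.53: UDP, length 40
12:00:01.000200 IP 198.51.100.10.39001 > 203.0.113.7.80: UDP, length 1024
12:00:01.000300 IP 198.51.100.10.39001 > 203.0.113.7.81: UDP, length 1024
12:00:01.000400 IP 198.51.100.10.39001 > 203.0.113.7.82: UDP, length 1024
12:00:01.000500 IP 198.51.100.10.39001 > 203.0.113.7.83: UDP, length 1024
12:00:01.000600 IP 198.51.100.10.44321 > 192.0.2.53.53: UDP, length 40
12:00:02.000100 IP 198.51.100.10.39001 > 203.0.113.7.84: UDP, length 1024
12:00:02.000200 IP 198.51.100.10.39001 > 203.0.113.7.85: UDP, length 1024
12:00:02.000300 IP 198.51.100.10.44321 > 192.0.2.53.53: UDP, length 40'

# udp_pps THRESHOLD < capture
# Prints "second dst_ip count" for every (second, destination) whose count
# is above THRESHOLD. Keying on destination IP, not IP:port, is deliberate:
# flood scripts often rotate the destination port.
udp_pps() {
    awk -v thr="$1" '
        $2 == "IP" && $6 ~ /^UDP/ {
            sec = substr($1, 1, 8)             # HH:MM:SS, drop microseconds
            dst = $5; sub(/:$/, "", dst)       # "a.b.c.d.port:" -> "a.b.c.d.port"
            split(dst, p, ".")                 # p[5] is the port
            ip = p[1] "." p[2] "." p[3] "." p[4]
            cnt[sec " " ip]++
        }
        END { for (k in cnt) if (cnt[k] > thr) print k, cnt[k] }' | sort
}

# worst_dst < capture  -> "dst_ip max_pps": the destination with the highest
# single-second packet count, i.e. the likely flood victim.
worst_dst() {
    udp_pps 0 | awk 'BEGIN { max = 0 } $3 > max { max = $3; ip = $2 } END { print ip, max }'
}

# Demo run on the constructed sample when executed directly.
printf '%s\n' "$SAMPLE" | udp_pps 3
printf '%s\n' "$SAMPLE" | worst_dst
```

With the victim address in hand, `ss -unap | grep <dst_ip>` lists the UDP socket talking to it together with `users:(("php",pid=N,...))`, and `ls -l /proc/N/cwd` then points at the directory the flood script is running from, which is usually enough to find the uploaded file and the account it was planted under.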