The Community Forums


Prevent UDP flood DOS (outgoing!)

Discussion in 'Security' started by dragon2611, Jun 4, 2010.

  1. dragon2611

    dragon2611 Well-Known Member

    Joined:
    Nov 30, 2003
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    16
    What would be considered a normal packets-per-second rate for traffic originating from a cPanel server to a single, specific destination IP (end user)?

    I recently had a script uploaded via a CMS exploit that was DoSing people with a UDP flood.

    I've since removed the script and disabled the offending CMS so that the user can upload a clean copy and ensure it's patched, but I'd like to take some measures to prevent such a thing occurring in the future.

    I'd also like to take some additional measures that minimise the impact should anyone else manage to do something similar. One of the things I was thinking of doing was limiting the UDP packet flow per destination.

    I was thinking anything over X PPS gets dropped at the firewall before it even egresses my network, but I'm not entirely sure what a reasonable number for X should be.
     
  2. ne0shell

    ne0shell Well-Known Member

    Joined:
    Oct 9, 2003
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    You can try to limit the outbound flow rate of UDP packets:

    # Accept the first packet of every UDP flow that conntrack has not seen before. No
    # limit applies to this rule, so a flood that changes its source port per packet
    # keeps matching here.
    /sbin/iptables -A OUTPUT -p udp -m state --state NEW -j ACCEPT
    # Packets of flows conntrack already tracks are allowed at 100 per second overall
    # (default --limit-burst 5), regardless of destination.
    /sbin/iptables -A OUTPUT -p udp -m limit --limit 100/s -j ACCEPT
    # Everything over the rate is dropped.
    /sbin/iptables -A OUTPUT -p udp -j DROP

    (This setting limits outbound UDP to 100 packets per second. It can interfere with applications that use outbound UDP traffic, if any.)

    1,000 per second would be a fairly high setting, more than enough for legitimate use; 100 is probably fine too. You can always adjust it if needed.
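The rules above apply one global limit to all outbound UDP, while the original question was about a limit per destination IP. The following is an added example, not code from ne0shell or anyone else in the thread: it uses the iptables hashlimit match, which keeps a separate token bucket per destination address, with the 100 PPS sustained / 500 burst figures mentioned later in the thread as defaults. The chain names, the UDP-FLOOD-OUT log prefix and the RESOLVERS exemption are this example's own choices, and the script only prints the rules unless IPTABLES points at the real binary.

```shell
#!/bin/sh
# Added example: per-destination outbound UDP rate limit with iptables hashlimit.
# Not from the thread. Chain names, log prefix and the RESOLVERS exemption are
# this example's own choices. Prints the rules by default; install them with
#   IPTABLES=/sbin/iptables RESOLVERS="192.0.2.53" sh udp-egress-limit.sh 100 500

udp_egress_limit_rules() {
    rate="${1:-100}"          # sustained packets/sec allowed per destination IP
    burst="${2:-500}"         # packets a destination may get above the rate before drops start
    ipt="${IPTABLES:-echo}"   # echo = dry run; set to the iptables binary to apply

    $ipt -N UDP_EGRESS_LIMIT
    $ipt -N UDP_EGRESS_DROP

    # The server's own DNS lookups concentrate many small UDP packets on one
    # resolver address, so exempt the resolvers listed in RESOLVERS (space separated).
    for r in ${RESOLVERS:-}; do
        $ipt -A UDP_EGRESS_LIMIT -p udp -d "$r" --dport 53 -j RETURN
    done

    # hashlimit keeps one token bucket per destination IP (--hashlimit-mode dstip).
    # --hashlimit-above matches only the packets that exceed rate+burst for that
    # destination, so traffic under the limit falls through to the rest of OUTPUT.
    $ipt -A UDP_EGRESS_LIMIT -m hashlimit --hashlimit-name udp_out \
        --hashlimit-mode dstip --hashlimit-above "${rate}/sec" --hashlimit-burst "$burst" \
        -j UDP_EGRESS_DROP

    # Log (rate-limited so the log itself cannot be flooded) and drop the excess.
    # The LOG line carries the destination, which is what the victim will ask for.
    $ipt -A UDP_EGRESS_DROP -m limit --limit 6/min --limit-burst 10 \
        -j LOG --log-prefix "UDP-FLOOD-OUT "
    $ipt -A UDP_EGRESS_DROP -j DROP

    # Insert at the top of OUTPUT so an earlier blanket ACCEPT in that chain
    # cannot bypass the check. Loopback traffic is excluded.
    $ipt -I OUTPUT 1 -p udp ! -o lo -j UDP_EGRESS_LIMIT
}

udp_egress_limit_rules "$@"
```

If csf manages the ruleset it flushes and rebuilds the chains on restart, so the call belongs in /etc/csf/csfpost.sh rather than being run once by hand. Keying on destination IP only (dstip) matches what the original question asked for; a host that legitimately sends bursts of UDP to one peer (a VoIP or game server, for instance) would need that peer added to the exemptions.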
     
  3. dragon2611

    dragon2611 Well-Known Member

    Joined:
    Nov 30, 2003
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    16
    Currently testing 100 packets per second per destination, with a temporary burst of 500 PPS allowed.

    Although I do have the capability to firewall on the cPanel box, I actually do the majority of the filtering prior to egress from my (albeit virtual) network.

    I'm hoping to get a second physical box shortly, in which case I'll probably buy a proper router, but for a single server with relatively low traffic a virtualized router works fine.

    I'm using a virtualized instance of RouterOS which handles my routed subnet and also does the filtering between the physical NIC and the VMs running on the server.
     
  4. radeonpower

    radeonpower Well-Known Member

    Joined:
    Jul 23, 2009
    Messages:
    129
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I recommend the csf firewall and cxs exploit scanner from configserver.com.
     
    #4 radeonpower, Jun 9, 2010
    Last edited: Jun 9, 2010
  5. dragon2611

    dragon2611 Well-Known Member

    Joined:
    Nov 30, 2003
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    16
    I have the firewall, as I tend to use the LFD component of it, although I prefer to set the bulk of my firewall rules on the RouterOS firewall as it's easier to manage.
     
  6. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Joined:
    Nov 3, 2007
    Messages:
    938
    Likes Received:
    0
    Trophy Points:
    16
    I have updated the outbound traffic limit to 50 but am still getting the flood attack.

    How do I find this?

    An Apache script exploit, most commonly log.php, which is actually a remote UDP flood script.
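crazyaboutlinux asks how to find the script. As an added example that is not part of the thread, here is the triage a practitioner would run: live socket and process inspection by hand while the flood is running, then a scan of the web roots for the fsockopen("udp://...") pattern that simple PHP UDP flood scripts use, which also catches copies that are idle. The sample tree and the log.php stand-in are constructed for the example, and the log path in the comments assumes a cPanel host.

```shell
#!/bin/sh
# Added example (not from the thread): find the PHP script behind an outgoing UDP flood.
# Live triage first, by hand as root, to catch the process while it is sending:
#   netstat -anup                  # UDP sockets with PID/program (or: ss -unp)
#   ls -l /proc/<pid>/cwd          # directory the flooding php process was started from
#   grep -h 'log.php' /usr/local/apache/domlogs/*   # requests that triggered it (cPanel per-domain logs)
# Then scan the web roots for the code pattern, which also catches copies that are idle.

find_udp_flood_scripts() {
    # $1 = directory tree to scan (e.g. /home). Prints one matching path per line.
    # Simple PHP flood scripts open a UDP stream with fsockopen() or
    # stream_socket_client() and write junk to it in a loop; legitimate code in a
    # web root rarely opens udp:// sockets, so every hit deserves a manual look.
    grep -rIlE --include='*.php' \
        '(fsockopen|stream_socket_client)[[:space:]]*\([[:space:]]*["'"'"']?udp://' \
        "$1" 2>/dev/null
    return 0
}

demo_scan() {
    # Constructed sample tree: one stand-in for log.php and one innocent file.
    # The stand-in is never executed; it only needs to contain the pattern.
    tmp=$(mktemp -d)
    mkdir -p "$tmp/user1/public_html/images" "$tmp/user2/public_html"
    printf '%s\n' '<?php' \
        '$fp = fsockopen("udp://" . $_GET["host"], rand(1, 65535), $errno, $errstr, 5);' \
        'while (time() < $_GET["time"]) { fwrite($fp, str_repeat("X", 1024)); }' \
        > "$tmp/user1/public_html/images/log.php"
    printf '%s\n' '<?php echo "hello";' > "$tmp/user2/public_html/index.php"
    find_udp_flood_scripts "$tmp" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}

demo_scan
```

Run find_udp_flood_scripts against /home on the real server; a hit under an image or cache directory, as in the sample, is the usual sign of an upload through a CMS hole rather than of the site's own code.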
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,451
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator