Home page logo

basics logo Security Basics mailing list archives

Re: Udp Flood
From: Fernando Gont <fernando () gont com ar>
Date: Thu, 20 Nov 2003 01:39:13 -0300

At 23:04 04/11/2003 +0000, you wrote:

I've tried and tested UDP Flood 2 Foundstone to simulate some attack suffered by my network.Is there any way to block an udp flood directed to a Red Hat DNS Server?

Bandwidth-consuming attacks must be filtered at the upstream router.
The problem is that sender IP address can easily be spoofed. In that case, the only thing that would help is egress-filtering by the ISPs (ie, beign "good network citizens").

Tracing the streams is not an easy task, and it gets much worse for those "reflection" attacks.

I could do it on my Cisco router, but I have already implemented some rate limits and I could not add any other line. If I will drop the packet directly on the DNS server, will my bandwidth in any case used on my POS interface, so reducing the available overall bandwidth? And last, why any UDP flood I have received has taken right of way my legal traffic: an example; I have 75 Mbps, and the legitimate traffic is of 70 Mbps. When an UDP flood of 20 Mbps(target 53) arrive, it takes 20 Mbps and not the remaining 5 Mbps. So my legitimate traffic will be decreased of 15 Mbps.

Do you mean that your available bandwidth is 75 Mbps, your legitimate traffic is 70 Mbps, and that when you're hit with a flood it takes about 20 Mbps?

If your setup is something like:

-------------   LAN

and the flood comes from the Internet, then the flood has already eaten your bandwidth when it gets to your router.

Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org


  By Date           By Thread  

Current thread:
  • Udp Flood Mauro Marazzi (Nov 05)
    • <Possible follow-ups>
    • Re: Udp Flood Fernando Gont (Nov 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]