Hi guys. Can anyone tell me exactly how this rule would translate into UFW:
Outbound UDP Flood protection in a user defined chain.
iptables -N udp-flood iptables -A OUTPUT -p udp -j udp-flood iptables -A udp-flood -p udp -m limit --limit 50/s -j RETURN iptables -A udp-flood -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: ’ iptables -A udp-flood -j DROP
It is to prevent massive UDP flood attacks on our server. At the moment I have a rule that simply blocks all ports apart from some specific service ports I need open. However, this is too restrictive.
My current rule : -A ufw-after-output -p udp -j DROP
Thanks for any help!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Thank you for the quick response. :)
The floods are not inbound they are outbound which is why I have set a rule to deny all outbound UDP packets. I already have been the target of such attacks and setting the above UFW rule has solved the problem, ie stopped the UDP floods, but because it’s too restrictive it has caused problems with some of the software I run.
First of all I can see a foreign ip port scanning my ip, then many UDP Fragment (1500) from <ip> to <ip> on eth0.
I don’t think cloudflare will help as I don’t run a public website that someone might think to attack.
Any suggestions how I can convert the rate limit rule to a UFW format?
Thanks.
It is important to note that blocking large UDP floods at your droplet in software will likely not resolve the underlying problems. Your droplet will still need to refuse requests but more importantly, large inbound attacks can result in your droplet’s IP address being blackholed to prevent issues for other users on the network. If you believe you will be the target of this type of attack we recommend using a third party service (like CloudFlare for http) to provide DDoS protection.