Security Basics mailing list archives

Re: Udp Flood


From: Fernando Gont <fernando () gont com ar>
Date: Thu, 20 Nov 2003 01:39:13 -0300

At 23:04 04/11/2003 +0000, you wrote:

I've tried and tested UDP Flood 2 Foundstone to simulate some attack suffered by my network. Is there any way to block a UDP flood directed to a Red Hat DNS Server?

Bandwidth-consuming attacks must be filtered at the upstream router.
The problem is that the sender IP address can easily be spoofed. In that case, the only thing that would help is egress-filtering by the ISPs (i.e., being "good network citizens").

Tracing the streams is not an easy task, and it gets much worse for those "reflection" attacks.


I could do it on my Cisco router, but I have already implemented some rate limits and I could not add any other line. If I drop the packet directly on the DNS server, will my bandwidth in any case be used on my POS interface, so reducing the available overall bandwidth? And last, why has any UDP flood I have received taken right of way over my legal traffic? An example: I have 75 Mbps, and the legitimate traffic is 70 Mbps. When a UDP flood of 20 Mbps (target 53) arrives, it takes 20 Mbps and not the remaining 5 Mbps. So my legitimate traffic will be decreased by 15 Mbps.

Do you mean that your available bandwidth is 75 Mbps, your legitimate traffic is 70 Mbps, and that when you're hit with a flood it takes about 20 Mbps?

If your setup is something like:

Inet
   |
Router
   |
   |
-------------   LAN

and the flood comes from the Internet, then the flood has already eaten your bandwidth when it gets to your router.



--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
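
The egress filtering mentioned in the reply above, sketched as an added example that is not part of the original message: an ISP edge forwards a customer's packet only if its source address lies in a prefix assigned to that customer. The interface names, the prefix table (documentation address ranges) and the function names are hypothetical.

```python
import ipaddress

# Constructed example: prefixes an ISP has assigned to customers on each
# edge interface (documentation ranges, not real allocations).
CUSTOMER_PREFIXES = {
    "edge0": [ipaddress.ip_network("192.0.2.0/24")],
    "edge1": [ipaddress.ip_network("198.51.100.0/25"),
              ipaddress.ip_network("203.0.113.64/26")],
}


def source_is_valid(interface, src):
    """True if src lies in a prefix assigned to the customer on interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source address: drop
    return any(addr in net for net in CUSTOMER_PREFIXES.get(interface, []))


def filter_outbound(packets):
    """Split (interface, src, dst, dport) tuples into (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_valid(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic leaving customer networks toward a DNS server.
SAMPLE = [
    ("edge0", "192.0.2.17", "203.0.113.200", 53),      # genuine source
    ("edge0", "198.51.100.9", "203.0.113.200", 53),    # other customer's prefix
    ("edge1", "198.51.100.130", "203.0.113.200", 53),  # outside the /25
    ("edge1", "203.0.113.70", "203.0.113.200", 53),    # genuine source
    ("edge2", "192.0.2.17", "203.0.113.200", 53),      # unknown interface
]

if __name__ == "__main__":
    ok, bad = filter_outbound(SAMPLE)
    for pkt in ok:
        print("forward", pkt)
    for pkt in bad:
        print("drop   ", pkt)
```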


