UDP flood, transparent firewall (don't know how to drop)
-
Hello,
I have some questions about how to drop a UDP flood.
Right now I'm only testing whether I can block UDP floods, but: I have a 10GbE connection from my ISP to my router and I want to add a firewall like this:
ISP 10GbE --- modulated router 10GbE in the same VLAN as the pfSense WAN --- pfSense LAN in a VLAN on the router with all of my servers
Now I'm testing the whole system only on Gbps interfaces, and I have the problem that I can't drop/block UDP floods to my servers. I have created only 2 firewall rules on WAN:
IPv4 UDP from any to any, Maximum state entries per host = 100
IPv4 TCP from any to any, Maximum state entries per host = 3000 and Maximum new connections / per second(s) (TCP only) 50/3
With those 2 rules, when I'm trying to flood my server behind pfSense with UDP, I can see in tcpdump -nn -v:
I can flood another port too:
So the problem is that I want to drop the illegal UDP flood on the pfSense WAN (I don't care if the flood will be higher than my total speed with the ISP, because I have auto RTBH (blackhole from the ISP for the IP which is under attack)); I just want to drop it, because if that flood is going to be higher than Gbps (my LAN servers' speed is Gbps), my LAN servers will get lags.
So the question is: how can I do that?
BTW, pfSense should go to the latest BSD because it supports multicore for PF :)
Thanks to all of you for reading this and for your answers.
BTW, sorry for my bad English.
BTW, maybe it's possible to create a script that looks whether some source is sending packets (of the same packet size) 10 times OR a source is sending more bytes in some time?
Maybe Snort rules? (But Snort eats a lot of CPU.) I don't know how to create Snort rules, but I think it's possible to create:
max UDP requests from source to destination per time
max UDP size from source
UDP echo alert
UDP port 0 to port 0
max UDP requests with the same size from source
UDP request to unreachable port
and what rules should count as legal UDP?
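As an added example (not code from this post or from pfSense), the per-source checks listed in the post, written as a Python script over `tcpdump -nn -v` lines in the format shown above: packets per source per time window, bytes per window, repeated identical packet sizes, and requests that the host answered with ICMP port unreachable. The regexes, capture lines, addresses (RFC 5737 ranges) and thresholds are constructed for the example; the flagged sources could feed a pf table used by a block rule.

```python
import re
from collections import Counter, defaultdict

UDP_RE = re.compile(r'^(\d\d):(\d\d):(\d\d\.\d+) IP \([^)]*proto UDP \(17\), length (\d+)\) '
                    r'(\d+(?:\.\d+){3})\.(\d+) > \d+(?:\.\d+){3}\.(\d+):')
ICMP_RE = re.compile(r'proto ICMP \(1\), length \d+\) \d+(?:\.\d+){3} > (\d+(?:\.\d+){3}): '
                     r'ICMP \S+ udp port \d+ unreachable')

def parse_udp(line):
    m = UDP_RE.match(line)            # None for every non-UDP line, e.g. the ICMP replies
    if not m:
        return None
    h, mi, s, length, src, sport, dport = m.groups()
    return {"t": int(h) * 3600 + int(mi) * 60 + float(s), "len": int(length),
            "src": src, "sport": int(sport), "dport": int(dport)}

def flag_sources(lines, window=1.0, max_pkts=10, max_bytes=20000, max_same_size=10, max_unreach=3):
    """Per-source checks over a sliding `window` (seconds); thresholds are assumed values."""
    pkts, unreach, reasons = defaultdict(list), Counter(), defaultdict(set)
    for line in lines:
        p = parse_udp(line)
        if p:
            pkts[p["src"]].append(p)
        elif (m := ICMP_RE.search(line)):         # our host answered "udp port N unreachable"
            unreach[m.group(1)] += 1
    for src, ps in pkts.items():
        ps.sort(key=lambda p: p["t"])
        start = 0
        for end in range(len(ps)):                # slide the window over this source's packets
            while ps[end]["t"] - ps[start]["t"] > window:
                start += 1
            win = ps[start:end + 1]
            hits = {"rate": len(win) > max_pkts,
                    "bytes": sum(p["len"] for p in win) > max_bytes,
                    "same size": Counter(p["len"] for p in win).most_common(1)[0][1] > max_same_size}
            reasons[src].update(k for k, hit in hits.items() if hit)
        if unreach[src] >= max_unreach:
            reasons[src].add("unreachable port")
    return {src: sorted(r) for src, r in reasons.items() if r}   # sources that trip nothing are omitted

def sample_lines():
    """Constructed capture: 12 equal-size packets from one source in 0.44 s, each answered with
    ICMP port unreachable, plus a single ordinary DNS reply from a second source."""
    out = []
    for i in range(12):
        out += [f"21:42:17.{190000 + i * 40000:06d} IP (tos 0x40, ttl 242, id {30976 + i}, offset 0, flags [none], "
                f"proto UDP (17), length 1048) 198.51.100.7.{13324 + i} > 192.0.2.10.69: 1020 tftp-#0",
                f"21:42:17.{190010 + i * 40000:06d} IP (tos 0xc0, ttl 64, id {19862 + i}, offset 0, flags [none], "
                "proto ICMP (1), length 576) 192.0.2.10 > 198.51.100.7: ICMP 192.0.2.10 udp port 69 unreachable, length 556"]
    out.append("21:42:18.500000 IP (tos 0x0, ttl 57, id 1, offset 0, flags [DF], proto UDP (17), length 76) 203.0.113.5.53 > 192.0.2.10.41000: UDP, length 48")
    return out
```

Per-source checks like these, exactly like pfSense's per-host state limits, cannot catch a flood in which every packet comes from a different (spoofed) source, as in the capture quoted above where each address appears once; for that case the check has to be an aggregate rate per destination port rather than per source.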