UDP flood, transparent firewall (don't know how to drop it)



  • Hello,

    I have some questions about how to drop a UDP flood.

    Right now I'm only testing whether I can block UDP floods, but:

    I have a 10GbE connection from my ISP to my router and I want to add a firewall like this:
          ISP 10GbE --- modulated router 10GbE in the same VLAN as the pfSense WAN --- pfSense LAN in a VLAN on the router with all of my servers

    Right now I'm testing the whole system only on Gbps interfaces, and my problem is that I can't drop/block UDP floods to my servers. I have created only 2 firewall rules on WAN:
        IPv4 UDP from any to any with Maximum state entries per host = 100
        IPv4 TCP from any to any with Maximum state entries per host = 3000 and Maximum new connections / per second(s) (TCP only) 50/3

    With those 2 rules, when I try to flood my server behind pfSense with UDP, I can see this in tcpdump -nn -v:

    
    21:42:17.190988 IP (tos 0xc0, ttl 64, id 19862, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 12.52.245.181: ICMP xx.xxx.xxx.xx udp port 69 unreachable, length 556
            IP (tos 0x40, ttl 242, id 30976, offset 0, flags [none], proto UDP (17), length 1048)
        12.52.245.181.13324 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.190870 IP (tos 0x40, ttl 242, id 31006, offset 0, flags [none], proto UDP (17), length 1048)
        158.154.108.16.39582 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.190997 IP (tos 0xc0, ttl 64, id 45581, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 158.154.108.16: ICMP xx.xxx.xxx.xx udp port 69 unreachable, length 556
            IP (tos 0x40, ttl 242, id 31006, offset 0, flags [none], proto UDP (17), length 1048)
        158.154.108.16.39582 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.190880 IP (tos 0x40, ttl 242, id 30984, offset 0, flags [none], proto UDP (17), length 1048)
        142.94.168.73.24206 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191006 IP (tos 0xc0, ttl 64, id 47728, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 142.94.168.73: ICMP xx.xxx.xxx.xx udp port 69 unreachable, length 556
            IP (tos 0x40, ttl 242, id 30984, offset 0, flags [none], proto UDP (17), length 1048)
        142.94.168.73.24206 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191333 IP (tos 0x40, ttl 242, id 31021, offset 0, flags [none], proto UDP (17), length 1048)
        121.167.130.222.42873 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191394 IP (tos 0xc0, ttl 64, id 48587, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 121.167.130.222: ICMP xx.xxx.xxx.xx udp port 69 unreachable, length 556
            IP (tos 0x40, ttl 242, id 31021, offset 0, flags [none], proto UDP (17), length 1048)
        121.167.130.222.42873 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191339 IP (tos 0x40, ttl 242, id 30991, offset 0, flags [none], proto UDP (17), length 1048)
        111.46.230.55.11887 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191413 IP (tos 0xc0, ttl 64, id 49443, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 111.46.230.55: ICMP xx.xxx.xxx.xx udp port 69 unreachable, length 556
            IP (tos 0x40, ttl 242, id 30991, offset 0, flags [none], proto UDP (17), length 1048)
        111.46.230.55.11887 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191346 IP (tos 0x40, ttl 242, id 31009, offset 0, flags [none], proto UDP (17), length 1048)
        194.18.121.222.4802 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191425 IP (tos 0xc0, ttl 64, id 44924, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 194.18.121.222: ICMP xx.xxx.xxx.xx udp port 69 unreachable, length 556
            IP (tos 0x40, ttl 242, id 31009, offset 0, flags [none], proto UDP (17), length 1048)
        194.18.121.222.4802 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191352 IP (tos 0x40, ttl 242, id 30993, offset 0, flags [none], proto UDP (17), length 1048)
        161.8.190.72.2209 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191435 IP (tos 0xc0, ttl 64, id 57926, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 161.8.190.72: ICMP xx.xxx.xxx.xx udp port 69 unreachable, length 556
            IP (tos 0x40, ttl 242, id 30993, offset 0, flags [none], proto UDP (17), length 1048)
        161.8.190.72.2209 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191358 IP (tos 0x40, ttl 242, id 30969, offset 0, flags [none], proto UDP (17), length 1048)
        88.172.82.189.44120 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191447 IP (tos 0xc0, ttl 64, id 31995, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 88.172.82.189: ICMP xx.xxx.xxx.xx udp port 69 unreachable, length 556
            IP (tos 0x40, ttl 242, id 30969, offset 0, flags [none], proto UDP (17), length 1048)
        88.172.82.189.44120 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191365 IP (tos 0x40, ttl 242, id 30978, offset 0, flags [none], proto UDP (17), length 1048)
        188.12.231.95.3260 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191458 IP (tos 0xc0, ttl 64, id 10760, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 188.12.231.95: ICMP xx.xxx.xxx.xx udp port 69 unreachable, length 556
            IP (tos 0x40, ttl 242, id 30978, offset 0, flags [none], proto UDP (17), length 1048)
        188.12.231.95.3260 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191495 IP (tos 0x40, ttl 242, id 31025, offset 0, flags [none], proto UDP (17), length 1048)
        209.47.145.182.12241 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191515 IP (tos 0xc0, ttl 64, id 41487, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 209.47.145.182: ICMP xx.xxx.xxx.xx udp port 69 unreachable, length 556
            IP (tos 0x40, ttl 242, id 31025, offset 0, flags [none], proto UDP (17), length 1048)
        209.47.145.182.12241 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191961 IP (tos 0x40, ttl 242, id 30989, offset 0, flags [none], proto UDP (17), length 1048)
        82.90.236.26.23122 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.192035 IP (tos 0xc0, ttl 64, id 60952, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 82.90.236.26: ICMP xx.xxx.xxx.xx udp port 69 unreachable, length 556
            IP (tos 0x40, ttl 242, id 30989, offset 0, flags [none], proto UDP (17), length 1048)
        82.90.236.26.23122 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191975 IP (tos 0x40, ttl 242, id 31002, offset 0, flags [none], proto UDP (17), length 1048)
        35.106.110.167.27171 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.192044 IP (tos 0xc0, ttl 64, id 9143, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 35.106.110.167: ICMP xx.xxx.xxx.xx udp port 69 unreachable, length 556
            IP (tos 0x40, ttl 242, id 31002, offset 0, flags [none], proto UDP (17), length 1048)
        35.106.110.167.27171 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.191994 IP (tos 0x40, ttl 242, id 31023, offset 0, flags [none], proto UDP (17), length 1048)
        85.220.5.212.56405 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.192054 IP (tos 0xc0, ttl 64, id 19952, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 85.220.5.212: ICMP xx.xxx.xxx.xx udp port 69 unreachable, length 556
            IP (tos 0x40, ttl 242, id 31023, offset 0, flags [none], proto UDP (17), length 1048)
        85.220.5.212.56405 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    21:42:17.192700 IP (tos 0x40, ttl 242, id 31027, offset 0, flags [none], proto UDP (17), length 1048)
        171.114.212.125.29355 > xx.xxx.xxx.xx.69:  1020 tftp-#0
    
    

    I can flood another port too:

    
    21:47:00.913511 IP (tos 0xc0, ttl 64, id 47835, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 211.230.202.102: ICMP xx.xxx.xxx.xx udp port 100 unreachable, length 556
            IP (tos 0x40, ttl 242, id 22774, offset 0, flags [none], proto UDP (17), length 1048)
        211.230.202.102.59091 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.913442 IP (tos 0x40, ttl 242, id 22806, offset 0, flags [none], proto UDP (17), length 1048)
        108.121.162.237.31084 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.913526 IP (tos 0xc0, ttl 64, id 40129, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 108.121.162.237: ICMP xx.xxx.xxx.xx udp port 100 unreachable, length 556
            IP (tos 0x40, ttl 242, id 22806, offset 0, flags [none], proto UDP (17), length 1048)
        108.121.162.237.31084 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.913448 IP (tos 0x40, ttl 242, id 22808, offset 0, flags [none], proto UDP (17), length 1048)
        145.143.62.47.36753 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.913539 IP (tos 0xc0, ttl 64, id 65470, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 145.143.62.47: ICMP xx.xxx.xxx.xx udp port 100 unreachable, length 556
            IP (tos 0x40, ttl 242, id 22808, offset 0, flags [none], proto UDP (17), length 1048)
        145.143.62.47.36753 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.913454 IP (tos 0x40, ttl 242, id 22800, offset 0, flags [none], proto UDP (17), length 1048)
        129.220.52.90.56449 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.913552 IP (tos 0xc0, ttl 64, id 25036, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 129.220.52.90: ICMP xx.xxx.xxx.xx udp port 100 unreachable, length 556
            IP (tos 0x40, ttl 242, id 22800, offset 0, flags [none], proto UDP (17), length 1048)
        129.220.52.90.56449 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.913460 IP (tos 0x40, ttl 242, id 22812, offset 0, flags [none], proto UDP (17), length 1048)
        53.191.146.135.48949 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.913562 IP (tos 0xc0, ttl 64, id 41569, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 53.191.146.135: ICMP xx.xxx.xxx.xx udp port 100 unreachable, length 556
            IP (tos 0x40, ttl 242, id 22812, offset 0, flags [none], proto UDP (17), length 1048)
        53.191.146.135.48949 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.913466 IP (tos 0x40, ttl 242, id 22815, offset 0, flags [none], proto UDP (17), length 1048)
        97.24.124.134.6241 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.913572 IP (tos 0xc0, ttl 64, id 50070, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 97.24.124.134: ICMP xx.xxx.xxx.xx udp port 100 unreachable, length 556
            IP (tos 0x40, ttl 242, id 22815, offset 0, flags [none], proto UDP (17), length 1048)
        97.24.124.134.6241 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.914040 IP (tos 0x40, ttl 242, id 22816, offset 0, flags [none], proto UDP (17), length 1048)
        223.87.178.241.22495 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.914120 IP (tos 0xc0, ttl 64, id 56246, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 223.87.178.241: ICMP xx.xxx.xxx.xx udp port 100 unreachable, length 556
            IP (tos 0x40, ttl 242, id 22816, offset 0, flags [none], proto UDP (17), length 1048)
        223.87.178.241.22495 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.914052 IP (tos 0x40, ttl 242, id 22809, offset 0, flags [none], proto UDP (17), length 1048)
        14.9.45.219.2318 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.914130 IP (tos 0xc0, ttl 64, id 14656, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 14.9.45.219: ICMP xx.xxx.xxx.xx udp port 100 unreachable, length 556
            IP (tos 0x40, ttl 242, id 22809, offset 0, flags [none], proto UDP (17), length 1048)
        14.9.45.219.2318 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.914066 IP (tos 0x40, ttl 242, id 22794, offset 0, flags [none], proto UDP (17), length 1048)
        181.25.43.141.6581 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.914140 IP (tos 0xc0, ttl 64, id 27644, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 181.25.43.141: ICMP xx.xxx.xxx.xx udp port 100 unreachable, length 556
            IP (tos 0x40, ttl 242, id 22794, offset 0, flags [none], proto UDP (17), length 1048)
        181.25.43.141.6581 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.914078 IP (tos 0x40, ttl 242, id 22810, offset 0, flags [none], proto UDP (17), length 1048)
        76.60.138.138.15436 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.914151 IP (tos 0xc0, ttl 64, id 26523, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 76.60.138.138: ICMP xx.xxx.xxx.xx udp port 100 unreachable, length 556
            IP (tos 0x40, ttl 242, id 22810, offset 0, flags [none], proto UDP (17), length 1048)
        76.60.138.138.15436 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.914095 IP (tos 0x40, ttl 242, id 22811, offset 0, flags [none], proto UDP (17), length 1048)
        1.77.48.232.19713 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.914160 IP (tos 0xc0, ttl 64, id 54361, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 1.77.48.232: ICMP xx.xxx.xxx.xx udp port 100 unreachable, length 556
            IP (tos 0x40, ttl 242, id 22811, offset 0, flags [none], proto UDP (17), length 1048)
        1.77.48.232.19713 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.914101 IP (tos 0x40, ttl 242, id 22799, offset 0, flags [none], proto UDP (17), length 1048)
        156.98.142.121.25244 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.914169 IP (tos 0xc0, ttl 64, id 48003, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 156.98.142.121: ICMP xx.xxx.xxx.xx udp port 100 unreachable, length 556
            IP (tos 0x40, ttl 242, id 22799, offset 0, flags [none], proto UDP (17), length 1048)
        156.98.142.121.25244 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.914107 IP (tos 0x40, ttl 242, id 22801, offset 0, flags [none], proto UDP (17), length 1048)
        138.149.209.42.38282 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.914181 IP (tos 0xc0, ttl 64, id 4971, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 138.149.209.42: ICMP xx.xxx.xxx.xx udp port 100 unreachable, length 556
            IP (tos 0x40, ttl 242, id 22801, offset 0, flags [none], proto UDP (17), length 1048)
        138.149.209.42.38282 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.914339 IP (tos 0x40, ttl 242, id 22807, offset 0, flags [none], proto UDP (17), length 1048)
        182.67.50.17.17334 > xx.xxx.xxx.xx.100: UDP, length 1020
    21:47:00.914374 IP (tos 0xc0, ttl 64, id 22036, offset 0, flags [none], proto ICMP (1), length 576)
        xx.xxx.xxx.xx > 182.67.50.17: ICMP xx.xxx.xxx.xx udp port 100 unreachable, length 556
            IP (tos 0x40, ttl 242, id 22807, offset 0, flags [none], proto UDP (17), length 1048)
    
    

    So the problem is that I want to drop illegal UDP floods on the pfSense WAN (I don't care if the flood is higher than my total speed with the ISP, because I have automatic RTBH (blackhole from the ISP for the IP which is under attack)); I just want to drop it, because if that flood is higher than a Gbps (my LAN servers' speed is a Gbps), my LAN servers will get lag.

    So the question is: how can I do that?

    BTW pfSense should move to the latest BSD because it supports multicore for PF :)

    Thanks to all of you for reading this and for your answers.

    BTW sorry for my bad English.

    BTW maybe it's possible to create a script that looks for a source sending packets (of the same packet size) 10 times OR a source sending more than some size in some time?

    Maybe SNORT rules? (but Snort eats a lot of CPU) I don't know how to create Snort rules, but I think it's possible to create:

    max UDP requests from source to destination per time
    max UDP size from source
    UDP echo alert
    UDP 0 to 0 port
    max UDP requests with the same size from source
    UDP request to unreachable port

    And what rules should count as legal UDP?
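The three checks the post asks about (a source repeating datagrams of one size, a source sending too much in a window, and datagrams to a port nobody listens on) can be run over the `tcpdump -nn -v` output shown above to confirm whether the flood is reaching the server at all. The script below is an added example, not code from this thread or from the pfSense project; it parses the two-line records verbose tcpdump prints, counts per source, and uses the ICMP "udp port N unreachable" replies our host sends as the sign that the datagrams got past the firewall. The addresses, the sample capture and the thresholds (10 datagrams, 10 of one size, 5 unreachable replies) are assumptions.

```python
"""Pick flood sources out of `tcpdump -nn -v` output.

Added example; not code from the pfSense thread or the pfSense project.
Thresholds, addresses and the sample capture are assumptions.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# First line of a record: timestamp, then the IP header summary.
HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP \(.*proto (\w+) \(\d+\), length (\d+)\)$")
# Second line of a UDP record: "src.sport > dst.dport: ..." (the tftp and the
# plain "UDP, length N" forms both fit; size is taken from the IP header).
UDP_LINE = re.compile(r"^([\d.]+)\.(\d+) > ([\d.]+)\.(\d+):")
# Second line of an ICMP port-unreachable record sent by our own host.
ICMP_LINE = re.compile(r"^([\d.]+) > ([\d.]+): ICMP [\d.]+ udp port (\d+) unreachable")


@dataclass
class SourceStats:
    datagrams: int = 0
    bytes: int = 0
    sizes: Counter = field(default_factory=Counter)   # IP length -> count
    ports: set = field(default_factory=set)           # destination ports hit
    unreachable_replies: int = 0                      # ICMP errors we sent back


def parse_capture(text):
    """Return {source_ip: SourceStats} for the UDP traffic in a capture."""
    stats = defaultdict(SourceStats)
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i].strip())
        i += 1
        if not m:
            # Blank lines, and the quoted copy of the offending datagram that
            # tcpdump prints under an ICMP error, carry no timestamp; skipping
            # them keeps a flood packet from being counted twice.
            continue
        proto, ip_len = m.group(1), int(m.group(2))
        detail = lines[i].strip() if i < len(lines) else ""
        i += 1
        if proto == "UDP" and (u := UDP_LINE.match(detail)):
            s = stats[u.group(1)]
            s.datagrams += 1
            s.bytes += ip_len
            s.sizes[ip_len] += 1
            s.ports.add(int(u.group(4)))
        elif proto == "ICMP" and (c := ICMP_LINE.match(detail)):
            stats[c.group(2)].unreachable_replies += 1
    return stats


def flag_sources(stats, max_datagrams=10, max_same_size=10, max_unreachable=5):
    """Apply the three tests from the post: volume, repeated size, and
    datagrams to closed ports. Returns {source_ip: [reasons]}."""
    verdicts = {}
    for src, s in stats.items():
        reasons = []
        if s.datagrams >= max_datagrams:
            reasons.append(f"{s.datagrams} datagrams, {s.bytes} bytes")
        if s.sizes:
            size, n = s.sizes.most_common(1)[0]
            if n >= max_same_size:
                reasons.append(f"{n} datagrams of exactly {size} bytes")
        if s.unreachable_replies >= max_unreachable:
            reasons.append(f"{s.unreachable_replies} port-unreachable replies sent")
        if reasons:
            verdicts[src] = reasons
    return verdicts


# --- constructed sample, laid out like the capture in the post ---------------
HOST = "203.0.113.10"       # our server (the "xx.xxx.xxx.xx" of the post), invented
FLOODER = "198.51.100.16"   # flood source, invented documentation address
CLIENT = "192.0.2.7"        # a legitimate DNS client, invented


def _udp(src, sport, dport, ip_len, payload):
    return (f"21:42:17.190870 IP (tos 0x40, ttl 242, id 1, offset 0, flags [none], "
            f"proto UDP (17), length {ip_len})\n    {src}.{sport} > {HOST}.{dport}:  {payload}\n")


def _unreachable(src, dport, udp_record):
    # tcpdump quotes the offending datagram under the ICMP error, indented
    # and without a timestamp.
    quoted = "IP " + udp_record.split(" IP ", 1)[1]
    quoted = "".join("    " + line + "\n" for line in quoted.splitlines())
    return (f"21:42:17.190997 IP (tos 0xc0, ttl 64, id 2, offset 0, flags [none], "
            f"proto ICMP (1), length 576)\n    {HOST} > {src}: ICMP {HOST} udp port "
            f"{dport} unreachable, length 556\n" + quoted)


def build_sample():
    out = []
    for _ in range(12):   # tftp-style flood to a closed port, every datagram the same size
        d = _udp(FLOODER, 39582, 69, 1048, "1020 tftp-#0")
        out.append(d + _unreachable(FLOODER, 69, d))
    for _ in range(2):    # two ordinary DNS queries; the server answers, so no ICMP error
        out.append(_udp(CLIENT, 40001, 53, 72, "12345+ A? example.com. (44)"))
    return "".join(out)


SAMPLE_CAPTURE = build_sample()

if __name__ == "__main__":
    for src, reasons in flag_sources(parse_capture(SAMPLE_CAPTURE)).items():
        print(src, "->", "; ".join(reasons))
```

Feed it a real capture with `python3 udpflood.py < capture.txt` after replacing `SAMPLE_CAPTURE` with `sys.stdin.read()`. A source that shows up with many port-unreachable replies is proof the datagrams were answered by the server, i.e. the WAN rule did not drop them; a per-host state limit only caps how many state entries one source may hold, it does not stop a single-packet-per-source flood from many addresses, which is what both captures in the post look like.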

