

Server getting UDP DDoS attacked. Advice?




Posted by Eli L, 10-16-2013, 03:10 AM
I have a dedicated (cPanel) server used for web hosting and have recently been getting UDP flood attacked (DDoS). The attacks are following a trend of lasting pretty close to 1.5 hours per attack. The following is an example of what floods my 'messages' log (* = censored):

Oct 15 22:38:27 * kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=* SRC=121.96.59.110 DST=*.203 LEN=826 TOS=0x00 PREC=0x00 TTL=120 ID=16928 PROTO=UDP SPT=19 DPT=50593 LEN=1221

The server has a 100Mb connection and the attacks use up all of it. (See this graph: http://i.imgur.com/umAhPxC.png ) I have multiple IPs on the server and all the firewall messages say the destination is only one of them. Are the attacks targeting a specific domain using that IP, or are they targeting the IP itself? If it's the IP, could I just move all accounts on that IP to a different one (e.g. *.204), then ask my provider to temporarily remove the attacked IP from the server? Basically, what can I do to stop this attack from affecting my server?
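
Added example, not part of the thread or of any poster's setup: a small Python script that parses "UDP_IN Blocked" lines of the kind quoted above and aggregates them by source address, source port and destination, which is what you need to know before asking a provider for an ACL (is it one or two senders, or thousands?) and to confirm that only one of the server's addresses is being hit. Note the SPT=19 in the quoted line: UDP/19 is the CHARGEN service, and a flood in which nearly every packet has the same well-known source port is characteristic of a reflection attack, where the SRC= addresses are reflectors answering spoofed requests rather than the attacker, so the useful upstream filter is on the UDP source port towards the victim address, not on individual senders. The log lines in the script are constructed (RFC 5737 documentation addresses), the port table, the 0.8 share threshold and the file-path usage are my assumptions, and because the kernel rate-limits these log messages the counts are a sample of the flood, not its volume; the uplink graph remains the measure of that.

```python
# Summarize netfilter/CSF "UDP_IN Blocked" log lines: who sends the flood,
# which local address it hits, and whether it looks like reflection.
import re
from collections import Counter

KV_RE = re.compile(r'(\w+)=(\S*)')       # key=value pairs of the LOG target
IP_LEN_RE = re.compile(r'\bLEN=(\d+)')   # first LEN= is the IP total length

# Assumed table of UDP source ports typical of reflection/amplification
# floods; 19 (CHARGEN) is the SPT in the line quoted in the post.
REFLECTOR_PORTS = {19: 'chargen', 53: 'dns', 123: 'ntp',
                   161: 'snmp', 1900: 'ssdp', 11211: 'memcached'}


def parse_line(line):
    """Return the fields of one "UDP_IN Blocked" line, or None for other lines."""
    if 'UDP_IN Blocked' not in line:
        return None
    f = dict(KV_RE.findall(line))        # second LEN= (UDP length) wins here,
    m = IP_LEN_RE.search(line)           # so take the IP length separately
    try:
        return {'src': f['SRC'], 'dst': f['DST'], 'spt': int(f['SPT']),
                'dpt': int(f['DPT']), 'ip_len': int(m.group(1))}
    except (KeyError, ValueError, AttributeError):
        return None


def summarize(lines, share=0.8):
    """Aggregate blocked-UDP entries and give a rough verdict.

    The kernel rate-limits these messages, so the counts are a sample of
    the flood, not its volume.
    """
    by_src, bytes_by_src = Counter(), Counter()
    by_dst, by_spt = Counter(), Counter()
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        by_src[p['src']] += 1
        bytes_by_src[p['src']] += p['ip_len']
        by_dst[p['dst']] += 1
        by_spt[p['spt']] += 1
    total = sum(by_src.values())
    verdict = 'no blocked UDP entries'
    if total:
        spt, n = by_spt.most_common(1)[0]
        top2 = sum(c for _, c in by_src.most_common(2))
        if n / total >= share and spt in REFLECTOR_PORTS and len(by_src) >= 3:
            # Many senders, one well-known source port: the SRC= addresses are
            # reflectors, so blocking them one by one is futile; ask the
            # provider to filter "UDP sport <spt> towards the victim address".
            verdict = f'reflection via {REFLECTOR_PORTS[spt]} (UDP/{spt})'
        elif top2 / total >= share:
            # One or two senders carry nearly everything: a direct flood the
            # provider can ACL by source address.
            verdict = 'direct flood from few sources'
        else:
            verdict = 'distributed direct flood'
    return {'packets': total, 'sources': len(by_src),
            'top_sources': by_src.most_common(3),
            'bytes_top_source': bytes_by_src.most_common(1),
            'targets': sorted(by_dst),           # one entry = a single IP is hit
            'top_spt': by_spt.most_common(3), 'verdict': verdict}


def _line(src, spt, ip_len, dst='203.0.113.203', dpt=50593):
    """Build a constructed log line in the poster's format (not real traffic)."""
    return (f'Oct 15 22:38:27 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= '
            f'MAC=* SRC={src} DST={dst} LEN={ip_len} TOS=0x00 PREC=0x00 TTL=120 '
            f'ID=16928 PROTO=UDP SPT={spt} DPT={dpt} LEN={ip_len - 20}')


# Constructed samples (RFC 5737 documentation addresses, not the thread's IPs).
REFLECTION_SAMPLE = [
    _line('192.0.2.10', 19, 826), _line('192.0.2.11', 19, 1500),
    _line('198.51.100.7', 19, 1500), _line('198.51.100.8', 19, 1420),
    _line('192.0.2.10', 19, 826), _line('192.0.2.44', 19, 1500),
    _line('198.51.100.200', 19, 900),
    _line('192.0.2.99', 40123, 60, dpt=53),     # unrelated DNS noise
    'Oct 15 22:38:28 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=* '
    'SRC=192.0.2.5 DST=203.0.113.203 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF '
    'PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0',  # ignored
    'Oct 15 22:38:29 host sshd[1234]: Accepted publickey for root',  # ignored
]
DIRECT_SAMPLE = ([_line('198.51.100.50', 30000 + i, 1400) for i in range(5)] +
                 [_line('198.51.100.51', 41000 + i, 1400) for i in range(3)])

if __name__ == '__main__':
    import sys
    # usage: python udp_flood_summary.py /var/log/messages   (no argument: sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors='replace') as fh:
            result = summarize(fh)
    else:
        result = summarize(REFLECTION_SAMPLE)
    for key, value in result.items():
        print(f'{key}: {value}')
```

Run it against /var/log/messages (or a `grep 'UDP_IN Blocked'` extract) during an attack; "targets" tells you whether a single address is hit, "top_sources" whether an ACL on one or two senders would help, and the verdict whether the senders are even the real source of the traffic.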

Posted by Scott.Mc, 10-16-2013, 04:20 AM
Correct. Given it's saturating your uplink, you cannot do anything server-side about it. You can ask your provider to null route the IP that's being affected, or see if they can ACL the attack (it's likely only coming from one or two sources).

Posted by incloudibly, 10-16-2013, 09:02 AM
If you don't need UDP, ask your provider to drop all UDP packets targeting your IP. However, if the attackers are determined, they'll change the type of attack once the UDP flood has no effect, so a remote DDoS-protected proxy is definitely a better solution.

Posted by supportexpertz, 10-16-2013, 09:49 AM
Get an Apache status update from the command line to see which domain is receiving the most hits:

lynx http://localhost/whm-server-status

OR

httpd fullstatus | more

That will help you identify the target of the attack.

Posted by DeltaAnime, 10-16-2013, 10:06 AM
How does Apache detect UDP floods?

Francisco

Posted by RobertJP, 10-16-2013, 06:07 PM
If you simply swap IPs, I'm sure the attacker will figure that out in no time. The server is used for web hosting - are you or one of your clients receiving the attack? If a client, you can suggest they host within a DDoS Protected network or employ a proxy solution. Thumbs up. Try to work with your provider.

Posted by ddosguru, 10-16-2013, 06:17 PM
Are you running anything on UDP/50593?

Posted by Infinitnet, 10-16-2013, 06:30 PM
If the UDP flood is saturating your uplink, there isn't any other way than moving to a protected network, either by getting a server inside a DDoS-protected datacenter or by looking for remote DDoS protection. You can try the free CloudFlare plan; they should be able to block UDP floods. And as @Scott.Mc suggested, you should first ask your provider if they can disable UDP for your IP.

Posted by Vex76, 10-17-2013, 12:51 AM
Even if the provider blocks UDP, there are plenty of other attack types. UDP is just the most bandwidth-eating one. Better to go with a DDoS protection provider.

Posted by Scott.Mc, 10-17-2013, 02:03 AM
Agreed; as time goes on, providers are going to have to start mitigating these types of attacks, especially these types, as not only are they very simple to launch, they are also very simple to detect and filter. Forcing your customers to leave for another network because you are incapable of handling basic floods won't be the general line in a few years, once providers start realizing lots and lots of their customers are having to leave, even their larger ones, all because of some very tiny attack.

I think you will always have specialized DDoS mitigation providers, but for the overwhelming majority, all providers are eventually going to have to have tools and measures in place to deal with them. The current level of automation amongst most of them is auto null routing, which means most of the mid-sized places are likely firing out several nulls per day, all of which equal potential unhappy customers.

For us specifically, customers only really come to us when they are having issues and they need them to go away. In the case of DDoS it irritates me when we are having to move entire customer environments simply because the provider is incapable of dealing with basic floods (key note: basic floods), and it puts a dim light on that provider to the extent we'd never consider them when spec'ing locations for customers. Many providers' thought process is that they'd rather lose that ~5 server customer, as it won't have much effect on them. As a side bit of irony, two of our largest customers, which have going on 800 systems between them, both came from tiny 1 hour ($100) jobs we did for individuals who then became staff at the new places and recommended us (both of them are unrelated and don't know each other, too). Point being, you just don't know what future business you are throwing away, all because they don't have the capacity to handle basic floods (from a handful of sources); again, we are not talking about more complicated (if you can call them that) attacks.

Posted by Eli L, 10-17-2013, 11:35 PM
The logs I've looked at don't show any specific domain being targeted, just the main shared IP. But maybe I'm looking in the wrong places? Can Cloudflare protect against attacks directed at an IP? I thought they were only for domains. Also, isn't UDP needed for things like DNS?

Nope.

I agree, but my provider (honelive) is a budget one; the servers are spec'ed pretty well and they're the cheapest I've seen for what you get. Their support is usually pretty slow and their usual policy is to disconnect servers if they are being hit with a DDoS. I expect very little in terms of working with them on the issue, and the solution to this problem is solely my own if I don't want the server unplugged. Moving to a better provider is also not a solution unless the other provider is comparable in price and server specs.

My current plan of action, if the attacks continue, is to move all accounts from the affected IP to a different one, then have the IP null routed and see if that helps.

Posted by real_mc, 10-18-2013, 04:14 AM
Sounds like everyone here needs a provider that offers external BGP to customers, accepts smaller than /24 subnets (obviously), a private AS, and blackhole communities or even BGP FlowSpec.

Posted by Infinitnet, 10-18-2013, 05:29 AM
You're right, they only offer proxying and no tunneling, so you can only protect domains with them. There are other providers who offer tunneling for other services as well, though. Also, it's normal that you can't find out which domain was the target in the case of a UDP flood, as it's a network layer flood. You won't know the target domain of the attack until you have separated all your domains from each other (each on a different IP, I mean) and then wait until they attack. The other option would be to protect all of your domains and/or use a tunnel.

Posted by GreenHornet, 10-18-2013, 05:45 AM
Basically, the one who attacks you will just snipe your domains' new IP address and attack there. Changing IP is not an option when you are not DDoS protected.


