Tutorial Preventing UDP Spoofing Attacks (99.9% PROTECTION)

NatureNMoon

Restricted
Jul 8, 2016
70
124
86
Hello everyone;

Many people hate taking UDP spoofing attacks. It makes almost everyone angry. However, it is not a big deal :)

Today, I will help you about preventing UDP spoofing attacks.

You can prevent UDP spoofing attacks by using IPTABLES and IPSET (If you do not have them, you can download by using the command lines below);

CentOS:
Code:
yum install iptables
yum install ipset

Ubuntu/Debian:
Code:
apt-get install iptables
apt-get install ipset

Here is the script "r4p3.sh"

Bash:
#!/bin/bash
# R4P3 UDP SPOOFING ATTACKS PREVENTION by Nature N Moon - R4P3.NET
# If you need help, do not hesitate to keep in touch with me

ipset create r4p3_udp_spoofing hash:ip hashsize 16777216 maxelem 40000000 timeout 120
iptables -N R4P3 -t raw
iptables -A PREROUTING -p udp -m set ! --match-set r4p3_udp_spoofing src -t raw -j R4P3
iptables -A R4P3 -t raw -j SET --add-set r4p3_udp_spoofing src
iptables -A R4P3 -t raw -j DROP

Please give full permission "chmod +x r4p3.sh" and start the script by using "./r4p3.sh" . After that, you can save and restart your iptables service.

Let me explain how these 5 codes can prevent UDP Spoofing attacks;

First of all, "UDP SPOOFING ATTACKS" are always changeable. That's why, if someone attacks you by using spoofing attacks, they will not use the same ip address again and again. That's why, these iptables rules may help you to prevent UDP spoofing attacks.

UDP protocol do not work like TCP protocol. That's why, if you want to prevent TCP attacks, SYNPROXY may help you. (I suggest you to use it)

WARNING: THE POWER OF THIS SCRIPT DEPENDS ON YOUR RAM, CPU, NIC, INTERNET SPEED, BUT THE RAW CHAIN OF THE IPTABLES HAS THE HIGHEST PACKET RATE WHICH IS 1.000.000 PACKET PER SECOND.



 
Last edited:

aLp59

Member
Jul 13, 2016
3
5
38
This prevention works well. I had a problem but I fixed it by myself. If you have a problem about your UDP port or ports, use this guys. This code worked well for me. For now, no problem. Can you share some preventions for TCP protocol except Synproxy.
 

NatureNMoon

Restricted
Jul 8, 2016
70
124
86
This prevention works well. I had a problem but I fixed it by myself. If you have a problem about your UDP port or ports, use this guys. This code worked well for me. For now, no problem. Can you share some preventions for TCP protocol except Synproxy.
SYNPROXY is one of the best preventions for TCP protocol. As you know, it is not the only one which prevents ddos attacks on TCP.

Here is the connlimit rule which may help you. You can add more port numbers by using "," like 50,60,70,80...
Bash:
-p tcp -m multiport --dports 21,22,25,80,443,1433,3306,3389 -m connlimit --connlimit-above 20 --connlimit-mask 32 --connlimit-saddr -j DROP

Please use only the parameters below for SYNPROXY:
Bash:
--sack-perm --timestamp

You can also use notrack for TCP, notrack command makes TCP traffic untraceable. That's why, if someone attacks you by using TCP spoofing attacks, notrack will keep you safe :)
(YOU MUST USE YOUR EXTERNAL INTERFACE, PLEASE CHANGE IT FROM THE IPTABLES RULE BELOW;)
Bash:
-i YourExternalInterface -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack

The rules and information above will help you a lot I guess. I am also planning to do something like SYNPROXY. However, it is not very soon :)
 
Last edited:

Kaptan647

Retired Staff
Contributor
Apr 25, 2015
314
398
112
Nice one! But some applications that requires to send information outside ( to a serverlist for example) might have some problems. You need to whiitelist them or use conntrack and dont block the udp packets if the first connection orginates from server.
 

NatureNMoon

Restricted
Jul 8, 2016
70
124
86
dont block the udp packets if the first connection orginates from server.
If you want to make an exception, you can do it for sure. However, all the applications using UDP have reconnection process. I am using this action :) meaning if the connection comes from a real person or application, he or it has to send the connection again. Also you can use the exception rules for TeamSpeak3 weblist:
Here is the source: https://support.teamspeakusa.com/in...6/which-ports-does-the-teamspeak-3-server-use
Here is the TeamSpeak3 Weblist exception rule below;
Code:
-p udp ! --dport 2010
or if you have more than one port for which you want to make an exception below;
Code:
-p udp -m multiport ! --dports 2010,9987
If someone needs help, they can keep in touch with me by pm or posting here
 
Last edited:

Th3XeonPlat

Member
Mar 10, 2017
19
9
53
You cant filter more then the network link allows, that why the "99,9%" is kinda fishy..
Most Server have like 1G or mybe 10G and most AMP attacks are way bigger.

It filters 99,9% attacks as long as its <1G lol.
the attack already arrives filtered but not at 100% it arrives 300mbps and with my iptable rules i make it 22mbps but i need to make it 0
 

NatureNMoon

Restricted
Jul 8, 2016
70
124
86
the attack already arrives filtered but not at 100% it arrives 300mbps and with my iptable rules i make it 22mbps but i need to make it 0
You can prevent this by using your server, there should be a firewall in front of your server, that's why u can filter it and make it 0 ;)

From 300mbps to 22mbps is a great rate for preventing.
 

Sam_Groot

Member
Jan 16, 2022
1
0
33
Hello everyone;

Many people hate taking UDP spoofing attacks. It makes almost everyone angry. However, it is not a big deal :)

Today, I will help you about preventing UDP spoofing attacks.

You can prevent UDP spoofing attacks by using IPTABLES and IPSET (If you do not have them, you can download by using the command lines below);

CentOS:
Code:
yum install iptables
yum install ipset

Ubuntu/Debian:
Code:
apt-get install iptables
apt-get install ipset

Here is the script "r4p3.sh"

Bash:
#!/bin/bash
# R4P3 UDP SPOOFING ATTACKS PREVENTION by Nature N Moon - R4P3.NET
# If you need help, do not hesitate to keep in touch with me

ipset create r4p3_udp_spoofing hash:ip hashsize 16777216 maxelem 40000000 timeout 120
iptables -N R4P3 -t raw
iptables -A PREROUTING -p udp -m set ! --match-set r4p3_udp_spoofing src -t raw -j R4P3
iptables -A R4P3 -t raw -j SET --add-set r4p3_udp_spoofing src
iptables -A R4P3 -t raw -j DROP

Please give full permission "chmod +x r4p3.sh" and start the script by using "./r4p3.sh" . After that, you can save and restart your iptables service.

Let me explain how these 5 codes can prevent UDP Spoofing attacks;

First of all, "UDP SPOOFING ATTACKS" are always changeable. That's why, if someone attacks you by using spoofing attacks, they will not use the same ip address again and again. That's why, these iptables rules may help you to prevent UDP spoofing attacks.

UDP protocol do not work like TCP protocol. That's why, if you want to prevent TCP attacks, SYNPROXY may help you. (I suggest you to use it)

WARNING: THE POWER OF THIS SCRIPT DEPENDS ON YOUR RAM, CPU, NIC, INTERNET SPEED, BUT THE RAW CHAIN OF THE IPTABLES HAS THE HIGHEST PACKET RATE WHICH IS 1.000.000 PACKET PER SECOND.



Thanks for the rules. They are working good.
Can u maybe can give more information about the rules and variables u using? Like what hassize and maxelem does.
Thx.
 
Top