Tutorial: Preventing UDP Spoofing Attacks (99.9% PROTECTION)

NatureNMoon (Moderator)
Hello everyone;

Many people hate receiving UDP spoofing attacks. It makes almost everyone angry. However, it is not a big deal :)

Today, I will help you with preventing UDP spoofing attacks.

You can prevent UDP spoofing attacks by using IPTABLES and IPSET (if you do not have them, you can install them by using the commands below):

CentOS:
Code:
yum install iptables
yum install ipset
Ubuntu/Debian:
Code:
apt-get install iptables
apt-get install ipset
Here is the script "r4p3.sh"

Bash:
#!/bin/bash
# R4P3 UDP SPOOFING ATTACKS PREVENTION by Nature N Moon - R4P3.NET
# If you need help, do not hesitate to keep in touch with me

# Set of source IPs that have already sent one UDP packet; each entry expires after 120 seconds
ipset create r4p3_udp_spoofing hash:ip hashsize 16777216 maxelem 40000000 timeout 120
# Custom chain in the raw table (evaluated before connection tracking)
iptables -t raw -N R4P3
# UDP packets whose source is NOT yet in the set are sent to the R4P3 chain
iptables -t raw -A PREROUTING -p udp -m set ! --match-set r4p3_udp_spoofing src -j R4P3
# R4P3: remember the source, then drop this first packet; a real client retransmits and then passes
iptables -t raw -A R4P3 -j SET --add-set r4p3_udp_spoofing src
iptables -t raw -A R4P3 -j DROP
Please give full permission with "chmod +x r4p3.sh" and start the script by using "./r4p3.sh". After that, you can save and restart your iptables service.

Let me explain how these 5 lines can prevent UDP spoofing attacks:

First of all, UDP spoofing attacks are always changing: if someone attacks you with spoofed packets, they will not use the same IP address again and again. That's why these iptables rules may help you prevent UDP spoofing attacks.

The UDP protocol does not work like the TCP protocol. That's why, if you want to prevent TCP attacks, SYNPROXY may help you. (I suggest you use it.)

WARNING: THE POWER OF THIS SCRIPT DEPENDS ON YOUR RAM, CPU, NIC AND INTERNET SPEED, BUT THE RAW CHAIN OF IPTABLES HAS THE HIGHEST PACKET RATE, WHICH IS 1,000,000 PACKETS PER SECOND.
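The first-packet logic of the five rules above, modelled in Python as an added example that is not part of the original post: it replays a constructed trace of one real client and one spoofed flood through the same set/timeout behaviour, and shows the side effect that a legitimate client loses one datagram each time its 120 s ipset entry expires, because packets from a known source never re-enter the R4P3 chain and so never refresh the timer. The addresses 203.0.113.10 and 10.x.x.x are constructed placeholders.

```python
"""Model of the r4p3.sh first-packet filter (added example, not the original
script). Raw-table logic: a UDP source not yet in the ipset is added with a
120 s timeout and its packet is DROPped; a source already in the set is left
alone and its packet continues. Runs without ipset or iptables."""

TIMEOUT = 120  # seconds, matches `ipset create ... timeout 120`


class FirstPacketFilter:
    def __init__(self, timeout=TIMEOUT):
        self.timeout = timeout
        self.expiry = {}  # src ip -> time at which the ipset entry expires

    def handle(self, src, now):
        """Verdict for one UDP datagram from src arriving at time now (seconds)."""
        # ipset removes an entry once its timeout has elapsed
        if src in self.expiry and self.expiry[src] <= now:
            del self.expiry[src]
        if src in self.expiry:
            # `-m set ! --match-set r4p3_udp_spoofing src` does not match, so the
            # packet never enters R4P3 and the entry's timeout is NOT refreshed
            return "PASS"
        # `-j R4P3`: SET --add-set starts the 120 s timer, then DROP
        self.expiry[src] = now + self.timeout
        return "DROP"


def run_trace(packets):
    """packets: iterable of (time_seconds, src_ip); returns the list of verdicts."""
    f = FirstPacketFilter()
    return [f.handle(src, t) for t, src in packets]


# Constructed trace: one real client (203.0.113.10) that retransmits, as UDP
# applications do. Its first packet is dropped, the retransmit passes, and once
# the entry has expired (t=130 > 120) it loses one more packet before passing again.
LEGIT_TRACE = [(0, "203.0.113.10"), (1, "203.0.113.10"), (60, "203.0.113.10"),
               (130, "203.0.113.10"), (131, "203.0.113.10")]


def spoofed_flood(n):
    """Constructed flood: n datagrams, a different (spoofed) source address each."""
    return [(i / 1000, f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}") for i in range(n)]


if __name__ == "__main__":
    print("legit client:", run_trace(LEGIT_TRACE))
    flood = run_trace(spoofed_flood(10000))
    print("spoofed flood: %d of %d dropped" % (flood.count("DROP"), len(flood)))
```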

aLp59 (Member)
This prevention works well. I had a problem, but I fixed it by myself. If you have a problem with your UDP port or ports, use this, guys. This code worked well for me. For now, no problem. Can you share some preventions for the TCP protocol other than SYNPROXY?

NatureNMoon (Moderator)
This prevention works well. I had a problem, but I fixed it by myself. If you have a problem with your UDP port or ports, use this, guys. This code worked well for me. For now, no problem. Can you share some preventions for the TCP protocol other than SYNPROXY?
SYNPROXY is one of the best preventions for the TCP protocol. As you know, it is not the only one which prevents DDoS attacks on TCP.

Here is the connlimit rule which may help you. You can add more port numbers by using "," like 50,60,70,80...
Bash:
# Drop new TCP connections to these ports when the source address (/32) already has more than 20 of them
iptables -A INPUT -p tcp -m multiport --dports 21,22,25,80,443,1433,3306,3389 -m connlimit --connlimit-above 20 --connlimit-mask 32 --connlimit-saddr -j DROP
Please use only the parameters below for SYNPROXY:
Bash:
# SYNPROXY answers the handshake on behalf of the server; only these two TCP options are passed to it
iptables -A INPUT -p tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp
You can also use notrack for TCP. The notrack command makes TCP traffic untracked. That's why, if someone attacks you by using TCP spoofing attacks, notrack will keep you safe :)
(YOU MUST USE YOUR EXTERNAL INTERFACE, PLEASE CHANGE IT IN THE IPTABLES RULE BELOW:)
Bash:
# The CT target is only valid in the raw table; pure SYN packets on the external interface bypass conntrack
iptables -t raw -A PREROUTING -i YourExternalInterface -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack
The rules and information above will help you a lot, I guess. I am also planning to do something like SYNPROXY. However, it is not very soon :)

Kaptan647 (Retired Staff, Contributor)
Nice one! But some applications that need to send information outside (to a server list, for example) might have some problems. You need to whitelist them or use conntrack and don't block the UDP packets if the first connection originates from the server.

NatureNMoon (Moderator)
don't block the UDP packets if the first connection originates from the server.
If you want to make an exception, you can do it for sure. However, all the applications using UDP have a reconnection process. I am using this behaviour :) meaning that if the connection comes from a real person or application, they have to send the connection again. You can also use the exception rules for the TeamSpeak3 weblist:
Here is the source: https://support.teamspeakusa.com/index.php?/Knowledgebase/Article/View/44/16/which-ports-does-the-teamspeak-3-server-use
Here is the TeamSpeak3 weblist exception rule below:
Code:
# Same PREROUTING rule as in r4p3.sh, but UDP packets to port 2010 are excluded from the check
iptables -t raw -A PREROUTING -p udp ! --dport 2010 -m set ! --match-set r4p3_udp_spoofing src -j R4P3
or, if you have more than one port for which you want to make an exception:
Code:
# Same rule with several excluded ports (multiport accepts up to 15 ports)
iptables -t raw -A PREROUTING -p udp -m multiport ! --dports 2010,9987 -m set ! --match-set r4p3_udp_spoofing src -j R4P3
If someone needs help, they can keep in touch with me by PM or by posting here.

fourwind (New Member)
It didn't make a difference. I tried to attack with LDAP amp and the server got rekt xD
You can't filter more than the network link allows, that's why the "99.9%" is kinda fishy..
Most servers have like 1G or maybe 10G and most amp attacks are way bigger.

It filters 99.9% of attacks as long as it's <1G lol.

Th3XeonPlat (Member)
You can't filter more than the network link allows, that's why the "99.9%" is kinda fishy..
Most servers have like 1G or maybe 10G and most amp attacks are way bigger.

It filters 99.9% of attacks as long as it's <1G lol.
The attack already arrives filtered, but not at 100%. It arrives at 300 Mbps and with my iptables rules I make it 22 Mbps, but I need to make it 0.

NatureNMoon (Moderator)
The attack already arrives filtered, but not at 100%. It arrives at 300 Mbps and with my iptables rules I make it 22 Mbps, but I need to make it 0.
You can prevent this by using your server: there should be a firewall in front of your server, that's why you can filter it and make it 0 ;)

From 300 Mbps to 22 Mbps is a great rate for prevention.