# TCP Ack Flood

## TCP Ack Flood



## Sample Pcap

Follow the [tcpdump](/openbsd/tcpdump) guide to record a pcap during an attack to analyze it.



In the above, we see the source IP (192.168.0.1) is sending a UDP packet to 198.251.81.119 port 1900 (our server). The content shows that it is an SSDP packet.

Here are some other packets:



This packet is coming from a Linux UPnP device. It could be a printer, a phone, a router...

## How to Block

First, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are [BuyVM](openbsd/buyvm), check the [[web panel](/https://manage.buyvm.net) to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.
First, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are [BuyVM](openbsd/buyvm), check the [[web panel](/https://manage.buyvm.net) to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.

Using the [packet filter](/openbsd/pf) firewall, you will want to block UDP packets on port 1900. You could put these two rules at the beginning of /etc/pf.conf:

    ext_ip="192.168.0.1"
    block drop quick proto udp from any to $ext_ip port 1900


A better solution is to block all udp packets except for a few ports that you whitelist:

    ext_ip="192.168.0.1"
    pass in quick proto udp to $ext_ip port {domain ntp}
    block drop quick proto udp to $ext_ip port 1900


This would whitelist DNS and NTP packets but drop all other UDP packets.

## See Also

[DDoS Defense](/openbsd/Ddos)