# UDP Flood

An attacker can flood a server with UDP packets targeted at random ports. The server will process each packet, discover there is no application listening on that port, and then waste time sending an ICMP Destination Unreachable reply.

## Sample Pcap

Follow the [tcpdump](/openbsd/tcpdump) guide to record a pcap during an attack so you can analyze it.

```
13:02:41.051373 192.168.0.1.1935 > 198.251.81.119.17710: udp 341 (DF) [tos 0x28] (ttl 48, id 0, len 369)
E(.q..@.0..Q......Qw..E..]..HTTP/1.1 200 OK CACHE-CONTROL:
```

In the above, we see the source IP (192.168.0.1) is sending a UDP packet to 198.251.81.119 port 17710 (our server). It is a UDP packet with the DF (don't fragment) flag set. The content of the packet shows that it is an HTTP reply.

Here's another similar packet:

```
13:02:41.081976 172.16.0.1.57760 > 198.251.81.119.38699: udp 389 (DF) [tos 0x48] (ttl 50, id 0, len 417)
EH....@.2.'N.-....Qw...+.. .HTTP/1.1 200 OK CACHE-CONTROL:
```

This time, the source IP (172.16.0.1) is sending a UDP packet to 198.251.81.119 port 38699 (our server). Notice that each time, the UDP packets are sent to a different, random port.

## How to Block

First, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are on [BuyVM](/openbsd/buyvm), check the [web panel](https://manage.buyvm.net) to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.

Using the [packet filter](/openbsd/pf) firewall, you will want to block all unwanted UDP packets.
The easiest way to do this is to first whitelist the packets you want (create a rule that allows all good UDP packets in), then blacklist all remaining UDP (create a rule to drop all remaining UDP packets):

```
ext_ip="192.168.0.1"
pass in quick proto udp to $ext_ip port {domain ntp}
block drop quick proto udp to $ext_ip
```

This would whitelist DNS and NTP packets but drop all other UDP packets.

## See Also

[DDoS Defense](/openbsd/Ddos)
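To make the random-port pattern from the Sample Pcap section measurable, here is an added example (not part of the original page) that parses OpenBSD tcpdump lines in the format shown above and flags sources hitting many distinct ports outside the whitelisted domain/ntp services. The sample lines beyond the page's two packets, and the threshold of three distinct ports, are constructed assumptions.

```python
import re
from collections import defaultdict

# Regex for the OpenBSD tcpdump line format shown in the Sample Pcap section;
# the payload dump lines that follow each packet do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
)

# Constructed sample: the two packets from the page plus a few more in the
# same style, and one legitimate DNS query on port 53 for contrast.
SAMPLE = """\
13:02:41.051373 192.168.0.1.1935 > 198.251.81.119.17710: udp 341 (DF) [tos 0x28] (ttl 48, id 0, len 369)
E(.q..@.0..Q......Qw..E..]..HTTP/1.1 200 OK CACHE-CONTROL:
13:02:41.081976 172.16.0.1.57760 > 198.251.81.119.38699: udp 389 (DF) [tos 0x48] (ttl 50, id 0, len 417)
13:02:41.090112 192.168.0.1.1935 > 198.251.81.119.5120: udp 341 (DF) [tos 0x28] (ttl 48, id 0, len 369)
13:02:41.101500 192.168.0.1.1935 > 198.251.81.119.60231: udp 341 (DF) [tos 0x28] (ttl 48, id 0, len 369)
13:02:41.110003 10.0.0.7.41222 > 198.251.81.119.53: udp 45 (DF) [tos 0x0] (ttl 60, id 0, len 73)
13:02:41.120777 172.16.0.1.57760 > 198.251.81.119.2211: udp 389 (DF) [tos 0x48] (ttl 50, id 0, len 417)
"""


def parse_line(line):
    """Return the UDP packet fields of one tcpdump line, or None for non-packet lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "len": int(m["len"])}


def find_flood_sources(lines, allowed_ports=(53, 123), min_ports=3):
    """Map each source IP to the sorted distinct destination ports it hit,
    ignoring ports we actually serve (domain and ntp, as in the pf whitelist),
    and keep only sources that sprayed at least min_ports different ports."""
    hits = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["dport"] in allowed_ports:
            continue
        hits[pkt["src"]].add(pkt["dport"])
    return {src: sorted(ports) for src, ports in hits.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_flood_sources(SAMPLE.splitlines()).items():
        print(f"{src} sprayed {len(ports)} unexpected UDP ports: {ports}")
```

On a real capture, feed it `tcpdump -n -r flood.pcap udp` output instead of SAMPLE; sources that spray many ports while legitimate clients only reach 53 and 123 are what the pf block rule above is meant to drop.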