TCP Ack Flood
Sample Pcap
Follow the tcpdump guide to record a pcap during an attack to analyze it.
In the above, we see the source IP (192.168.0.1) is sending a UDP packet to 198.251.81.119 port 1900 (our server). The content shows that it is an SSDP packet.
Here are some other packets:
This packet is coming from a Linux UPnP device. It could be a printer, a phone, a router...
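As an added example (not part of the original page), here is a small Python script that tallies the inbound UDP packets in tcpdump's text output by destination port and by source address, so you can confirm which port the flood is hitting, which sources dominate it, and how much of the inbound UDP a "block all UDP except a whitelist" rule would have dropped. The log lines are constructed to resemble the one-line summary tcpdump prints for IP/UDP packets; the parser assumes that format, and the server address 198.251.81.119 is the one used on this page.

```python
"""Summarize inbound UDP traffic from tcpdump's text output.

Added example, not code from the original page.  The sample lines below
are constructed in the default tcpdump summary format for IP/UDP:
    "HH:MM:SS.micro IP src.sport > dst.dport: UDP, length N"
and parse_tcpdump_line() assumes exactly that layout.
"""
import re
from collections import Counter

SERVER_IP = "198.251.81.119"  # the server address used on this page

# Constructed sample capture: an SSDP flood on UDP/1900 mixed with a DNS
# query, the server's DNS reply (outbound) and an NTP packet.
SAMPLE_LINES = """\
10:00:00.000100 IP 192.168.0.1.1900 > 198.251.81.119.1900: UDP, length 320
10:00:00.000200 IP 192.168.0.1.1900 > 198.251.81.119.1900: UDP, length 320
10:00:00.000300 IP 10.9.8.7.1900 > 198.251.81.119.1900: UDP, length 298
10:00:00.000400 IP 192.168.0.1.1900 > 198.251.81.119.1900: UDP, length 320
10:00:00.000500 IP 203.0.113.5.53421 > 198.251.81.119.53: UDP, length 61
10:00:00.000600 IP 198.251.81.119.53 > 203.0.113.5.53421: UDP, length 145
10:00:00.000700 IP 192.168.0.1.1900 > 198.251.81.119.1900: UDP, length 320
10:00:00.000800 IP 203.0.113.9.123 > 198.251.81.119.123: UDP, length 48
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def parse_tcpdump_line(line):
    """Parse one tcpdump UDP summary line; return a dict or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "length": int(m["len"]),
    }


def summarize(lines, server_ip):
    """Count inbound UDP packets to server_ip.

    Returns three Counters: packets per destination port, packets per
    (source IP, destination port) pair, and bytes per destination port.
    Outbound packets (source == server_ip) and unparsable lines are skipped.
    """
    by_port = Counter()
    by_src_port = Counter()
    bytes_by_port = Counter()
    for line in lines:
        pkt = parse_tcpdump_line(line)
        if pkt is None or pkt["dst"] != server_ip:
            continue
        by_port[pkt["dport"]] += 1
        by_src_port[(pkt["src"], pkt["dport"])] += 1
        bytes_by_port[pkt["dport"]] += pkt["length"]
    return by_port, by_src_port, bytes_by_port


def flood_ports(by_port, threshold):
    """Destination ports that received at least `threshold` packets in the sample."""
    return sorted(p for p, n in by_port.items() if n >= threshold)


def dropped_by_whitelist(by_port, allowed_ports):
    """Inbound packets a 'block all UDP except allowed_ports' rule would drop."""
    return sum(n for p, n in by_port.items() if p not in allowed_ports)


if __name__ == "__main__":
    lines = SAMPLE_LINES.splitlines()
    ports, sources, nbytes = summarize(lines, SERVER_IP)
    for port, count in ports.most_common():
        print(f"udp/{port}: {count} packets, {nbytes[port]} bytes")
    for (src, port), count in sources.most_common(3):
        print(f"  top source {src} -> udp/{port}: {count} packets")
    print("flood candidates:", flood_ports(ports, 3))
    print("dropped with whitelist {53, 123}:", dropped_by_whitelist(ports, {53, 123}))
```

To run it on a real capture, replace SAMPLE_LINES with the output of `tcpdump -n -r attack.pcap udp` (the `-n` flag keeps addresses and ports numeric, which is what the regex expects) and set SERVER_IP to your own address. The whitelist count tells you, before you touch /etc/pf.conf, how much legitimate UDP (DNS, NTP) sits alongside the flood.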
How to Block
First, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are on BuyVM, check the web panel to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.
Using pf (the packet filter firewall), you will want to block UDP packets to port 1900. You could put this macro and rule at the beginning of /etc/pf.conf:
ext_ip="192.168.0.1"
block drop quick proto udp from any to $ext_ip port 1900
A better solution is to block all UDP packets except for a few ports that you whitelist:
ext_ip="192.168.0.1"
pass in quick proto udp to $ext_ip port {domain ntp}
block drop quick proto udp to $ext_ip
This would whitelist DNS and NTP packets but drop all other UDP packets. Because pf matches packets against existing state before it evaluates the ruleset, replies to the server's own outbound UDP queries (for example its DNS lookups) still get through as long as a stateful pass out rule exists further down in the ruleset.