Tutorial Preventing UDP Spoofing Attacks (99.9% PROTECTION)

[NatureNMoon]

Hello everyone;

Many people hate taking UDP spoofing attacks. It makes almost everyone angry. However, it is not a big deal

Today, I will help you about preventing UDP spoofing attacks.

You can prevent UDP spoofing attacks by using IPTABLES and IPSET (If you do not have them, you can download by using the command lines below);

CentOS:

yum install iptables
yum install ipset

Ubuntu/Debian:

apt-get install iptables
apt-get install ipset

Here is the script "r4p3.sh"

#!/bin/bash
# R4P3 UDP SPOOFING ATTACKS PREVENTION by Nature N Moon - R4P3.NET
# If you need help, do not hesitate to keep in touch with me

ipset create r4p3_udp_spoofing hash:ip hashsize 16777216 maxelem 40000000 timeout 120
iptables -N R4P3 -t raw
iptables -A PREROUTING -p udp -m set ! --match-set r4p3_udp_spoofing src -t raw -j R4P3
iptables -A R4P3 -t raw -j SET --add-set r4p3_udp_spoofing src
iptables -A R4P3 -t raw -j DROP

Please give full permission "chmod +x r4p3.sh" and start the script by using "./r4p3.sh" . After that, you can save and restart your iptables service.

Let me explain how these 5 codes can prevent UDP Spoofing attacks;

First of all, "UDP SPOOFING ATTACKS" are always changeable. That's why, if someone attacks you by using spoofing attacks, they will not use the same ip address again and again. That's why, these iptables rules may help you to prevent UDP spoofing attacks.

UDP protocol do not work like TCP protocol. That's why, if you want to prevent TCP attacks, SYNPROXY may help you. (I suggest you to use it)

WARNING: THE POWER OF THIS SCRIPT DEPENDS ON YOUR RAM, CPU, NIC, INTERNET SPEED, BUT THE RAW CHAIN OF THE IPTABLES HAS THE HIGHEST PACKET RATE WHICH IS 1.000.000 PACKET PER SECOND.

​

 

[Qwe2390]

Couldn't be better. We need more content about network security

 

[aLp59]

This prevention works well. I had a problem but I fixed it by myself. If you have a problem about your UDP port or ports, use this guys. This code worked well for me. For now, no problem. Can you share some preventions for TCP protocol except Synproxy.

 

[NatureNMoon]

This prevention works well. I had a problem but I fixed it by myself. If you have a problem about your UDP port or ports, use this guys. This code worked well for me. For now, no problem. Can you share some preventions for TCP protocol except Synproxy.

SYNPROXY is one of the best preventions for TCP protocol. As you know, it is not the only one which prevents ddos attacks on TCP.

Here is the connlimit rule which may help you. You can add more port numbers by using "," like 50,60,70,80...

-p tcp -m multiport --dports 21,22,25,80,443,1433,3306,3389 -m connlimit --connlimit-above 20 --connlimit-mask 32 --connlimit-saddr -j DROP

Please use only the parameters below for SYNPROXY:

--sack-perm --timestamp

You can also use notrack for TCP, notrack command makes TCP traffic untraceable. That's why, if someone attacks you by using TCP spoofing attacks, notrack will keep you safe
(YOU MUST USE YOUR EXTERNAL INTERFACE, PLEASE CHANGE IT FROM THE IPTABLES RULE BELOW

-i YourExternalInterface -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack

The rules and information above will help you a lot I guess. I am also planning to do something like SYNPROXY. However, it is not very soon

 

[ZapicoGT]

For SAMP? Port 7777 UDP. Botnet attacks. 15k ip's

 

[NatureNMoon]

For SAMP? Port 7777 UDP. Botnet attacks. 15k ip's

This rule set can help you to prevent all UDP attacks, including SA-MP. I will also check SA-MP when I am available to create a new rule set to prevent the ddos attacks against SA-MP

 

[mkll11one]

Hi @NatureNMoon will you too setup with CSGO Server of "rule-set" of iptables?

 

[Asphyxia]

For SAMP? Port 7777 UDP. Botnet attacks. 15k ip's

Have you already glanced over here btw? https://javapipe.com/blog/samp-ddos-protection/

 

[NatureNMoon]

Hi @NatureNMoon will you too setup with CSGO Server of "rule-set" of iptables?

Here is the sule-set for all VALVE GAMES like CSGO, RUST etc... https://r4p3.net/threads/valve-ddos-protection-99-9.8042/
I heard your voice

 

[ZapicoGT]

Have you already glanced over here btw? https://javapipe.com/blog/samp-ddos-protection/

Yes, but it does not usually work. Leave the server unresponsive but SSH if it works.

 

[ZapicoGT]

This rule set can help you to prevent all UDP attacks, including SA-MP. I will also check SA-MP when I am available to create a new rule set to prevent the ddos attacks against SA-MP

I would be grateful. Thank you.

 

[ZapicoGT]

This rule set can help you to prevent all UDP attacks, including SA-MP. I will also check SA-MP when I am available to create a new rule set to prevent the ddos attacks against SA-MP

This please!

 

[Kaptan647]

Nice one! But some applications that requires to send information outside ( to a serverlist for example) might have some problems. You need to whiitelist them or use conntrack and dont block the udp packets if the first connection orginates from server.

 

[NatureNMoon]

dont block the udp packets if the first connection orginates from server.

If you want to make an exception, you can do it for sure. However, all the applications using UDP have reconnection process. I am using this action meaning if the connection comes from a real person or application, he or it has to send the connection again. Also you can use the exception rules for TeamSpeak3 weblist:
Here is the source: https://support.teamspeakusa.com/in...6/which-ports-does-the-teamspeak-3-server-use
Here is the TeamSpeak3 Weblist exception rule below;

-p udp ! --dport 2010

or if you have more than one port for which you want to make an exception below;

-p udp -m multiport ! --dports 2010,9987

If someone needs help, they can keep in touch with me by pm or posting here

 

[Th3XeonPlat]

it didn't make a difference i tried to attack with ldap amp and the server got rekt xD

 

[fourwind]

it didn't make a difference i tried to attack with ldap amp and the server got rekt xD

You cant filter more then the network link allows, that why the "99,9%" is kinda fishy..
Most Server have like 1G or mybe 10G and most AMP attacks are way bigger.

It filters 99,9% attacks as long as its <1G lol.

 

[Th3XeonPlat]

You cant filter more then the network link allows, that why the "99,9%" is kinda fishy..
Most Server have like 1G or mybe 10G and most AMP attacks are way bigger.

It filters 99,9% attacks as long as its <1G lol.

the attack already arrives filtered but not at 100% it arrives 300mbps and with my iptable rules i make it 22mbps but i need to make it 0

 

[NatureNMoon]

the attack already arrives filtered but not at 100% it arrives 300mbps and with my iptable rules i make it 22mbps but i need to make it 0

You can prevent this by using your server, there should be a firewall in front of your server, that's why u can filter it and make it 0

From 300mbps to 22mbps is a great rate for preventing.

 

[Sam_Groot]

Hello everyone;

Many people hate taking UDP spoofing attacks. It makes almost everyone angry. However, it is not a big deal

Today, I will help you about preventing UDP spoofing attacks.

You can prevent UDP spoofing attacks by using IPTABLES and IPSET (If you do not have them, you can download by using the command lines below);

CentOS:

yum install iptables
yum install ipset

Ubuntu/Debian:

apt-get install iptables
apt-get install ipset

Here is the script "r4p3.sh"

#!/bin/bash
# R4P3 UDP SPOOFING ATTACKS PREVENTION by Nature N Moon - R4P3.NET
# If you need help, do not hesitate to keep in touch with me

ipset create r4p3_udp_spoofing hash:ip hashsize 16777216 maxelem 40000000 timeout 120
iptables -N R4P3 -t raw
iptables -A PREROUTING -p udp -m set ! --match-set r4p3_udp_spoofing src -t raw -j R4P3
iptables -A R4P3 -t raw -j SET --add-set r4p3_udp_spoofing src
iptables -A R4P3 -t raw -j DROP

Please give full permission "chmod +x r4p3.sh" and start the script by using "./r4p3.sh" . After that, you can save and restart your iptables service.

Let me explain how these 5 codes can prevent UDP Spoofing attacks;

First of all, "UDP SPOOFING ATTACKS" are always changeable. That's why, if someone attacks you by using spoofing attacks, they will not use the same ip address again and again. That's why, these iptables rules may help you to prevent UDP spoofing attacks.

UDP protocol do not work like TCP protocol. That's why, if you want to prevent TCP attacks, SYNPROXY may help you. (I suggest you to use it)

WARNING: THE POWER OF THIS SCRIPT DEPENDS ON YOUR RAM, CPU, NIC, INTERNET SPEED, BUT THE RAW CHAIN OF THE IPTABLES HAS THE HIGHEST PACKET RATE WHICH IS 1.000.000 PACKET PER SECOND.

​

Thanks for the rules. They are working good.
Can u maybe can give more information about the rules and variables u using? Like what hassize and maxelem does.
Thx.

 

[rajaram]

Thanks for the rules. They are working good.

these are crap rules, for low-level attacks.
use ddos protected provider who knows what he is doing, and you'll be more than fine.

It filters 99,9% attacks as long as its <1G lol.

if you keep getting 0.01% attack thats 100% downtime, thats why this script is for protection against kids