version=pmwiki-2.2.130 ordered=1 urlencoded=1 agent=Mozilla/5.0 (X11; OpenBSD amd64; rv:82.0) Gecko/20100101 Firefox/82.0 author=jrmu charset=UTF-8 csum= ctime=1608201296 host=198.251.81.119 name=Openbsd.RSTFlood rev=1 targets=Openbsd.Tcpdump,Openbsd.Buyvm,Openbsd.Pf,Openbsd.Ddos text=(:title TCP Ack Flood:)%0a%0a!! TCP Ack Flood%0a%0a%0a!! Sample Pcap%0a%0aFollow the [[openbsd/tcpdump|tcpdump]] guide to record a pcap during an attack to analyze it.%0a%0a[@%0a@]%0a%0aIn the above, we see the source IP (192.168.0.1) is sending a UDP packet to 198.251.81.119 port 1900 (our server). The content shows that it is an SSDP packet.%0a%0aHere are some other packets:%0a%0a[@%0a@]%0a%0aThis packet is coming from a Linux UPnP device. It could be a printer, a phone, a router...%0a%0a!! How to Block%0a%0aFirst, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are [[openbsd/buyvm|BuyVM]], check the [[https://manage.buyvm.net|web panel]] to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.%0a%0aUsing the [[openbsd/pf|packet filter]] firewall, you will want to block UDP packets on port 1900. You could put these two rules at the beginning of /etc/pf.conf:%0a%0a[@%0aext_ip="192.168.0.1"%0ablock drop quick proto udp from any to $ext_ip port 1900%0a@]%0a%0aA better solution is to block all udp packets except for a few ports that you whitelist:%0a%0a[@%0aext_ip="192.168.0.1"%0apass in quick proto udp to $ext_ip port {domain ntp}%0ablock drop quick proto udp to $ext_ip port 1900%0a@]%0a%0aThis would whitelist DNS and NTP packets but drop all other UDP packets.%0a%0a!! See Also%0a%0a[[openbsd/Ddos|DDoS Defense]] time=1608201296 title=TCP Ack Flood author:1608201296=jrmu diff:1608201296:1608201296:=1,45d0%0a%3c (:title TCP Ack Flood:)%0a%3c %0a%3c !! TCP Ack Flood%0a%3c %0a%3c %0a%3c !! Sample Pcap%0a%3c %0a%3c Follow the [[openbsd/tcpdump|tcpdump]] guide to record a pcap during an attack to analyze it.%0a%3c %0a%3c [@%0a%3c @]%0a%3c %0a%3c In the above, we see the source IP (192.168.0.1) is sending a UDP packet to 198.251.81.119 port 1900 (our server). The content shows that it is an SSDP packet.%0a%3c %0a%3c Here are some other packets:%0a%3c %0a%3c [@%0a%3c @]%0a%3c %0a%3c This packet is coming from a Linux UPnP device. It could be a printer, a phone, a router...%0a%3c %0a%3c !! How to Block%0a%3c %0a%3c First, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are [[openbsd/buyvm|BuyVM]], check the [[https://manage.buyvm.net|web panel]] to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.%0a%3c %0a%3c Using the [[openbsd/pf|packet filter]] firewall, you will want to block UDP packets on port 1900. You could put these two rules at the beginning of /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c ext_ip="192.168.0.1"%0a%3c block drop quick proto udp from any to $ext_ip port 1900%0a%3c @]%0a%3c %0a%3c A better solution is to block all udp packets except for a few ports that you whitelist:%0a%3c %0a%3c [@%0a%3c ext_ip="192.168.0.1"%0a%3c pass in quick proto udp to $ext_ip port {domain ntp}%0a%3c block drop quick proto udp to $ext_ip port 1900%0a%3c @]%0a%3c %0a%3c This would whitelist DNS and NTP packets but drop all other UDP packets.%0a%3c %0a%3c !! See Also%0a%3c %0a%3c [[openbsd/Ddos|DDoS Defense]]%0a\ No newline at end of file%0a host:1608201296=198.251.81.119