version=pmwiki-2.2.130 ordered=1 author=jrmu charset=UTF-8 ctime=1608286117 name=Openbsd.UDPFlood rev=6 targets=Openbsd.Tcpdump,Openbsd.Buyvm,Openbsd.Pf,Openbsd.Ddos time=1608287989 title=UDP Flood

(:title UDP Flood:)

!! UDP Flood

An attacker can flood a server with UDP packets aimed at random ports. For each packet the server has to look up the destination port, discover that no application is listening there, and then waste time sending an ICMP Destination Unreachable reply.

!! Sample Pcap

Follow the [[openbsd/tcpdump|tcpdump]] guide to record a pcap during an attack so that you can analyze it.

[@
13:02:41.051373 192.168.0.1.1935 > 198.251.81.119.17710: udp 341 (DF) [tos 0x28] (ttl 48, id 0, len 369)
E(.q..@.0..Q......Qw..E..]..HTTP/1.1 200 OK
CACHE-CONTROL:
@]

In the above, we see the source IP (192.168.0.1) sending a UDP packet to 198.251.81.119 port 17710 (our server). It is a UDP packet with the DF (don't fragment) flag set.

The content of the packet shows that it is an HTTP reply.

Here's another similar packet:

[@
13:02:41.081976 172.16.0.1.57760 > 198.251.81.119.38699: udp 389 (DF) [tos 0x48] (ttl 50, id 0, len 417)
EH....@.2.'N.-....Qw...+..
.HTTP/1.1 200 OK
CACHE-CONTROL:
@]

This time, the source IP (172.16.0.1) is sending a UDP packet to 198.251.81.119 port 38699 (our server). Notice that each packet is sent to a different, random port.

!! How to Block

First, make sure that you have no exposed public IPs that are not DDoS filtered. If you are on [[openbsd/buyvm|BuyVM]], check the [[https://manage.buyvm.net|web panel]] to see whether any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.

Using the [[openbsd/pf|packet filter]] firewall, you will want to block all unwanted UDP packets. The easiest way to do this is to first whitelist the packets you want (a rule that passes the UDP services you actually run), then blacklist all remaining UDP (a rule that drops every other UDP packet). Both rules use quick, so the first rule that matches is final and their order matters:

[@
# the server's public address
ext_ip="192.168.0.1"
# pass UDP to the services we run (DNS on port 53, NTP on port 123)
pass in quick proto udp to $ext_ip port {domain ntp}
# drop every other UDP packet aimed at our address, without an ICMP reply
block drop quick proto udp to $ext_ip
@]

This would whitelist DNS and NTP packets but drop all other UDP packets. Replies to queries the server itself sends out are still accepted, because pf matches them against its state table before it evaluates these rules (pass rules keep state by default).

!! See Also

[[openbsd/Ddos|DDoS Defense]]
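As an added example (not part of the wiki page and not the author's tooling), here is a small Python script that parses tcpdump summary lines in the format shown in the captures above, tallies UDP traffic per source address, and reports which packets the pf ruleset on the page would drop. The sample lines are constructed to mirror the page's capture, with one legitimate DNS query added for contrast; the server address, the whitelisted ports (53 and 123, from `port {domain ntp}`) and the "every packet hit an unlisted port" heuristic are assumptions.

```python
import re
from collections import defaultdict

# Matches the UDP summary line printed by OpenBSD tcpdump, as quoted on the page:
# 13:02:41.051373 192.168.0.1.1935 > 198.251.81.119.17710: udp 341 (DF) [tos 0x28] (ttl 48, ...)
# "[udp sum ok]" is optional because tcpdump -v prints it before "udp".
UDP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"(?:\[udp sum ok\]\s+)?udp\s+(?P<length>\d+)\b"
)

# UDP ports the page's pf ruleset passes: "port {domain ntp}" -> 53 and 123 (assumed).
ALLOWED_PORTS = {53, 123}


def parse_udp_line(line):
    """Return a dict for a UDP summary line, or None for payload/other lines."""
    m = UDP_LINE.match(line)
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "length": int(m["length"]),
    }


def summarize(lines, ext_ip, allowed_ports=ALLOWED_PORTS):
    """Per-source statistics for UDP packets addressed to ext_ip.

    would_drop counts the packets the page's final rule
    ("block drop quick proto udp to $ext_ip") would discard, i.e. those not
    aimed at a whitelisted port. Replies to the server's own outbound queries
    are matched by pf's state table before the rules and are not modelled here.
    """
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "dports": set(), "would_drop": 0})
    for line in lines:
        pkt = parse_udp_line(line)
        if pkt is None or pkt["dst"] != ext_ip:
            continue  # payload dumps, non-UDP lines, traffic for other hosts
        s = stats[pkt["src"]]
        s["packets"] += 1
        s["bytes"] += pkt["length"]
        s["dports"].add(pkt["dport"])
        if pkt["dport"] not in allowed_ports:
            s["would_drop"] += 1
    return dict(stats)


def flood_candidates(stats):
    """Sources whose every packet hit a non-whitelisted port: the pattern from
    the page, where each probe lands on a random port nothing listens on."""
    return sorted(src for src, s in stats.items() if s["would_drop"] == s["packets"])


def unlisted_ports(stats):
    """Distinct non-whitelisted destination ports seen in the capture."""
    ports = set()
    for s in stats.values():
        ports |= {p for p in s["dports"] if p not in ALLOWED_PORTS}
    return ports


# Constructed sample modelled on the page's tcpdump output (RFC 1918 sources as
# on the page), plus one constructed legitimate DNS query for contrast.
SAMPLE = """\
13:02:41.051373 192.168.0.1.1935 > 198.251.81.119.17710: udp 341 (DF) [tos 0x28] (ttl 48, id 0, len 369)
E(.q..@.0..Q......Qw..E..]..HTTP/1.1 200 OK
CACHE-CONTROL:
13:02:41.081976 172.16.0.1.57760 > 198.251.81.119.38699: udp 389 (DF) [tos 0x48] (ttl 50, id 0, len 417)
EH....@.2.'N.-....Qw...+..
.HTTP/1.1 200 OK
13:02:41.159200 192.168.0.1.1935 > 198.251.81.119.17710: udp 306 (DF) [tos 0x28] (ttl 48, id 0, len 334)
13:02:41.200112 10.0.0.53.40931 > 198.251.81.119.53: [udp sum ok] udp 41 (ttl 60, id 4012, len 69)
""".splitlines()

EXT_IP = "198.251.81.119"  # the server address from the page's capture

if __name__ == "__main__":
    stats = summarize(SAMPLE, EXT_IP)
    for src in sorted(stats):
        s = stats[src]
        print(f"{src:15} packets={s['packets']} bytes={s['bytes']} "
              f"dports={sorted(s['dports'])} would_drop={s['would_drop']}")
    print("flood candidates:", flood_candidates(stats))
    print("unlisted ports hit:", sorted(unlisted_ports(stats)))
```

Feed it the text output of the tcpdump command from the tcpdump guide (not the binary pcap) and it separates the sources whose packets all land on unused ports from the ones that reach a whitelisted service; the would_drop column is a quick way to confirm that the pass/block pair on the page would have absorbed the traffic in a capture before you reload pf.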