[RndTbl] UDP bad checksum flood

Trevor Cordes trevor at tecnopolis.ca
Fri Feb 28 15:29:06 CST 2020


On 2020-02-27 Scott Toderash wrote:
> [10192947.300008] UDP: bad checksum. From 1.2.3.4:10398 to
> 3.4.5.6:5060 ulen 237
> 
> I started getting some of this yesterday on one host.
> 
> I think that there is a way to use regex and fail2ban to block flood 
> attacks like this. Does anyone have the recipe?
> 
> It comes in on various ports. This example is port 5060 but the host 
> does not have anything listening there.

I think just simple iptables -j DROP for those would be more efficient
than fail2ban.  The only thing fail2ban would buy you is if the hitters
are also hitting valid ports with valid packets and you want to
preemptively block them.  I wouldn't think it was worth it.

iptables -A earlychain -p all -m conntrack --ctstate INVALID -j DROP
iptables -A earlychain -p all -m state --state INVALID -j DROP

Not sure if those catch invalid checksum... but they should?  If the
traffic is confined to certain ports, just -p udp --dport xxxx -j DROP
them.

In any event, besides the kernel log (which is probably settable), even
letting the kernel drop them post-iptables isn't really taking up many
resources.

You should capture some of the packets to see what the content is!
Might be interesting.

And 5060 is SIP... you sure you aren't running some VoIP that is
getting handled in a wonky way?  Is the source IP somewhere in CN or
from legit IPs you might have business with?
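A detection-side companion to the thread, added here as an example and not code from either poster: it parses kernel "UDP: bad checksum" lines like the one quoted above (sample lines are constructed), counts hits per source the way a fail2ban maxretry would, and renders the per-source iptables DROP lines Trevor suggests as strings (the chain name earlychain is assumed from the post; nothing is executed).

```python
import re
from collections import Counter

# Matches the kernel's "UDP: bad checksum" line as quoted in the thread.
# In a fail2ban filter the src group would be written as <HOST>.
BAD_CSUM_RE = re.compile(
    r"UDP: bad checksum\. From (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) ulen (?P<ulen>\d+)"
)

# Constructed sample kernel log lines modelled on the one in the thread (not real traffic).
SAMPLE_LOG = """\
[10192947.300008] UDP: bad checksum. From 1.2.3.4:10398 to 3.4.5.6:5060 ulen 237
[10192947.300512] UDP: bad checksum. From 1.2.3.4:10399 to 3.4.5.6:5060 ulen 237
[10192947.301004] UDP: bad checksum. From 1.2.3.4:10400 to 3.4.5.6:161 ulen 64
[10192947.302218] UDP: bad checksum. From 5.6.7.8:5060 to 3.4.5.6:5060 ulen 512
[10192948.000001] NET: Registered protocol family 10
"""


def parse_bad_checksums(log_text):
    """Yield (src_ip, dst_port) for every bad-checksum line; skip other kernel noise."""
    for line in log_text.splitlines():
        m = BAD_CSUM_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("dport"))


def offenders(log_text, maxretry=3):
    """Return {src_ip: hit_count} for sources at or over maxretry (fail2ban-style threshold)."""
    counts = Counter(src for src, _ in parse_bad_checksums(log_text))
    return {ip: n for ip, n in counts.items() if n >= maxretry}


def drop_rules(log_text, chain="earlychain", maxretry=3):
    """Render one iptables DROP line per offending source, as a string only (never executed here).
    The chain name is an assumption taken from the post."""
    return [f"iptables -A {chain} -p udp -s {ip} -j DROP"
            for ip in sorted(offenders(log_text, maxretry))]


if __name__ == "__main__":
    for rule in drop_rules(SAMPLE_LOG):
        print(rule)
```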


More information about the Roundtable mailing list