[RndTbl] UDP bad checksum flood

[Scott Toderash]

I just found this in my spam folder.

The probes come in on many ports, so they are just looking for something
open I suppose.

I'll look into that INVALID tag, it's something I'm not familiar with (yet).



On Fri, Feb 28, 2020 at 3:29 PM Trevor Cordes <trevor at tecnopolis.ca> wrote:

> On 2020-02-27 Scott Toderash wrote:
> > [10192947.300008] UDP: bad checksum. From 1.2.3.4:10398 to
> > 3.4.5.6:5060 ulen 237
> >
> > I started getting some of this yesterday on one host.
> >
> > I think that there is a way to use regex and fail2ban to block flood
> > attacks like this. Does anyone have the recipe?
> >
> > It comes in on various ports. This example is port 5060 but the host
> > does not have anything listening there.
>
> I think just simple iptables -j DROP for those would be more efficient
> than fail2ban.  The only thing fail2ban would buy you is if the hitters
> are also hitting valid ports with valid packets and you want to
> preemptively block them.  I wouldn't think it was worth it.
>
> iptables -A earlychain -p all -m conntrack --ctstate INVALID -j DROP
> iptables -A earlychain -p all -m state --state INVALID -j DROP
>
> Not sure if those catch invalid checksum... but they should?  If the
> traffic is confined to certain ports, just -p udp --dport xxxx -j DROP
> them.
>
> In any event, besides the kernel log (which is probably settable), even
> letting the kernel drop them post-iptables isn't really taking up many
> resources.
>
> You should capture some of the packets to see what the content is!
> Might be interesting.
>
> And 5060 is sip... you sure you aren't running some voip that is
> getting handled in a wonky way?  Is the source IP somewhere in CN or
> from legit IPs you might have business with?
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://muug.ca/pipermail/roundtable/attachments/20200303/72a1aebf/attachment.htm>