We are currently receiving a 30 Mbps spoofed UDP flood against one of our applications that is causing high CPU usage. We have a dedicated firewall running a basic version of Linux with iptables.
Looking at the traffic logs, all of the spoofed UDP traffic has a header identification number of 31336. Is it possible to drop packets matching this number via iptables?
Here is a picture containing a wireshark capture showing the identification number:
The data inside the UDP packet is also between 90 and 800 bytes, which replicates legitimate traffic into our application. The ident number is the only way I can see of matching the bad traffic.
Answer
I would try to use iptables' u32 extension.
This was not tested by me personally, but the rule should look something like this:
# bytes 2-5 of the IPv4 header are Total Length + Identification; masking with 0xFFFF keeps the ID (31336 = 0x7a68); PREROUTING only exists in the raw/mangle/nat tables, so the table must be named
iptables -t raw -A PREROUTING -p udp -m u32 --u32 "2&0xFFFF=0x7a68" -j DROP
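To see why "2&0xFFFF=0x7a68" lands on the Identification field, here is an added example (not code from the question or the answer) that evaluates the u32 expression shape used above over constructed IPv4/UDP packets. The packet builder, the addresses and ports, and the `rule_drops` helper are assumptions made for the example; the u32 semantics it implements (offsets counted from the start of the IPv4 header, a 4-byte big-endian read, then mask and compare) are those of the iptables u32 match.

```python
import socket
import struct

# Constructed example: a tiny evaluator for one u32 test of the form
# "<offset>&<mask>=<value>", run over packets we build ourselves.
# Offsets count from the first byte of the IPv4 header, as in the kernel.

UDP_PROTO = 17


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(ident: int, payload: bytes, src: str = "198.51.100.7",
                   dst: str = "192.0.2.10", sport: int = 40000,
                   dport: int = 5000) -> bytes:
    """Constructed sample packet; addresses and ports are placeholders."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload  # UDP checksum 0 = absent
    total_len = 20 + udp_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, 64,
                      UDP_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def u32_match(packet: bytes, expr: str) -> bool:
    """Evaluate offset&mask=value: read 4 bytes at offset, AND with mask, compare."""
    lhs, value = expr.split("=")
    offset_s, mask_s = lhs.split("&")
    offset, mask, want = (int(x, 0) for x in (offset_s, mask_s, value))
    if offset + 4 > len(packet):
        return False  # u32 declines to match rather than read past the packet
    word = struct.unpack_from("!I", packet, offset)[0]
    return (word & mask) == want


def ip_id(packet: bytes) -> int:
    """Identification field read the conventional way (bytes 4-5), for comparison."""
    return struct.unpack_from("!H", packet, 4)[0]


def ip_id_rule(ident: int) -> str:
    """u32 expression that matches a given IP Identification value."""
    return "2&0xFFFF=0x%04x" % ident


def rule_drops(packet: bytes, expr: str) -> bool:
    """Hypothetical model of the full rule: '-p udp' plus the u32 test."""
    return len(packet) >= 20 and packet[9] == UDP_PROTO and u32_match(packet, expr)


if __name__ == "__main__":
    rule = ip_id_rule(31336)
    flood = build_ipv4_udp(31336, b"A" * 200)
    legit = build_ipv4_udp(4242, b"A" * 200)
    print(rule, rule_drops(flood, rule), rule_drops(legit, rule))
```

Reading 4 bytes at offset 2 pulls in Total Length (bytes 2-3) and Identification (bytes 4-5); the 0xFFFF mask discards the length, so packets of any size with ID 0x7a68 match, which is what the 90-800 byte spread in the question needs. Two caveats a practitioner should keep in mind: the IP ID is a per-host counter, so a small fraction of legitimate IPv4 traffic will carry 31336 and be dropped too, and the attacker can change the value at any time, so watch the rule's counters (`iptables -t raw -L PREROUTING -v -n`) to confirm it is still catching the flood.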