UDP Flood

emanuelebruno

Renowned Member
May 1, 2012
143
6
83
Catania
emanuelebruno.it
Hi, I need your help.
every day I receive many udp flood Attacks; in syslog I have found these informations:

UDP: bad checksum. From 120.127.242.4:3952 to 5.196.244.246:80 ulen 8200
Jul 30 19:01:47 kernel: UDP: bad checksum. From 120.127.242.4:3952 to 5.196.244.246:80 ulen 8200
Jul 30 19:01:49 kernel: UDP: bad checksum. From 120.127.242.4:3952 to 5.196.244.246:80 ulen 8200
Jul 30 19:01:52 kernel: UDP: bad checksum. From 120.127.242.4:3952 to 5.196.244.246:80 ulen 8200
Jul 30 19:01:52 kernel: UDP: bad checksum. From 120.127.242.4:3969 to 5.196.244.246:80 ulen 8200
Jul 30 19:01:56 kernel: UDP: bad checksum. From 120.127.242.4:3969 to 5.196.244.246:80 ulen 8200
Jul 30 19:01:57 kernel: UDP: bad checksum. From 120.127.242.4:3969 to 5.196.244.246:80 ulen 8200
Jul 30 19:01:59 kernel: UDP: bad checksum. From 120.127.242.4:3969 to 5.196.244.246:80 ulen 8200
Jul 30 19:02:01 /USR/SBIN/CRON[239357]: (root) CMD (/usr/local/rtm/bin/rtm 55 > /dev/null 2> /dev/null)
Jul 30 19:02:07 kernel: UDP: bad checksum. From 120.127.242.4:3952 to 5.196.244.246:80 ulen 8200
Jul 30 19:02:12 kernel: UDP: bad checksum. From 120.127.242.4:3969 to 5.196.244.246:80 ulen 8200
Jul 30 19:02:13 kernel: UDP: bad checksum. From 120.127.242.4:3952 to 5.196.244.246:80 ulen 8200
Jul 30 19:02:13 kernel: UDP: bad checksum. From 120.127.242.4:3952 to 5.196.244.246:80 ulen 8200
Jul 30 19:02:16 kernel: UDP: bad checksum. From 182.167.225.126:55219 to 5.196.244.246:80 ulen 8200
Jul 30 19:02:16 kernel: UDP: bad checksum. From 182.167.225.126:55219 to 5.196.244.246:80 ulen 8200
Jul 30 19:02:16 kernel: UDP: bad checksum. From 120.127.242.4:3969 to 5.196.244.246:80 ulen 8200
Jul 30 19:02:17 kernel: UDP: bad checksum. From 182.167.225.126:55219 to 5.196.244.246:80 ulen 8200

moreover, it seems that my network goes down... in syslog I have read these informations:

Jul 30 19:28:45 kernel: e1000e: eth0 NIC Link is Down
Jul 30 19:28:46 kernel: vmbr0: port 1(eth0) entering disabled state
Jul 30 19:28:47 kernel: e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
Jul 30 19:28:48 kernel: vmbr0: port 1(eth0) entering forwarding state

can you help me?

I have thought to enable proxmox firewall (I have the 3.3 Proxmox version) but I don't know what to do

Thanks for your help
E.Bruno
 
Hi, I have read another post about "PROXMOX CRASHES AFTER UDP BAD CHECKSUM" ... the link is this: http://forum.proxmox.com/threads/19053-Proxmox-crashes-restarts-after-UDP-bad-checksum

unfortunately , I have to admit that I also have encountered the same problem : about a month ago , shortly after an attack udp , the network interface of the server went down and by that time the server was unreachable ; it was necessary to shutdown and a restart of the server .

2 days ago, after an other udp attack, a Virtual Machine (I have 3 kvm machines) became unreachable ...

for this reason I would like to know whether the kernel Proxmox has some vulnerability about these UDP Attacks.
 
<br>
...<br>
2 days ago, after an other udp attack, a Virtual Machine (I have 3 kvm machines) became unreachable ...<br>
<br>
<br>
U can't stop them coming in but u can drop all packets from these hosts.<br>
<br>
Or can u use fail2ban?<br>
<br>
http://blog.colundrum.com/post/59096659512/fail2ban-contre-udp-bad-checksum
<br>
Create the first config and change:<br>

failregex = UDP: bad checksum. From (?:::f{4,6}:)?(?P&lt;host&gt;[\w-.^_]+)

to

failregex = UDP: bad checksum. From (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
---------------------------------------------------------------------------^ &lt;- missing \

create /etc/fail2ban/jail.local and insert this:

[udp-badchecksum]enabled = true
filter = udp-badchecksum
action = iptables-allports
logpath = /var/log/kern.log
protocol = udp
bantime = 259200
maxretry = 1

<br>
check it:<br>
fail2ban-regex /var/log/kern.log /etc/fail2ban/filter.d/udp-badchecksum.conf
<br>
u should get some matches like this:<br>
<br>
Failregex
|- Regular expressions:
| [1] UDP: bad checksum. From (?:::f{4,6.....host&gt;[\w\-.^_]+)
|
`- Number of matches:
[1] 6 match(es)

<br>
restart /etc/init.d/fail2ban<br>
<br>
<br>
It blocks udp from any machine who send bad packets for 3 days.<br>
<br>

Edit: Sorry for the rubbish, hope no character lost, what an editor! Unbelivable Crap!
 
Last edited:
Hi ProxTest,
and thank you for your reply. It works like a charm!! :D

I have taken a look to /var/log/kern.log more deeply,and I discovered another udp attack:

Jul 31 03:35:35 kernel: UDP: short packet: From 41.130.15.71:60069 2071/23 to 5.196.244.246:9987
Jul 31 03:39:07 kernel: UDP: short packet: From 41.130.15.71:60069 2071/23 to 5.196.244.246:9987
Jul 31 03:40:09 kernel: UDP: short packet: From 41.130.15.71:60069 2147/99 to 5.196.244.246:9987
Jul 31 03:40:14 kernel: UDP: short packet: From 41.130.15.71:60069 2148/100 to 5.196.244.246:9987
Jul 31 03:40:29 kernel: UDP: short packet: From 41.130.15.71:60069 2147/99 to 5.196.244.246:9987
Jul 31 03:40:38 kernel: UDP: short packet: From 41.130.15.71:60069 2143/95 to 5.196.244.246:9987
Jul 31 03:41:16 kernel: UDP: short packet: From 41.130.15.71:60069 2069/21 to 5.196.244.246:9987
Jul 31 03:42:16 kernel: UDP: short packet: From 41.130.15.71:60069 2069/21 to 5.196.244.246:9987
Jul 31 03:42:31 kernel: UDP: short packet: From 41.130.15.71:60069 2071/23 to 5.196.244.246:9987
Jul 31 03:43:00 kernel: UDP: short packet: From 41.130.15.71:60069 2136/88 to 5.196.244.246:9987
Jul 31 03:43:08 kernel: UDP: short packet: From 41.130.15.71:60069 2152/104 to 5.196.244.246:9987
Jul 31 03:44:54 kernel: UDP: short packet: From 41.130.15.71:60069 2140/92 to 5.196.244.246:9987
Jul 31 03:45:00 kernel: UDP: short packet: From 41.130.15.71:60069 2142/94 to 5.196.244.246:9987
Jul 31 03:46:12 kernel: UDP: short packet: From 41.130.15.71:60069 2071/23 to 5.196.244.246:9987
Jul 31 03:46:50 kernel: UDP: short packet: From 41.130.15.71:60069 2069/21 to 5.196.244.246:9987
Jul 31 03:49:14 kernel: UDP: short packet: From 41.130.15.71:60069 2071/23 to 5.196.244.246:9987

This time it is "UDP: short packet" , so I'd like to know if you can help me with this attack too...
Thank you for your reply.

E.Bruno.
 
Last edited:
...
I have taken a look to /var/log/kern.log more deeply,and I discovered another udp attack:

Jul 31 03:49:14 kernel: UDP: short packet: From 41.130.15.71:60069 2071/23 to 5.196.244.246:9987

This time it is "UDP: short packet" , so I'd like to know if you can help me with this attack too...
...

Ok i try to explain.

edit jail.local and add this:

[udp-short]
enabled = true
filter = udp-short
port = 9987
action = iptables-allports
logpath = /var/log/kern.log
protocol = udp
bantime = 259200
maxretry = 1

it will take action if the destination port is 9987 AND retry 1 times or more!

copy your filter .conf to a new one and change the regex:

cp /etc/fail2ban/filter.d/udp-badchecksum.conf /etc/fail2ban/filter.d/udp-short.conf

and change
failregex = UDP: bad checksum. From (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
to
failregex = UDP: short packet: From (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)

test it:
fail2ban-regex /var/log/kern.log /etc/fail2ban/filter.d/udp-short.conf

if it hits restart fail2ban

/etc/init.d/fail2ban restart

Keep in mind u only want to block trafic if there is a service behind! don't block if there is nothing cause u can get a verry long iptable (ddos attack) and this sucks also, especally if u have more vm's running. There is no cluster solution until yet. :-(

Keep an eye:

iptables -L -n -v

Hope it works!

Edit: Use the old regex and change exactly only the 'UDP: bad checksum.' to 'UDP: short packet:'
This crappy editor modifys the regex to smileys again. :-(
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!