UDP Flood

emanuelebruno

May 1, 2012
Hi, I need your help.
Every day I receive many UDP flood attacks; in syslog I have found this information:

Jul 30 19:01:47 kernel: UDP: bad checksum. From 120.127.242.4:3952 to 5.196.244.246:80 ulen 8200
Jul 30 19:01:49 kernel: UDP: bad checksum. From 120.127.242.4:3952 to 5.196.244.246:80 ulen 8200
Jul 30 19:01:52 kernel: UDP: bad checksum. From 120.127.242.4:3952 to 5.196.244.246:80 ulen 8200
Jul 30 19:01:52 kernel: UDP: bad checksum. From 120.127.242.4:3969 to 5.196.244.246:80 ulen 8200
Jul 30 19:01:56 kernel: UDP: bad checksum. From 120.127.242.4:3969 to 5.196.244.246:80 ulen 8200
Jul 30 19:01:57 kernel: UDP: bad checksum. From 120.127.242.4:3969 to 5.196.244.246:80 ulen 8200
Jul 30 19:01:59 kernel: UDP: bad checksum. From 120.127.242.4:3969 to 5.196.244.246:80 ulen 8200
Jul 30 19:02:01 /USR/SBIN/CRON[239357]: (root) CMD (/usr/local/rtm/bin/rtm 55 > /dev/null 2> /dev/null)
Jul 30 19:02:07 kernel: UDP: bad checksum. From 120.127.242.4:3952 to 5.196.244.246:80 ulen 8200
Jul 30 19:02:12 kernel: UDP: bad checksum. From 120.127.242.4:3969 to 5.196.244.246:80 ulen 8200
Jul 30 19:02:13 kernel: UDP: bad checksum. From 120.127.242.4:3952 to 5.196.244.246:80 ulen 8200
Jul 30 19:02:13 kernel: UDP: bad checksum. From 120.127.242.4:3952 to 5.196.244.246:80 ulen 8200
Jul 30 19:02:16 kernel: UDP: bad checksum. From 182.167.225.126:55219 to 5.196.244.246:80 ulen 8200
Jul 30 19:02:16 kernel: UDP: bad checksum. From 182.167.225.126:55219 to 5.196.244.246:80 ulen 8200
Jul 30 19:02:16 kernel: UDP: bad checksum. From 120.127.242.4:3969 to 5.196.244.246:80 ulen 8200
Jul 30 19:02:17 kernel: UDP: bad checksum. From 182.167.225.126:55219 to 5.196.244.246:80 ulen 8200

Moreover, it seems that my network goes down... in syslog I have read this information:

Jul 30 19:28:45 kernel: e1000e: eth0 NIC Link is Down
Jul 30 19:28:46 kernel: vmbr0: port 1(eth0) entering disabled state
Jul 30 19:28:47 kernel: e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
Jul 30 19:28:48 kernel: vmbr0: port 1(eth0) entering forwarding state

can you help me?

I have thought of enabling the Proxmox firewall (I have Proxmox version 3.3) but I don't know what to do.

Thanks for your help
E.Bruno
 
Hi, I have read another post about "PROXMOX CRASHES AFTER UDP BAD CHECKSUM" ... the link is this: http://forum.proxmox.com/threads/19053-Proxmox-crashes-restarts-after-UDP-bad-checksum

Unfortunately, I have to admit that I have also encountered the same problem: about a month ago, shortly after a UDP attack, the network interface of the server went down and from that time the server was unreachable; it was necessary to shut down and restart the server.

2 days ago, after another UDP attack, a Virtual Machine (I have 3 KVM machines) became unreachable ...

For this reason I would like to know whether the Proxmox kernel has some vulnerability regarding these UDP attacks.
 
...
2 days ago, after another UDP attack, a Virtual Machine (I have 3 KVM machines) became unreachable ...

You can't stop them coming in but you can drop all packets from these hosts.

Or can you use fail2ban?

http://blog.colundrum.com/post/59096659512/fail2ban-contre-udp-bad-checksum

Create the first config and change:

failregex = UDP: bad checksum. From (?:::f{4,6}:)?(?P<host>[\w-.^_]+)

to

failregex = UDP: bad checksum. From (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
--------------------------------------------------------------^ <- missing \

create /etc/fail2ban/jail.local and insert this:

[udp-badchecksum]
enabled = true
filter = udp-badchecksum
action = iptables-allports
logpath = /var/log/kern.log
protocol = udp
bantime = 259200
maxretry = 1

Check it:
fail2ban-regex /var/log/kern.log /etc/fail2ban/filter.d/udp-badchecksum.conf

You should get some matches like this:

Failregex
|- Regular expressions:
| [1] UDP: bad checksum. From (?:::f{4,6.....host>[\w\-.^_]+)
|
`- Number of matches:
[1] 6 match(es)

Restart /etc/init.d/fail2ban

It blocks UDP from any machine which sends bad packets for 3 days.

Edit: Sorry for the rubbish, hope no character was lost, what an editor! Unbelievable crap!
 
Hi ProxTest,
and thank you for your reply. It works like a charm!! :D

I have taken a look at /var/log/kern.log more deeply, and I discovered another UDP attack:

Jul 31 03:35:35 kernel: UDP: short packet: From 41.130.15.71:60069 2071/23 to 5.196.244.246:9987
Jul 31 03:39:07 kernel: UDP: short packet: From 41.130.15.71:60069 2071/23 to 5.196.244.246:9987
Jul 31 03:40:09 kernel: UDP: short packet: From 41.130.15.71:60069 2147/99 to 5.196.244.246:9987
Jul 31 03:40:14 kernel: UDP: short packet: From 41.130.15.71:60069 2148/100 to 5.196.244.246:9987
Jul 31 03:40:29 kernel: UDP: short packet: From 41.130.15.71:60069 2147/99 to 5.196.244.246:9987
Jul 31 03:40:38 kernel: UDP: short packet: From 41.130.15.71:60069 2143/95 to 5.196.244.246:9987
Jul 31 03:41:16 kernel: UDP: short packet: From 41.130.15.71:60069 2069/21 to 5.196.244.246:9987
Jul 31 03:42:16 kernel: UDP: short packet: From 41.130.15.71:60069 2069/21 to 5.196.244.246:9987
Jul 31 03:42:31 kernel: UDP: short packet: From 41.130.15.71:60069 2071/23 to 5.196.244.246:9987
Jul 31 03:43:00 kernel: UDP: short packet: From 41.130.15.71:60069 2136/88 to 5.196.244.246:9987
Jul 31 03:43:08 kernel: UDP: short packet: From 41.130.15.71:60069 2152/104 to 5.196.244.246:9987
Jul 31 03:44:54 kernel: UDP: short packet: From 41.130.15.71:60069 2140/92 to 5.196.244.246:9987
Jul 31 03:45:00 kernel: UDP: short packet: From 41.130.15.71:60069 2142/94 to 5.196.244.246:9987
Jul 31 03:46:12 kernel: UDP: short packet: From 41.130.15.71:60069 2071/23 to 5.196.244.246:9987
Jul 31 03:46:50 kernel: UDP: short packet: From 41.130.15.71:60069 2069/21 to 5.196.244.246:9987
Jul 31 03:49:14 kernel: UDP: short packet: From 41.130.15.71:60069 2071/23 to 5.196.244.246:9987

This time it is "UDP: short packet", so I'd like to know if you can help me with this attack too...
Thank you for your reply.

E.Bruno.
 
...
I have taken a look at /var/log/kern.log more deeply, and I discovered another UDP attack:

Jul 31 03:49:14 kernel: UDP: short packet: From 41.130.15.71:60069 2071/23 to 5.196.244.246:9987

This time it is "UDP: short packet", so I'd like to know if you can help me with this attack too...
...

Ok, I'll try to explain.

Edit jail.local and add this:

[udp-short]
enabled = true
filter = udp-short
port = 9987
action = iptables-allports
logpath = /var/log/kern.log
protocol = udp
bantime = 259200
maxretry = 1

It will take action if the destination port is 9987 AND there is 1 retry or more!

Copy your filter .conf to a new one and change the regex:

cp /etc/fail2ban/filter.d/udp-badchecksum.conf /etc/fail2ban/filter.d/udp-short.conf

and change
failregex = UDP: bad checksum. From (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
to
failregex = UDP: short packet: From (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)

Test it:
fail2ban-regex /var/log/kern.log /etc/fail2ban/filter.d/udp-short.conf

If it hits, restart fail2ban:

/etc/init.d/fail2ban restart

Keep in mind you only want to block traffic if there is a service behind it! Don't block if there is nothing there, because you can get a very long iptables chain (DDoS attack) and this sucks too, especially if you have more VMs running. There is no cluster solution yet. :-(

Keep an eye:

iptables -L -n -v

Hope it works!

Edit: Use the old regex and change exactly only the 'UDP: bad checksum.' to 'UDP: short packet:'.
This crappy editor modifies the regex into smileys again. :-(
 
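As an added example (not from this thread and not part of fail2ban itself), the two failregex patterns and the jail.local settings from ProxTest's replies applied in Python to a handful of the kern.log lines quoted in the thread, the way fail2ban-regex counts them per source host. The scan() and bans() helpers are mine, and the sample log is constructed from lines on this page plus two unrelated lines that must not match.

```python
import re
from collections import Counter

# The two failregex patterns exactly as posted in the thread (Python re syntax,
# which is what fail2ban uses).  Both capture only the source host; nothing in
# the pattern looks at the destination port.  The '.' after "checksum" is
# unescaped in the original and therefore matches any character, which still
# matches the literal '.' in the log line.
FILTERS = {
    "udp-badchecksum": re.compile(
        r"UDP: bad checksum. From (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"),
    "udp-short": re.compile(
        r"UDP: short packet: From (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"),
}

# Jail settings from the thread's jail.local (bantime is in seconds: 3 days).
JAILS = {
    "udp-badchecksum": {"maxretry": 1, "bantime": 259200},
    "udp-short": {"maxretry": 1, "bantime": 259200},
}

# Constructed sample: four lines copied from the thread's kern.log excerpts plus a
# CRON line and a link-state line that the filters must ignore.
SAMPLE_LOG = """\
Jul 30 19:01:47 kernel: UDP: bad checksum. From 120.127.242.4:3952 to 5.196.244.246:80 ulen 8200
Jul 30 19:02:01 /USR/SBIN/CRON[239357]: (root) CMD (/usr/local/rtm/bin/rtm 55 > /dev/null 2> /dev/null)
Jul 30 19:02:16 kernel: UDP: bad checksum. From 182.167.225.126:55219 to 5.196.244.246:80 ulen 8200
Jul 30 19:28:45 kernel: e1000e: eth0 NIC Link is Down
Jul 31 03:35:35 kernel: UDP: short packet: From 41.130.15.71:60069 2071/23 to 5.196.244.246:9987
Jul 31 03:39:07 kernel: UDP: short packet: From 41.130.15.71:60069 2071/23 to 5.196.244.246:9987
"""

def scan(log_text):
    """Run every filter over every line like fail2ban-regex; return {jail: Counter(host)}."""
    hits = {name: Counter() for name in FILTERS}
    for line in log_text.splitlines():
        for name, rx in FILTERS.items():
            m = rx.search(line)
            if m:
                hits[name][m.group("host")] += 1
    return hits

def bans(hits):
    """Hosts that reached maxretry in each jail, mapped to the bantime that would apply."""
    out = {}
    for name, counter in hits.items():
        cfg = JAILS[name]
        out[name] = {h: cfg["bantime"] for h, n in counter.items() if n >= cfg["maxretry"]}
    return out

if __name__ == "__main__":
    for jail, banned in bans(scan(SAMPLE_LOG)).items():
        print(jail, banned)
```

With maxretry = 1 a single matching line is enough to ban a host, which is why the thread's author warns about the iptables chain growing quickly during a flood.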