So I'm currently fighting off a targeted DDoS attack that has been on and off for the last month! We run a gaming server. Unfortunately, the gaming software we utilize limits us to only using the server IP address for inbound traffic, and therefore we can't use any edge solutions to distribute inbound traffic.
Initially, the DDoS attacks all came from a specific number of ports, likely compromised IoT devices. However, we successfully blocked those and stopped the attacks for a few days. Now they are back using what we believe to be UDP reflection attacks, with 46+ million unique IP addresses targeting all ports.
We have a powerful firewall (on AWS), which can handle the traffic. However, about 80% of the bad traffic still passes through to our backend server, as we can't catch it. (Although we had good success with one rule from this forum, mentioned below, that reduced it to about 20% getting through.)
What's making this difficult is the LOW volume of packets/bytes. I have some questions, and I'll also provide some specifics of the issue if anyone can assist!
- Type of DDoS: 46+ million IPs
- Packets per IP: 1-200
- Total bytes per IP: 93-1000
- Attacker port: all ports used, 0-65000?
We had some good (40-70% drop rate) but not enough success when adding the below rule from this site:
drop udp any any -> $HOME_NET any (msg:"UDP retransmission verification"; flow:not_established,to_server; flowbits:isnotset,udp_verify; flowbits:set,udp_verify; sid:1;)
My questions are as follows:
Based on the above-mentioned information, what would you recommend?
Could we create a rule that holds traffic and only permits traffic to flow if we receive more than X UDP packets from one source IP in X seconds? And vice versa. This would probably need to be a one-time check so as not to interrupt legitimate players.
Since all our UDP traffic is specific to one computer game, is it worth trying to create a signature of a game packet (good packet) and permitting only these packets for UDP? Is there a tool for this? Could we feed it 100k example packets and have it come back with a signature for those packets?
Is it possible to allow traffic that follows a certain process (which a normal user would follow)?
- Step 1: TCP handshake
- Step 2: UDP traffic
If step 1 is not completed, it won't allow UDP traffic for this user?
- Is it possible to rate limit IPs to ports, for example, only 1 IP per source port?
I know I've asked a lot! Also, I'm happy if someone is interested in working on this project with me, so feel free to reach out.
Really appreciate your support!
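To make the two admission controls discussed above concrete, here is an added Python model (not the poster's code and not Suricata itself) that replays constructed traffic through the decision logic of the posted flowbits rule and through a hypothetical per-source-host "TCP handshake first, then UDP" gate. The IP addresses, ports, timestamps and the 120-second expiry are assumptions chosen for the example; the labels `player`, `reflection` and `stale_player` are constructed for illustration only.

```python
"""Model of two UDP admission checks for a game server (added example, constructed data).

FlowbitsModel reproduces the decision logic of the posted rule: the first UDP packet
of a new flow is dropped and the flow is marked; a retransmission in the same flow
passes. HostGateModel is a hypothetical per-source-IP gate in which UDP is only
accepted for `expire` seconds after a completed TCP handshake from that IP.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    kind: str   # "handshake" (completed TCP handshake) or "udp"
    t: float    # arrival time in seconds (constructed)


class FlowbitsModel:
    """Per-flow state, keyed on the client side of the flow (server side is fixed)."""

    def __init__(self):
        self.marked = set()

    def decide(self, pkt):
        if pkt.kind != "udp":
            return "pass"            # the rule only matches UDP
        key = (pkt.src_ip, pkt.src_port)
        if key in self.marked:
            return "pass"            # flowbits:isnotset fails -> not dropped
        self.marked.add(key)         # flowbits:set,udp_verify
        return "drop"


class HostGateModel:
    """Per-source-host state (hypothetical): a TCP handshake opens UDP for that IP."""

    def __init__(self, expire=120.0):
        self.expire = expire
        self.open_until = {}

    def decide(self, pkt):
        if pkt.kind == "handshake":
            self.open_until[pkt.src_ip] = pkt.t + self.expire
            return "pass"
        if self.open_until.get(pkt.src_ip, -1.0) >= pkt.t:
            return "pass"
        return "drop"


# Constructed traffic: one real player, four reflected packets from three sources
# (one source repeats the same flow), and a player whose handshake has gone stale.
TRAFFIC = [
    ("player", Packet("198.51.100.7", 52000, "handshake", 0.0)),
    ("player", Packet("198.51.100.7", 52000, "udp", 1.0)),
    ("player", Packet("198.51.100.7", 52000, "udp", 1.2)),
    ("player", Packet("198.51.100.7", 52000, "udp", 1.4)),
    ("reflection", Packet("203.0.113.10", 53, "udp", 1.1)),
    ("reflection", Packet("203.0.113.11", 123, "udp", 1.1)),
    ("reflection", Packet("203.0.113.12", 1900, "udp", 1.1)),
    ("reflection", Packet("203.0.113.12", 1900, "udp", 1.3)),   # same flow again
    ("stale_player", Packet("192.0.2.9", 40000, "handshake", 0.0)),
    ("stale_player", Packet("192.0.2.9", 40000, "udp", 300.0)),  # after expiry
]


def run(model):
    """Replay TRAFFIC in time order; count verdicts for UDP packets per label."""
    counts = Counter()
    for label, pkt in sorted(TRAFFIC, key=lambda lp: lp[1].t):
        verdict = model.decide(pkt)
        if pkt.kind == "udp":
            counts[(label, verdict)] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, model in (("flowbits", FlowbitsModel()), ("host gate", HostGateModel())):
        print(name, run(model))
```

Replaying the same traffic through both models shows what each check buys and costs: the flowbits rule drops every single-packet reflection but also drops the legitimate player's first datagram (it relies on the game retransmitting), and a source that repeats the same 5-tuple gets its second packet through. The per-host gate passes all of the player's UDP and none of the reflections, at the price of dropping a player whose handshake is older than the expiry, so the expiry has to be tuned to how often the game re-establishes TCP. In Suricata the per-host equivalent of this model is the `xbits` keyword (per-host bits with `track ip_src` and an `expire` time) rather than `flowbits`, which only live for one flow.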