Tuesday, September 06, 2022

Re: Recommended options to block bruteforce requests on udp

On 2022-09-06, Carlos López Martínez <clopmz@outlook.com> wrote:
> I have a very important question with massive requests to udp ports.
> Until now I had the following options configured:
>
> (max-src-conn 30, max-src-conn-rate 10/1, overload <bruteforce> flush
> global)
>
> I have several services published through udp, most importantly
> WireGuard, but I'm not sure about activating those options. For exmaple,
> using the following options for tcp:
>
> (max-src-conn 10, max-src-conn-rate 15/5, overload <bruteforce> flush
> global)
>
> several IPs goes to bruteforce table ... but for udp, nothing .... and t
> it seems strange to me.
>
> Is my config ok or do you see some gotchas?

Those options are for TCP which requires 2-way communications and
is relatively hard to spoof unless you're on the network path.

UDP is often trivial to spoof (there are still a fair number of
end-user ISPs/colos that still don't do ingress filtering) so
blocking based on potentially faked IP addresses (e.g. someone
spoofing packets with source IPs that belong to google/some big
cdn/root name servers/etc could cause a lot of disruption if
they could trigger a block). So PF doesn't do this.

It's explained a bit in pf.conf(5) as well.

--
Please keep replies on the mailing list.

No comments:

Post a Comment