Tuesday, September 06, 2022

Re: Recommended options to block bruteforce requests on udp

On 06/09/2022 19:07, Stuart Henderson wrote:
> On 2022-09-06, Carlos López Martínez <clopmz@outlook.com> wrote:
>> I have a very important question with massive requests to udp ports.
>> Until now I had the following options configured:
>>
>> (max-src-conn 30, max-src-conn-rate 10/1, overload <bruteforce> flush
>> global)
>>
>> I have several services published through udp, most importantly
>> WireGuard, but I'm not sure about activating those options. For exmaple,
>> using the following options for tcp:
>>
>> (max-src-conn 10, max-src-conn-rate 15/5, overload <bruteforce> flush
>> global)
>>
>> several IPs goes to bruteforce table ... but for udp, nothing .... and t
>> it seems strange to me.
>>
>> Is my config ok or do you see some gotchas?
>
> Those options are for TCP which requires 2-way communications and
> is relatively hard to spoof unless you're on the network path.
>
> UDP is often trivial to spoof (there are still a fair number of
> end-user ISPs/colos that still don't do ingress filtering) so
> blocking based on potentially faked IP addresses (e.g. someone
> spoofing packets with source IPs that belong to google/some big
> cdn/root name servers/etc could cause a lot of disruption if
> they could trigger a block). So PF doesn't do this.
>
> It's explained a bit in pf.conf(5) as well.
>

Understood ... Many thanks Stuart for your explanation.
--
Best regards,
C. L. Martinez

No comments:

Post a Comment