user1372896 - 4 months ago

IPTables drop UDP packets with IP Header Identification

We are currently receiving a 30Mbps spoofed UDP flood against one of our applications that is causing high CPU usage. We have a dedicated firewall running a basic version of Linux with iptables.

Looking at the traffic logs, all of the spoofed UDP traffic has an IP header identification number of 31336. Is it possible to drop packets matching this number via iptables?

Here is a Wireshark capture showing the identification number:
[image: Wireshark capture showing the IP header Identification field]

The data inside the UDP packet is also between 90 and 800 bytes, which replicates legitimate traffic into our application. The ident number is the only way I can see of matching the bad traffic.


I would try to use iptables' u32 extension.

This was not tested by me personally, but the rule should look something like this:

# PREROUTING does not exist in the default filter table; use the raw table so the flood is dropped before conntrack sees it
iptables -t raw -A PREROUTING -p udp -m u32 --u32 "2&0xFFFF=0x7a68" -j DROP
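To check that the u32 expression really selects the Identification field before putting the rule on a live firewall, here is an added, offline model of what the match does (example code, not part of the question or the answer, and not the kernel's u32 implementation). It builds constructed IPv4/UDP packets with struct, evaluates the simple OFFSET&MASK=VALUE form of a u32 test exactly as the module reads the packet (a 32-bit big-endian word at a byte offset from the start of the IP header, ANDed with the mask), and generalises the answer's rule to any 16-bit ID value. The function names, the 198.51.100.7/192.0.2.10 addresses and the ports are assumptions chosen for the example.

```python
import socket
import struct


def ipv4_udp_packet(ip_id: int, payload: bytes,
                    src: str = "198.51.100.7", dst: str = "192.0.2.10",
                    sport: int = 40000, dport: int = 5000) -> bytes:
    """Build a minimal IPv4 + UDP packet as constructed test input.

    Checksums are left at zero: u32 never looks at them and this packet
    is only evaluated in memory, never sent. Addresses/ports are assumed values.
    """
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    total_len = 20 + len(udp)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20-byte header, no options)
        0,               # DSCP/ECN
        total_len,       # bytes 2-3: total length
        ip_id,           # bytes 4-5: identification, the field the rule matches
        0,               # bytes 6-7: flags + fragment offset
        64,              # TTL
        17,              # protocol = UDP
        0,               # header checksum (not computed in this model)
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    return ip + udp


def u32_match(expr: str, packet: bytes) -> bool:
    """Evaluate an iptables u32 test of the simple form OFFSET&MASK=VALUE.

    As the kernel module does: read the 4 bytes starting at byte OFFSET of
    the IP header as a big-endian 32-bit word, AND it with MASK and compare
    with VALUE. A read that would run past the end of the packet fails the
    match. Ranges, '>>', '@' and ',' chains are not modelled here.
    """
    lhs, value_str = expr.split("=")
    offset_str, mask_str = lhs.split("&")
    offset, mask, value = (int(s, 0) for s in (offset_str, mask_str, value_str))
    if offset + 4 > len(packet):
        return False
    word = struct.unpack("!I", packet[offset:offset + 4])[0]
    return (word & mask) == value


def u32_expr_for_ip_id(ip_id: int) -> str:
    """u32 expression matching one exact 16-bit IP Identification value.

    The word at byte offset 2 covers total length (bytes 2-3) and
    identification (bytes 4-5); masking with 0xFFFF keeps only the ID.
    """
    if not 0 <= ip_id <= 0xFFFF:
        raise ValueError("IP identification is a 16-bit field")
    return f"2&0xFFFF=0x{ip_id:04x}"


def drop_rule_for_ip_id(ip_id: int) -> str:
    """Render the iptables rule; the raw table drops the flood before
    connection tracking spends CPU on it."""
    return (f'iptables -t raw -A PREROUTING -p udp -m u32 '
            f'--u32 "{u32_expr_for_ip_id(ip_id)}" -j DROP')


if __name__ == "__main__":
    flood = ipv4_udp_packet(31336, b"X" * 90)   # constructed flood packet
    legit = ipv4_udp_packet(4242, b"X" * 90)    # constructed legitimate packet
    expr = u32_expr_for_ip_id(31336)
    print(expr, u32_match(expr, flood), u32_match(expr, legit))
    print(drop_rule_for_ip_id(31336))
```

Running the model shows that "2&0xFFFF=0x7a68" and the equivalent "4&0xFFFF0000=0x7a680000" both select packets whose ID is 31336 and nothing else. Two caveats follow directly from the match: any legitimate packet that happens to carry ID 31336 is dropped as well, and the attacker can change the ID at will, so this is a stopgap for the current flood rather than a lasting filter.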