udp flood protection

Hello All!

I'm about to build an UDP balancer application on Unix (a reverse proxy)
and I'd like to implement a flood protection. Any ideas how to do this
besides checking the IP address of the clients?

TIA,

SJ

In article <42db9097@andromeda.datanet.hu>, SJ <sj@natrium.datanet.hu>
wrote:

>I'm about to build an UDP balancer application on Unix (a reverse proxy)
>and I'd like to implement a flood protection. Any ideas how to do this
>besides checking the IP address of the clients?

It is in the nature of UDP that essentially all the processing is up to
the receiving application. So the definition of "flood" depends on how
much your application can cope with. Contrast TCP SYN flood attacks,
where the "flood" arises because it fills up a connection table managed
by the kernel.

Checking IP addresses of incoming UDP packets isn't going to be enough,
since any eavesdropper can determine which addresses you're
communicating with and spoof packets with those addresses.

Lawrence D¹Oliveiro wrote:

> It is in the nature of UDP that essentially all the processing is up to
> the receiving application. So the definition of "flood" depends on how
> much your application can cope with. Contrast TCP SYN flood attacks,
> where the "flood" arises because it fills up a connection table managed
> by the kernel.
>
> Checking IP addresses of incoming UDP packets isn't going to be enough,
> since any eavesdropper can determine which addresses you're
> communicating with and spoof packets with those addresses.

Hello Lawrence!

And what other steps do you recommend? Eg. traffic shaping on the router
or running iptables with "--limit" on the udp proxy host, ...

SJ