Blocking UDP dictionary attack - Networking


  1. Blocking UDP dictionary attack

    I am running OpenVPN. I've started experiencing a 'dictionary attack' -
    someone is determined to get in. This is more of a nuisance than
    anything, but I would like to figure out a way to block UDP attacks,
    similar to the SSH blocks.

    They've been hitting me twice a second for days now. I'm getting annoyed.

    UDP is stateless though - any way to figure out how to block these
    attacks at the firewall?

    --Yan

  2. Re: Blocking UDP dictionary attack

    CptDondo writes:

    > I am running OpenVPN. I've started experiencing a 'dictionary attack' -
    > someone is determined to get in. This is more of a nuisance than
    > anything, but I would like to figure out a way to block UDP attacks,
    > similar to the SSH blocks.
    >
    > They've been hitting me twice a second for days now. I'm getting annoyed.
    >
    > UDP is stateless though - any way to figure out how to block these
    > attacks at the firewall?


    Are they coming from a single IP address? That could be filtered.

    Another option is to move your OpenVPN to a nonstandard port, and
    leave them a honeypot at the standard port to break into.

  3. Re: Blocking UDP dictionary attack

    CptDondo wrote:
    > I am running OpenVPN. I've started experiencing a 'dictionary attack' -
    > someone is determined to get in. This is more of a nuisance than
    > anything, but I would like to figure out a way to block UDP attacks,
    > similar to the SSH blocks.
    >
    > They've been hitting me twice a second for days now. I'm getting annoyed.
    >
    > UDP is stateless though - any way to figure out how to block these
    > attacks at the firewall?
    >
    > --Yan


    Can't wait to see someone block the insane idiot with the cross posts of
    M'I5!

  4. Re: Blocking UDP dictionary attack

    CptDondo wrote:
    > I am running OpenVPN. I've started experiencing a 'dictionary attack' -
    > someone is determined to get in. [...]


    > UDP is stateless though - any way to figure out how to block these
    > attacks at the firewall?


    I don't think you can block them at the firewall - unless you can do
    some IP based filtering. (Perhaps you know the IP address range for
    legitimate OpenVPN connections.)

    On the other hand, OpenVPN already has a pre-authentication feature;
    take a look at HMAC authentication and the --tls-auth option. Does this
    help you at all?

    Chris

  5. Re: Blocking UDP dictionary attack

    CptDondo wrote:
    > I am running OpenVPN. I've started experiencing a 'dictionary attack' -
    > someone is determined to get in. This is more of a nuisance than
    > anything, but I would like to figure out a way to block UDP attacks,
    > similar to the SSH blocks.
    >
    > They've been hitting me twice a second for days now. I'm getting annoyed.
    >
    > UDP is stateless though - any way to figure out how to block these
    > attacks at the firewall?
    >
    > --Yan


    A very practical way to hinder dictionary attacks is to put limits on
    the connection rate for the incoming non-related packets. I can't
    remember the iptables syntax for this (I use Shorewall on my firewall,
    which makes it a bit easier to get all the rules right), but I'm sure
    Google will help (http://www.debian-administration.org/articles/187 for
    example). Limiting incoming traffic to, say, 3 new connections per
    minute with a burst of 3 will make most dictionary attackers give up
    quickly - the attack would just take too long to succeed.

    It's a little odd that you are getting this sort of attack on OpenVPN
    ports, however - OpenVPN normally uses certificates and is therefore
    immune to dictionary attacks. It's more common on SSH ports and other
    password-based authentication.
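
Added example, not part of the thread or any poster's code: a small model of the limit suggested in the last reply (3 new connections per minute, burst 3) run against the twice-a-second flood from the first post, comparing one shared bucket with one bucket per source address. It assumes every packet counts as a new connection attempt; the addresses, timings and class/function names are constructed for illustration.

```python
from collections import defaultdict

RATE_PER_MIN, BURST = 3, 3   # from the post: 3 new connections/minute, burst 3
ATTACK_INTERVAL_MS = 500     # from the thread: "twice a second"
ATTACKER, CLIENT = "198.51.100.7", "203.0.113.20"   # constructed (RFC 5737 addresses)


class Bucket:
    """Integer credit bucket: one credit per ms, one packet costs 60000/rate credits."""

    def __init__(self, rate_per_min=RATE_PER_MIN, burst=BURST):
        self.cost = 60_000 // rate_per_min
        self.cap = self.cost * burst
        self.credit = self.cap      # a new bucket starts full, so the burst is available
        self.last_ms = 0

    def allow(self, now_ms):
        self.credit = min(self.cap, self.credit + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit < self.cost:
            return False            # over the limit: this packet would be dropped
        self.credit -= self.cost
        return True


def constructed_traffic(minutes=10, client_at_ms=300_250):
    """Constructed sample: attacker every 500 ms, one legitimate handshake mid-flood."""
    pkts = [(t, ATTACKER) for t in range(0, minutes * 60_000, ATTACK_INTERVAL_MS)]
    pkts.append((client_at_ms, CLIENT))
    return sorted(pkts)


def simulate(packets, per_source):
    """Return {source: packets accepted}. per_source=False models one shared bucket
    (iptables 'limit' match); True models a bucket per source IP ('hashlimit', srcip mode)."""
    shared = Bucket()
    buckets = defaultdict(Bucket)
    accepted = defaultdict(int)
    for now_ms, src in packets:
        bucket = buckets[src] if per_source else shared
        if bucket.allow(now_ms):
            accepted[src] += 1
    return dict(accepted)


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("offered by attacker:", sum(1 for _, s in traffic if s == ATTACKER))
    print("shared bucket      :", simulate(traffic, per_source=False))
    print("per-source buckets :", simulate(traffic, per_source=True))
```

With a single shared bucket the flood consumes every token and the legitimate client's handshake is dropped, so a per-source limit is the safer form of this rule.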
