TCP Ack Flood

Sample Pcap

Follow the tcpdump guide to record a pcap during an attack so that you can analyze it.


In the above, we see the source IP (192.168.0.1) is sending a UDP packet to 198.251.81.119 port 1900 (our server). The content shows that it is an SSDP packet.

Here are some other packets:


This packet is coming from a Linux UPnP device. It could be a printer, a phone, a router...
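The analysis described above can be scripted. The following is an added example, not part of the original page: it reads a classic pcap file, keeps the UDP packets on port 1900 whose payload looks like SSDP, and counts them per source IP and per SERVER header, which is where a string such as "Linux ... UPnP" comes from. The function names and the sample capture (including its SERVER value) are constructed for illustration.

```python
import struct
from collections import Counter

SSDP_STARTS = (b"M-SEARCH * HTTP/1.1", b"NOTIFY * HTTP/1.1", b"HTTP/1.1 200 OK")

def udp_packets(pcap):
    """Yield (src_ip, sport, dport, payload) per IPv4/UDP frame of a classic Ethernet pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue  # truncated frame or not IPv4
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
        if frame[23] != 17 or frag_offset or len(udp) < 8:
            continue  # not UDP, or a later fragment that carries no UDP header
        sport, dport = struct.unpack("!HH", udp[:4])
        yield ".".join(map(str, frame[26:30])), sport, dport, udp[8:]

def summarize_ssdp(pcap):
    """Count SSDP packets per source IP and per SERVER header value."""
    sources, servers = Counter(), Counter()
    for src, sport, dport, payload in udp_packets(pcap):
        if 1900 not in (sport, dport) or not payload.startswith(SSDP_STARTS):
            continue
        sources[src] += 1
        for line in payload.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().upper() == b"SERVER":
                servers[value.strip().decode("latin-1")] += 1
    return sources, servers

def sample_pcap():  # constructed capture: two SSDP packets and one DNS-port packet
    def frame(src, sport, dport, payload):  # Ethernet/IPv4/UDP, checksums left at 0
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes([198, 251, 81, 119]))
        return bytes(12) + b"\x08\x00" + ip + udp
    ssdp = b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\nSERVER: Linux/3.0 UPnP/1.0 example/1.0\r\n\r\n"
    frames = [frame("192.168.0.1", 1900, 1900, ssdp), frame("192.168.0.1", 1900, 1900, ssdp),
              frame("192.168.0.2", 40000, 53, bytes(12))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

To use it on a real capture, pass the bytes of the recorded file to summarize_ssdp(); the source counts show whether port 1900 traffic dominates before you write the block rule.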

How to Block

First, make sure that you have no exposed public IPs that are not DDoS filtered. If you are on BuyVM, check the web panel to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.

Using the packet filter firewall, you will want to block UDP packets on port 1900. You could put these two rules at the beginning of /etc/pf.conf:

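# ext_ip: the public IP address of your server
ext_ip="192.168.0.1"
# drop SSDP (UDP port 1900) sent to the server; quick stops rule evaluation here
block drop quick proto udp from any to $ext_ip port 1900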

A better solution is to block all UDP packets except for a few ports that you whitelist:

ext_ip="192.168.0.1"
# allow DNS and NTP to the server
pass in quick proto udp to $ext_ip port {domain ntp}
# drop every other UDP packet sent to the server, not only port 1900
block drop quick proto udp to $ext_ip

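This would whitelist DNS and NTP packets but drop all other UDP packets sent to the server. Replies to UDP traffic that the server itself sends out still pass as long as the outbound pass rule keeps state, which pf does by default.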

See Also

DDoS Defense