About TCP Reflection attacks

TCP reflection and spoof attacks are coming. We use a VyOS router in the data center and the incoming attacks leak through the peer between us and PATHNet and reach us. Suddenly the VyOS load value is 25 and the access is cut off. How can we write a rule to prevent this from happening? The sample attack output came to us from the other operator, I am passing it on to you.


2024-01-16 16:00:17 2.xx.xx.79 25565 → 56369 60 TCP
2024-01-16 15:59:48 2.xx.xx.79 25565 → 7453 60 TCP
2024-01-16 15:59:52 2.xx.xx.79 25565 → 5999 60 TCP
2024-01-16 15:59:51 2.xx.xx.79 25565 → 52969 60 TCP
2024-01-16 16:00:32 2.xx.xx.79 25565 → 16141 60 TCP
2024-01-16 16:00:05 2.xx.xx.79 25565 → 2933 60 TCP
2024-01-16 16:00:00 2.xx.xx.79 25565 → 14850 60 TCP
2024-01-16 15:59:41 2.xx.xx.79 25565 → 57231 60 TCP
2024-01-16 15:59:45 2.xx.xx.79 25565 → 44166 60 TCP
2024-01-16 16:00:22 2.xx.xx.79 25565 → 28352 60 TCP
2024-01-16 15:59:41 2.xx.xx.79 25565 → 53221 60 TCP
2024-01-16 15:59:58 2.xx.xx.79 25565 → 48903 60 TCP
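The log above has the classic shape of a reflection event: one source socket (the server on port 25565) sending a burst of minimum-size (60-byte) TCP packets to many unrelated ephemeral ports within about a minute. The following is an added example, not code from the original post or from VyOS, that parses lines in that format and flags a source socket whose fan-out matches this pattern. The IPs in the embedded sample are constructed placeholders (TEST-NET-3 range), the thresholds are assumptions to be tuned per network, and the benign lines were added to show what is not flagged.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same column layout as the thread's log:
# date time src sport → dport length proto. The 25565 lines reuse the
# thread's ports and timestamps with a placeholder source address; the
# 443 lines are a constructed benign web server for contrast.
SAMPLE_LOG = """\
2024-01-16 16:00:17 203.0.113.79 25565 → 56369 60 TCP
2024-01-16 15:59:48 203.0.113.79 25565 → 7453 60 TCP
2024-01-16 15:59:52 203.0.113.79 25565 → 5999 60 TCP
2024-01-16 15:59:51 203.0.113.79 25565 → 52969 60 TCP
2024-01-16 16:00:32 203.0.113.79 25565 → 16141 60 TCP
2024-01-16 16:00:05 203.0.113.79 25565 → 2933 60 TCP
2024-01-16 16:00:00 203.0.113.79 25565 → 14850 60 TCP
2024-01-16 15:59:41 203.0.113.79 25565 → 57231 60 TCP
2024-01-16 15:59:45 203.0.113.79 25565 → 44166 60 TCP
2024-01-16 16:00:22 203.0.113.79 25565 → 28352 60 TCP
2024-01-16 15:59:41 203.0.113.79 25565 → 53221 60 TCP
2024-01-16 15:59:58 203.0.113.79 25565 → 48903 60 TCP
2024-01-16 16:00:01 203.0.113.10 443 → 51234 1500 TCP
2024-01-16 16:00:02 203.0.113.10 443 → 51234 1500 TCP
2024-01-16 16:00:03 203.0.113.10 443 → 51880 1500 TCP
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if the layout does not match."""
    parts = line.split()
    if len(parts) != 8 or parts[4] not in ("→", "->"):
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        return {
            "ts": ts,
            "src": parts[2],
            "sport": int(parts[3]),
            "dport": int(parts[5]),
            "length": int(parts[6]),
            "proto": parts[7],
        }
    except ValueError:
        return None


def detect_reflection(text, min_distinct_dports=8, window_seconds=60, max_len=64):
    """Group packets by (src, sport) and flag sockets that emit many small
    packets to many distinct destination ports inside a short window.

    Thresholds are assumptions: a server answering spoofed SYNs produces
    tiny SYN-ACK/RST frames fanning out to random ports, whereas normal
    service traffic reuses a few ports and carries payload.
    """
    events = [e for e in map(parse_line, text.splitlines()) if e]
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["sport"])].append(e)

    findings = []
    for (src, sport), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        distinct = {e["dport"] for e in evs}
        small_ratio = sum(e["length"] <= max_len for e in evs) / len(evs)
        if len(distinct) >= min_distinct_dports and span <= window_seconds and small_ratio >= 0.9:
            findings.append({
                "src": src,
                "sport": sport,
                "packets": len(evs),
                "distinct_dports": len(distinct),
                "span_seconds": span,
                "small_packet_ratio": small_ratio,
            })
    return findings


if __name__ == "__main__":
    for f in detect_reflection(SAMPLE_LOG):
        print(f"reflection-like fan-out from {f['src']}:{f['sport']}: "
              f"{f['packets']} packets to {f['distinct_dports']} ports in {f['span_seconds']:.0f}s")
```

A finding identifies which local address and service port is being used as the reflector, which is the information needed to scope a per-address rate limit so that, as the poster wants, only the IP under attack is affected rather than everything behind the router.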

Sounds like you might be looking to do some form of DDoS protection on VyOS.

This article might provide some useful insight for you.

Hope this helps.

Thanks. I have written the necessary rules, I think these rules will be sufficient to ensure that when an attack occurs on one of the IP addresses, it does not affect the others.

Can’t we just block remote src IPs instead?

The remote IP mentioned in the logs is our IP address. DST IPs are attacker IPs.

Thanks @tjh

These rules worked, thank you.

The attack disconnects other IPs other than the incoming IP. Therefore, only the IP address from the attack needs to be cut. What can I do about this?