About TCP Reflection attacks

Hi Friends,

TCP reflection and spoof attacks are coming. We use vyos router in the data center and the incoming attacks leak through the peer between us and PATHNet and reach us. Suddenly the VOS load value is 25 and the access is cut off. How can we write a rule to prevent this from happening? The sample attack output came to us from the other operator, I am passing it on to you.

TIME (UTC)           SRC         SRC-PORT  →  DST           DST-PORT  SIZE  PROT

2024-01-16 16:00:17  2.xx.xx.79  25565     →  37.27.69.169  56369     60    TCP
2024-01-16 15:59:48  2.xx.xx.79  25565     →  37.27.69.178  7453      60    TCP
2024-01-16 15:59:52  2.xx.xx.79  25565     →  37.27.70.37   5999      60    TCP
2024-01-16 15:59:51  2.xx.xx.79  25565     →  37.27.71.83   52969     60    TCP
2024-01-16 16:00:32  2.xx.xx.79  25565     →  37.27.71.120  16141     60    TCP
2024-01-16 16:00:05  2.xx.xx.79  25565     →  37.27.80.53   2933      60    TCP
2024-01-16 16:00:00  2.xx.xx.79  25565     →  37.27.82.246  14850     60    TCP
2024-01-16 15:59:41  2.xx.xx.79  25565     →  37.27.83.132  57231     60    TCP
2024-01-16 15:59:45  2.xx.xx.79  25565     →  37.27.83.197  44166     60    TCP
2024-01-16 16:00:22  2.xx.xx.79  25565     →  37.27.83.240  28352     60    TCP
2024-01-16 15:59:41  2.xx.xx.79  25565     →  37.27.85.13   53221     60    TCP
2024-01-16 15:59:58  2.xx.xx.79  25565     →  37.27.87.127  48903     60    TCP
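As an added illustration (this is not code from the original post, from VyOS, or from the peer operator), here is a small Python detector over the log format quoted above. It groups payload-less TCP packets by source address and port and flags a source that reaches many distinct destinations inside a short window, which is the shape of a host being used as a TCP reflector: a 60-byte frame carries no TCP payload, so a single local port fanning such packets out to many unrelated addresses looks like SYN-ACK replies to spoofed SYNs rather than ordinary client traffic. The sample lines are constructed copies of the excerpt plus a constructed benign bulk transfer (192.0.2.x / 198.51.100.x) as a negative control; the window and threshold values are assumptions to tune per network.

```python
"""Spot a TCP reflection / fan-out pattern in flow-log lines.

Added example for this thread (not VyOS code and not from the poster).
It parses the column layout quoted in the first post and flags a source
that sprays tiny TCP packets at many destinations in a short window.
Threshold values are assumptions to tune per network.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same column layout as the post's excerpt (the
# source address is masked there too). The last three lines are a
# constructed benign bulk transfer used as a negative control.
SAMPLE_LOG = """\
2024-01-16 16:00:17 2.xx.xx.79 25565 → 37.27.69.169 56369 60 TCP
2024-01-16 15:59:48 2.xx.xx.79 25565 → 37.27.69.178 7453 60 TCP
2024-01-16 15:59:52 2.xx.xx.79 25565 → 37.27.70.37 5999 60 TCP
2024-01-16 15:59:51 2.xx.xx.79 25565 → 37.27.71.83 52969 60 TCP
2024-01-16 16:00:32 2.xx.xx.79 25565 → 37.27.71.120 16141 60 TCP
2024-01-16 16:00:05 2.xx.xx.79 25565 → 37.27.80.53 2933 60 TCP
2024-01-16 16:00:00 2.xx.xx.79 25565 → 37.27.82.246 14850 60 TCP
2024-01-16 15:59:41 2.xx.xx.79 25565 → 37.27.83.132 57231 60 TCP
2024-01-16 15:59:45 2.xx.xx.79 25565 → 37.27.83.197 44166 60 TCP
2024-01-16 16:00:22 2.xx.xx.79 25565 → 37.27.83.240 28352 60 TCP
2024-01-16 15:59:41 2.xx.xx.79 25565 → 37.27.85.13 53221 60 TCP
2024-01-16 15:59:58 2.xx.xx.79 25565 → 37.27.87.127 48903 60 TCP
2024-01-16 16:00:01 192.0.2.10 443 → 198.51.100.7 51000 1500 TCP
2024-01-16 16:00:02 192.0.2.10 443 → 198.51.100.7 51000 1500 TCP
2024-01-16 16:00:03 192.0.2.10 443 → 198.51.100.7 51000 1500 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+\S+\s+"        # \S+ is the arrow column
    r"(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<size>\d+)\s+(?P<proto>\S+)$"
)


def parse(text):
    """Turn log lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "size": int(d["size"]), "proto": d["proto"],
        })
    return records


def find_reflectors(records, window=timedelta(seconds=60), min_dsts=8, max_size=64):
    """Group payload-less TCP packets by (src, sport) and flag a group whose
    packets reach at least `min_dsts` distinct destinations inside any
    `window`-long span. Frames of `max_size` bytes or less carry no TCP
    payload, which is what a SYN-ACK answering a spoofed SYN looks like."""
    by_source = defaultdict(list)
    for r in records:
        if r["proto"] == "TCP" and r["size"] <= max_size:
            by_source[(r["src"], r["sport"])].append(r)

    findings = {}
    for key, pkts in by_source.items():
        pkts.sort(key=lambda r: r["ts"])
        in_window = Counter()   # distinct destinations currently inside the window
        lo, peak = 0, 0
        for r in pkts:
            in_window[r["dst"]] += 1
            # slide the left edge forward until the span fits inside `window`
            while r["ts"] - pkts[lo]["ts"] > window:
                old = pkts[lo]["dst"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_dsts:
            findings[key] = {
                "packets": len(pkts),
                "distinct_dsts": len({p["dst"] for p in pkts}),
                "peak_dsts_in_window": peak,
                "first": pkts[0]["ts"],
                "last": pkts[-1]["ts"],
            }
    return findings


if __name__ == "__main__":
    for (src, sport), info in find_reflectors(parse(SAMPLE_LOG)).items():
        print(f"{src}:{sport} reached {info['distinct_dsts']} destinations with "
              f"{info['packets']} packets between {info['first']} and {info['last']}")
```

Feeding the router's flow export or the peer's report through `parse` tells you which local address and port is doing the reflecting; that is the one address to isolate (rate limit or filter on the router) so the other addresses behind the same peer are not cut off with it, which is the outcome the thread is after. The 1500-byte transfer is never considered because it carries payload, so a busy but legitimate server does not trip the check.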

Welcome @huseyintr27 to the Vyos Forums.

Sounds like you might be looking to do some form of DDOS protection on Vyos.

This article might provide some useful insight for you.

Hope this helps.


Thanks. I have written the necessary rules, I think these rules will be sufficient to ensure that when an attack occurs on one of the IP addresses, it does not affect the others.

Can't we just block remote src IPs instead?

The remote IP mentioned in the logs is our IP address. DST IPs are attacker IPs.

Thanks @tjh

These rules worked, thank you.

The attack disconnects IPs other than the incoming IP. Therefore, only the IP address under attack needs to be cut. What can I do about this?