Hello folks. I'm still quite new to the area of firewall config. I do have a basic understanding of it, but for now I am trying to avoid messing things up too much, so a tip or some advice here would be appreciated.
I have an ISP-provided GPON router together with my own router in IP pass-through mode. Recently, during some gaming sessions, there have been some quite huge DDoS attacks that I have been able to observe, from many different IPs, making it impossible to use the connection.
All the packets causing the issue look like this: fragmented IPv4 packets to be reassembled as UDP. They are humongous and contain XML and SOAP gibberish messages, something I guess will force the router to make sense of the overall data contained within.
I am wondering what my options are here. Of course I could just block all these IPs, but they always seem random, and while a few of them sent more packets than others, it truly looks as if they come from a quite huge botnet, so perhaps blocking them individually is not the way.
Would it be possible to create some rule to discard fragmented packets as such entirely, or to use some information within the packet structure to discard them straight away? I guess it would still cause some flooding, but if a good rule is written for this, I suppose it won't have the same impact as before, since the router won't have to process the packet.
Thanks for reading, have a great day.
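The header fields a "drop fragments" rule keys on, shown as an added example that is not part of the original post: a small Python script that parses the 16-bit flags/fragment-offset field of a few constructed IPv4 headers and applies two drop policies. The first matches only non-initial fragments (fragment offset != 0, which is what iptables' `-f`/`--fragment` matches); the second matches any packet with the MF bit set or a non-zero offset (what an nftables match such as `ip frag-off & 0x3fff != 0` does, since 0x2000 is the MF bit and 0x1fff the offset). The addresses, IP identification value and datagram size are made up for the demo.

```python
import struct
from typing import Dict, List

# Bit layout of the IPv4 "flags + fragment offset" field (16 bits):
#   bit 15 reserved, bit 14 DF (don't fragment), bit 13 MF (more fragments),
#   bits 12..0 fragment offset in units of 8 bytes.
DF_BIT = 0x4000
MF_BIT = 0x2000
OFFSET_MASK = 0x1FFF
IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte header without options


def _ip2bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_header(ident: int, mf: bool, offset_units: int, total_len: int,
                      proto: int = 17, src: str = "198.51.100.7",
                      dst: str = "192.0.2.10") -> bytes:
    """Constructed (not captured) IPv4 header for the demo; checksum left at 0."""
    flags_frag = (MF_BIT if mf else 0) | (offset_units & OFFSET_MASK)
    return struct.pack(IPV4_HDR, 0x45, 0, total_len, ident, flags_frag,
                       64, proto, 0, _ip2bytes(src), _ip2bytes(dst))


def parse_fragment_info(pkt: bytes) -> Dict[str, object]:
    """Decode the fields a firewall needs to decide 'is this a fragment?'."""
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    mf = bool(flags_frag & MF_BIT)
    offset = (flags_frag & OFFSET_MASK) * 8  # convert 8-byte units to bytes
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "id": ident,
        "proto": proto,
        "total_len": total_len,
        "mf": mf,
        "offset": offset,
        # Any fragment: either more fragments follow, or this one is not the first.
        "is_fragment": mf or offset != 0,
        # Only the first fragment (offset 0) carries the UDP/TCP header, so
        # port-based rules cannot see the later pieces at all.
        "first_fragment": mf and offset == 0,
        "noninitial_fragment": offset != 0,
    }


def verdict(info: Dict[str, object], policy: str) -> str:
    """'noninitial' mimics iptables -f; 'any' mimics nft 'ip frag-off & 0x3fff != 0'."""
    if policy == "noninitial":
        drop = bool(info["noninitial_fragment"])
    elif policy == "any":
        drop = bool(info["is_fragment"])
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return "DROP" if drop else "ACCEPT"


def sample_packets() -> List[bytes]:
    """One unfragmented UDP packet plus a 4008-byte UDP datagram split at MTU 1500.

    Each full fragment carries 1480 bytes of payload, so offsets are 0, 1480
    and 2960 bytes (0, 185 and 370 in 8-byte units); the last piece is 1048 bytes.
    """
    return [
        build_ipv4_header(ident=0x1111, mf=False, offset_units=0, total_len=512),
        build_ipv4_header(ident=0x2222, mf=True, offset_units=0, total_len=1500),
        build_ipv4_header(ident=0x2222, mf=True, offset_units=185, total_len=1500),
        build_ipv4_header(ident=0x2222, mf=False, offset_units=370, total_len=1068),
    ]


def run_policy(policy: str) -> List[str]:
    """Apply one policy to every sample packet and return the verdicts in order."""
    return [verdict(parse_fragment_info(p), policy) for p in sample_packets()]


if __name__ == "__main__":
    for pkt in sample_packets():
        info = parse_fragment_info(pkt)
        print(f"id={info['id']:#06x} mf={info['mf']!s:5} offset={info['offset']:>5}"
              f"  iptables -f: {verdict(info, 'noninitial'):6}"
              f"  nft frag-off&0x3fff: {verdict(info, 'any')}")
```

Both policies decide on a single header compare, so they cost the router nothing like what reassembling a multi-kilobyte datagram costs. The difference matters in practice: the `-f` style lets the first fragment through (where the UDP ports are visible) and drops only the tail pieces, while the `any` style also discards first fragments and therefore every legitimately fragmented datagram, including large UDP payloads such as some DNS responses or VPN/IPsec traffic. Fragments of the same datagram share source, destination, protocol and the identification field, which is also how reassembly groups them.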