Some help/advice regarding hardening fw

Hello folks. I'm still quite new in the area of firewall config, I do have basic understanding of it, but for now I am trying to avoid messing up things too much, so some tip or advice here would be appreciated.

I have an ISP provided GPON router together with my own router in IP pass-through mode. Recently, during some gaming sessions, there have been some quite huge DDoS attacks I have been able to observe, from many different IPs, making it impossible to use the connection.

All the packets causing the issue look like this, fragmented IPv4 packets to be reassembled as UDP. They are humongous and contain XML and SOAP gibberish messages, something I guess will force the router to make sense of the overall data contained within.

I am wondering what my options are here, of course I could just block all these IPs, but they always seem random and while a few of them had more packets sent than others, it truly looks as if they come from a quite huge botnet, therefore perhaps blocking them individually is not the way.

Would it be possible to create some rule to discard fragmented packets as such entirely, or to use some information within the packet structure to discard it straight away? I guess it would still cause some flooding, but if a good rule is written for this, I suppose it won't have the same impact as previously, since the router won't have to process the packet.

Thanks for reading, have a great day

Change firewall rules that say REJECT to DROP. The router should stop sending ICMP Errors back.

Let us know if your usage is better if it happens again.

Lastly, how did you record this traffic into some Wireshark-compatible format during the game (it matters)?
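As an added example (not from this thread and not part of OpenWrt's default ruleset), here is how the "discard fragmented packets" rule asked about above can be expressed for fw4, the nftables firewall on OpenWrt 22.03 and later; the file name and the WAN interface name `wan` are assumptions.

```nft
# /etc/nftables.d/10-drop-wan-fragments.nft  (file name assumed)
# fw4 includes *.nft files from this directory inside its "inet fw4"
# table, so a chain with its own hook can be declared here.
#
# Conntrack reassembles IPv4 fragments at prerouting priority -400,
# before any normal input/forward chain runs, so a fragment match in
# those chains never fires.  Hooking at -450 (the kernel's
# "raw before defrag" slot) sees the raw fragments and drops them
# before the router spends memory and CPU on reassembly.
chain drop_wan_fragments {
    type filter hook prerouting priority -450; policy accept;

    # Any IPv4 packet with a non-zero fragment offset or the
    # More-Fragments flag set (frag-off & 0x3fff != 0) arriving on WAN.
    # Log a few per minute so the flood stays visible in logread.
    iifname "wan" ip frag-off & 0x3fff != 0 \
        limit rate 5/minute log prefix "wan-frag-drop: " counter drop

    # Everything beyond the log budget is counted and dropped silently.
    iifname "wan" ip frag-off & 0x3fff != 0 counter drop
}
```

The zone-level REJECT/DROP choice from the reply above is the `option input` / `option forward` setting of the wan zone in `/etc/config/firewall`; apply both with `fw4 reload`. Legitimate fragments (large DNS replies, some VPN traffic) are dropped too, and dropped packets still occupy the WAN downlink, so this lowers router load but cannot unsaturate the link.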

Thanks for the advice, indeed I already set it to DROP. I used the sshdump plugin in Wireshark and the tcpdump package in OpenWrt.

Next, have you ruled out this traffic as coming from the other gamers (e.g. some versions of CoD in the past and other games pick a player to "host" the game, send traffic/voice/messages in game, etc.)?

  • Does your game do some P2P matching, chat, etc.?
  • Do you use a separate stream or chat system during the game that might cause that?

In other words, yes, I think this traffic doesn't originate from within the game itself, it was from a wide range of IPs, some being reported for participating in a botnet, most not.