Networking Forums

Blocking UDP dictionary attack

 
 
CptDondo
      01-01-2008, 01:51 PM
I am running OpenVPN. I've started experiencing a 'dictionary attack' -
someone is determined to get in. This is more of a nuisance than
anything, but I would like to figure out a way to block UDP attacks,
similar to the SSH blocks.

They've been hitting me twice a second for days now. I'm getting annoyed.

UDP is stateless though - any way to figure out how to block these
attacks at the firewall?

--Yan
 
 
Joe Pfeiffer
      01-01-2008, 04:06 PM
CptDondo writes:

> I am running OpenVPN. I've started experiencing a 'dictionary attack' -
> someone is determined to get in. This is more of a nuisance than
> anything, but I would like to figure out a way to block UDP attacks,
> similar to the SSH blocks.
>
> They've been hitting me twice a second for days now. I'm getting annoyed.
>
> UDP is stateless though - any way to figure out how to block these
> attacks at the firewall?


Are they coming from a single IP address? That could be filtered.

Another option is to move your OpenVPN to a nonstandard port, and
leave them a honeypot at the standard port to break into.
 
 
AHappyCamper
      01-01-2008, 06:46 PM
CptDondo wrote:
> I am running OpenVPN. I've started experiencing a 'dictionary attack' -
> someone is determined to get in. This is more of a nuisance than
> anything, but I would like to figure out a way to block UDP attacks,
> similar to the SSH blocks.
>
> They've been hitting me twice a second for days now. I'm getting annoyed.
>
> UDP is stateless though - any way to figure out how to block these
> attacks at the firewall?
>
> --Yan


Can't wait to see someone block the insane idiot with the cross posts of
M'I5!
 
 
Chris Davies
      01-02-2008, 04:12 PM
CptDondo wrote:
> I am running OpenVPN. I've started experiencing a 'dictionary attack' -
> someone is determined to get in. [...]


> UDP is stateless though - any way to figure out how to block these
> attacks at the firewall?


I don't think you can block them at the firewall - unless you can do
some IP based filtering. (Perhaps you know the IP address range for
legitimate OpenVPN connections.)

On the other hand, OpenVPN already has a pre-authentication feature;
take a look at HMAC authentication and the --tls-auth option. Does this
help you at all?

Chris
 
 
David Brown
      01-02-2008, 06:04 PM
CptDondo wrote:
> I am running OpenVPN. I've started experiencing a 'dictionary attack' -
> someone is determined to get in. This is more of a nuisance than
> anything, but I would like to figure out a way to block UDP attacks,
> similar to the SSH blocks.
>
> They've been hitting me twice a second for days now. I'm getting annoyed.
>
> UDP is stateless though - any way to figure out how to block these
> attacks at the firewall?
>
> --Yan


A very practical way to hinder dictionary attacks is to put limits on
the connection rate for the incoming non-related packets. I can't
remember the iptables syntax for this (I use Shorewall on my firewall,
which makes it a bit easier to get all the rules right), but I'm sure
Google will help (http://www.debian-administration.org/articles/187 for
example). Limiting incoming traffic to, say, 3 new connections per
minute with a burst of 3 will make most dictionary attackers give up
quickly - the attack would just take too long to succeed.

It's a little odd that you are getting this sort of attack on OpenVPN
ports, however - OpenVPN normally uses certificates and is therefore
immune to dictionary attacks. It's more common on ssh ports and other
password-based authentication.
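
The rate limit David Brown describes (3 new connections per minute with a burst of 3), written out as iptables rules; this is an added example, not part of any post in the thread. It assumes OpenVPN listens on its default UDP port 1194, and the chain name OVPN_LIMIT and hashlimit table name ovpn are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): print iptables-restore rules that
# rate-limit NEW UDP flows to an OpenVPN port, counted per source address.
# Defaults are assumptions: port 1194, and the 3/minute, burst 3 figures
# quoted in the post above.
#
# Usage: ovpn_ratelimit_rules [PORT] [RATE_PER_MINUTE] [BURST]
ovpn_ratelimit_rules() {
    port=${1:-1194} rate=${2:-3} burst=${3:-3}

    # Reject anything that is not a plain positive integer so a typo
    # never ends up inside a firewall rule.
    for v in "$port" "$rate" "$burst"; do
        case $v in
            ''|*[!0-9]*) echo "not a number: $v" >&2; return 2 ;;
        esac
    done
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "port out of range: $port" >&2; return 2; }
    [ "$rate" -ge 1 ] && [ "$burst" -ge 1 ] || {
        echo "rate and burst must be at least 1" >&2; return 2; }

    # OVPN_LIMIT and the table name "ovpn" are hypothetical names.
    cat <<EOF
*filter
:OVPN_LIMIT - [0:0]
# Flows the server has already answered are let through untouched.
-A INPUT -p udp --dport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Everything else for the port goes through the per-source limiter.
-A INPUT -p udp --dport $port -m conntrack --ctstate NEW -j OVPN_LIMIT
-A OVPN_LIMIT -m hashlimit --hashlimit-name ovpn --hashlimit-mode srcip --hashlimit-upto $rate/minute --hashlimit-burst $burst -j ACCEPT
-A OVPN_LIMIT -j DROP
COMMIT
EOF
}

# Print the rules; review them, then check the syntax without applying:
#   sh this-script | iptables-restore --noflush --test
ovpn_ratelimit_rules "$@"
```

Although UDP itself is stateless, conntrack tracks each UDP flow and keeps classifying the sender's packets as NEW until the server has replied on that flow, which is what lets the limiter count them per source address.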