The usual approach is to use iptables to drop these fragmented UDP packets; below is an example iptables configuration:
vi /etc/sysconfig/iptables
-A INPUT -i eth1 -p udp -m udp -m multiport --dports 19,53,111,123,161,1121,1900 -j DROP
-A INPUT -i eth1 -p udp -m udp -m multiport --sports 19,53,111,123,161,1121,1900 -j DROP
-A OUTPUT -o eth1 -p udp -m udp -m multiport --dports 19,53,111,123,161,1121,1900 -j DROP
-A OUTPUT -o eth1 -p udp -m udp -m multiport --sports 19,53,111,123,161,1121,1900 -j DROP
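Added example (not code from the original post): a small first-match evaluator for the rule syntax used above, so the effect of these rules on real traffic can be checked without root or a live netfilter. It evaluates the page's four rules and a stateful variant of my own (the conntrack ACCEPT rule and the dropped OUTPUT --dports rule are my suggestion, not the page's) against constructed sample datagrams on the assumed uplink eth1. One point worth seeing before deploying: because the rules match on both --sports and --dports in both chains, they also drop this host's own outbound DNS queries to port 53 and the replies that come back from port 53, not only the reflected flood. The conntrack state of each sample packet is supplied by hand in the tuple; on a real host it comes from nf_conntrack's UDP pseudo-connection tracking.

```python
# Added illustration (not from the page): a toy first-match evaluator for the
# iptables rule syntax used above, so the effect of rule order on real traffic
# can be seen without root or netfilter. Packets and ports are constructed.
from __future__ import annotations
import shlex
from dataclasses import dataclass, field

AMP_PORTS = "19,53,111,123,161,1121,1900"  # port list from the page's rules

# The page's four rules, verbatim, in iptables-save syntax.
PAGE_RULES = f"""
-A INPUT -i eth1 -p udp -m udp -m multiport --dports {AMP_PORTS} -j DROP
-A INPUT -i eth1 -p udp -m udp -m multiport --sports {AMP_PORTS} -j DROP
-A OUTPUT -o eth1 -p udp -m udp -m multiport --dports {AMP_PORTS} -j DROP
-A OUTPUT -o eth1 -p udp -m udp -m multiport --sports {AMP_PORTS} -j DROP
"""

# Stateful variant (my suggestion, not the page's): accept replies to traffic
# this host initiated before the drops, and do not drop outbound queries *to*
# these ports, so the host's own DNS/NTP lookups keep working.
STATEFUL_RULES = f"""
-A INPUT -i eth1 -p udp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p udp -m udp -m multiport --dports {AMP_PORTS} -j DROP
-A INPUT -i eth1 -p udp -m udp -m multiport --sports {AMP_PORTS} -j DROP
-A OUTPUT -o eth1 -p udp -m udp -m multiport --sports {AMP_PORTS} -j DROP
"""

@dataclass
class Rule:
    chain: str = ""
    iface: str = ""                       # -i or -o value; "" matches any
    dports: set = field(default_factory=set)
    sports: set = field(default_factory=set)
    ctstates: set = field(default_factory=set)
    target: str = ""

@dataclass
class Packet:
    chain: str        # INPUT (arriving) or OUTPUT (leaving)
    iface: str
    sport: int
    dport: int
    ctstate: str = "NEW"  # assumed by hand here; ESTABLISHED = reply to a datagram this host sent

def parse_ports(spec: str) -> set:
    """Expand a multiport list such as '19,53,1000:1002' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rule(line: str) -> Rule:
    rule, toks, i = Rule(), shlex.split(line), 0
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]
        if opt == "-A": rule.chain = arg
        elif opt in ("-i", "-o"): rule.iface = arg
        elif opt == "--dports": rule.dports = parse_ports(arg)
        elif opt == "--sports": rule.sports = parse_ports(arg)
        elif opt == "--ctstate": rule.ctstates = set(arg.split(","))
        elif opt == "-j": rule.target = arg
        elif opt not in ("-p", "-m"):   # -p udp / -m udp|multiport|conntrack are implied
            raise ValueError(f"unsupported option {opt!r} in: {line}")
        i += 2
    return rule

def parse_rules(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.chain == pkt.chain
            and (not rule.iface or rule.iface == pkt.iface)
            and (not rule.dports or pkt.dport in rule.dports)
            and (not rule.sports or pkt.sport in rule.sports)
            and (not rule.ctstates or pkt.ctstate in rule.ctstates))

def verdict(rules: str, pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in parse_rules(rules):
        if matches(rule, pkt):
            return rule.target
    return policy

# Constructed sample traffic on the uplink eth1.
SAMPLES = {
    "reflected NTP flood hitting port 80":   Packet("INPUT", "eth1", 123, 80),
    "unsolicited SNMP probe to this host":   Packet("INPUT", "eth1", 50000, 161),
    "host's own DNS query going out":        Packet("OUTPUT", "eth1", 40211, 53),
    "reply to that DNS query coming back":   Packet("INPUT", "eth1", 53, 40211, "ESTABLISHED"),
}

def compare() -> dict:
    """Verdict of both rule sets (page, stateful) for each sample packet."""
    return {name: (verdict(PAGE_RULES, p), verdict(STATEFUL_RULES, p))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (page, stateful) in compare().items():
        print(f"{name:42s} page: {page:6s} stateful: {stateful}")
```

Running it shows both rule sets dropping the reflected flood and the unsolicited probe, while only the page's rules also drop the host's own DNS query and its reply. Whether that collateral drop is acceptable depends on whether eth1 is a pure ingress interface or the host's only uplink; if it is the uplink, order the rules as in the stateful variant or restrict the drops to source ports only.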
Reference:
1. HOW TO DEFEND AGAINST AMPLIFIED REFLECTION DDOS ATTACKS
2. DDoS attacks – an explanation of amplified reflective UDP-based attacks