====== Protection against UDP flood attack ====== {{indexmenu_n>3}} This attack is handled by fragmented UDP packets. The target system has to spend a lot of resources to assemble and analyse them. The protection is carried out by disabling of unnecessary protocols on the site under protection. You can learn how to configure the protocol's filter here: [[dpi:dpi_options:opt_priority:priority_config|configuring priorities]]. For a typical WEB site under protection, the required protocols are HTTP and HTTPS. Therefore the proper configuration looks like this: http cs0 https cs0 default drop To convert the ready configuration file into the internal format and to send it to DPI: cat my_dscp.txt|lst2dscp protocols.dscp mv protocols.dscp /etc/dpi/protocols.dscp service fastdpi reload The protection against DDos attack of DNS/NTP amplification type can be arranged similarly. This attack overloads the incoming channel by the traffic that exceeds the channel's capabilities. The operation of this protection is limited by operator's ability to provide additional channel capacity. If the inbound traffic exceeds this capacity, one has to rent additional channels or redirect the traffic to dedicated services that provide a protection against such attacks. They rent very wide channels to exceed the capabilities of DDoS attacks.