# TCP Ack Flood

## Sample Pcap

Follow the [tcpdump](/openbsd/tcpdump) guide to record a pcap during an attack so that you can analyze it.

In the above, we see the source IP (192.168.0.1) sending a UDP packet to 198.251.81.119 port 1900 (our server). The content shows that it is an SSDP packet.

Here are some other packets:

This packet is coming from a Linux UPnP device. It could be a printer, a phone, a router...

## How to Block

First, make sure that you have no exposed public IPs that are not DDoS filtered. If you are on [BuyVM](/openbsd/buyvm), check the [web panel](https://manage.buyvm.net) to see whether any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.

Using the [packet filter](/openbsd/pf) firewall, block UDP packets on port 1900. You could put these two rules at the beginning of /etc/pf.conf:

```
ext_ip="192.168.0.1"
# drop SSDP (UDP/1900) before any other rule is evaluated
block drop quick proto udp from any to $ext_ip port 1900
```

A better solution is to block all UDP packets except for a few ports that you whitelist:

```
ext_ip="192.168.0.1"
# allow only DNS and NTP over UDP to the external address
pass in quick proto udp to $ext_ip port {domain ntp}
# drop every other UDP packet, not just port 1900
block drop quick proto udp to $ext_ip
```

This would whitelist DNS and NTP packets but drop all other UDP packets.

## See Also

[DDoS Defense](/openbsd/Ddos)
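As an added example for the Sample Pcap section (not code from the original page): a POSIX shell/awk triage script that tallies which sources are sending UDP to port 1900 in tcpdump text output, so you can see who is behind the flood before writing pf rules. The server address and the capture lines are constructed samples, not a real recording.

```shell
#!/bin/sh
# Tally UDP packets to port 1900 per source address from tcpdump output.
# DST_IP is the assumed server address (constructed for this example).
DST_IP="198.251.81.119"

# Constructed sample lines in OpenBSD tcpdump format (not a real capture).
SAMPLE_CAPTURE='12:00:00.000101 192.168.0.1.51234 > 198.251.81.119.1900: udp 95
12:00:00.000202 192.168.0.1.51234 > 198.251.81.119.1900: udp 95
12:00:00.000303 10.0.0.7.40001 > 198.251.81.119.1900: udp 95
12:00:00.000404 192.168.0.1.51234 > 198.251.81.119.1900: udp 95
12:00:00.000505 10.0.0.9.5353 > 198.251.81.119.53: udp 60
12:00:00.000606 10.0.0.7.40001 > 198.251.81.119.123: udp 48'

# ssdp_talkers: read tcpdump lines on stdin and print "count source" for
# every source that sent UDP to $DST_IP port 1900, busiest first.
# Fields: $1 time, $2 src.port, $3 ">", $4 "dst.port:", $5 proto, $6 length.
ssdp_talkers() {
    awk -v dst="$DST_IP.1900:" '
        $3 == ">" && $4 == dst && $5 == "udp" {
            src = $2
            sub(/\.[0-9]+$/, "", src)   # strip the trailing source port
            n[src]++
        }
        END { for (s in n) printf "%d %s\n", n[s], s }
    ' | sort -rn
}

# top_ssdp_source: the single busiest sender in the sample, as "count source".
top_ssdp_source() {
    printf '%s\n' "$SAMPLE_CAPTURE" | ssdp_talkers | head -n 1
}

# ssdp_packet_count: total number of UDP/1900 packets in the sample.
ssdp_packet_count() {
    printf '%s\n' "$SAMPLE_CAPTURE" | ssdp_talkers | awk '{ t += $1 } END { print t + 0 }'
}

# Run directly: show the full per-source tally for the sample.
if [ "${1:-}" = "--run" ]; then
    printf '%s\n' "$SAMPLE_CAPTURE" | ssdp_talkers
fi
```

On a live capture, replace the sample with `tcpdump -n -r attack.pcap udp and port 1900 | ssdp_talkers`; the DNS and NTP lines in the sample are deliberately ignored so you can confirm the filter matches only SSDP traffic.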