I am using a Debian 6 - 64bit OS and my server is DDoSed/flooded through the UDP protocol from time to time. I basically host game servers and my firewall is set to rate-limit the packets on allowed ports, but sometimes the rate per IP is low while the number of IPs is higher, so my server sends outgoing ICMP unreachable replies to the attacking IPs, which provides no benefit but chokes/saturates the port even more.
I'm looking into how to disable this feature. Actually the ports that get attacked are allowed through the firewall and I can't disable them, although that would solve the issue. I run a number of servers over some port ranges, so I can't keep allowing these ports one by one, and decided to allow the whole port range I might require.
Is there some kernel ability to stop this?
To prevent ICMP unreachable packets being sent, you can drop them using netfilter (iptables):
Better is to prevent them being generated in the first place by using the DROP target on the INPUT traffic, rather than REJECT (or nothing, where the kernel networking stack will create the unreachable reply rather than netfilter).
I don't think this will resolve your issues though; you need to identify what impact the DDoS is having: is it saturating the network or consuming system resources (CPU/memory, etc.)? If it's the network, then muting the replies may assist slightly, but you're still going to have the incoming packets on the wire.
The iptables target REJECT causes ICMP unreachable responses to be sent. Changing your target over to DROP will cause the incoming packets to be silently black-holed.
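Putting both answers into a concrete ruleset, as an added example that is not from either answerer: a sh function emits an iptables-restore fragment with the excess-traffic target as a parameter, so the REJECT form (which answers with ICMP unreachables) and the DROP form (silent black-hole) can be compared side by side; it also adds an OUTPUT rule against the kernel's own port-unreachable replies for accepted ports with no listener, and a helper that audits an iptables-save dump for REJECT targets. The port range 27000:27100, the hashlimit thresholds and the chain policies are assumptions, not the asker's real firewall.

```shell
#!/bin/sh
# Added example: emits an iptables-restore ruleset for the scenario in the
# question. Everything below is assumed, not the asker's real firewall:
# the UDP port range, the per-source thresholds and the chain policies.
GAME_UDP_PORTS="${GAME_UDP_PORTS:-27000:27100}"   # assumed game-server range

# build_ruleset TARGET
#   TARGET=REJECT reproduces the problem: every packet over the per-source
#   limit is answered with an ICMP port-unreachable (second answer).
#   TARGET=DROP silently black-holes the excess instead (both answers).
build_ruleset() {
  excess_target="$1"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# per-source rate limit on the game ports; excess goes to the chosen target
-A INPUT -p udp --dport ${GAME_UDP_PORTS} -m hashlimit --hashlimit-name gameudp --hashlimit-mode srcip --hashlimit-above 200/second --hashlimit-burst 400 -j ${excess_target}
-A INPUT -p udp --dport ${GAME_UDP_PORTS} -j ACCEPT
# An accepted packet to a port in the range with no listener makes the kernel
# itself (not netfilter) send a port-unreachable, as the first answer notes;
# dropping those on OUTPUT keeps them off the already saturated link.
-A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
COMMIT
EOF
}

# count_reject_rules: reads an iptables-save dump on stdin and counts rules
# whose target is REJECT, i.e. rules that will still generate unreachables.
# Live usage:  iptables-save | count_reject_rules
count_reject_rules() {
  grep -c -- '-j REJECT' || true
}

# Apply with:  build_ruleset DROP | iptables-restore   (as root; review first)
```

Run the audit helper against the live dump before switching targets: any non-zero count points at rules that will keep answering the flood.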