udp flood attack

nango

Verified User
Joined
May 13, 2006
Messages
92
Hi
I received an email from the data center last night, and they told me I have a huge UDP attack, and they have closed all my UDP now.
Code:
2011-02-     20:22:26     alert     x.x.x.x     94.23.35.98        anomaly: udp_flood, 2281 > threshold 800, repeats 136841 times

2011-02-     17:14:07     alert     x.x.x.x     46.19.136.100     anomaly: udp_flood, 1457 > threshold 800, repeats 113643

I'm running CentOS 5 64-bit, using APF as firewall.
I blocked these 2 IPs, and on my apf the open ports are:
Code:
# Common inbound (ingress) UDP ports
IG_UDP_CPORTS="20,21,53,"
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="21,212,25,53,80,443,110,143,2222,2525,35000_35999"

I tried rkhunter and it did not find any problem.
My question: how to find who or what is attacking me?
Then how to prevent?
Thanks to all.
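The two alert lines quoted above carry the answer to the first question, once they are read field by field: the customer's own address (masked as x.x.x.x) is in the source column and the external hosts are in the destination column, so the server is the one sending. The script below is an added example, not part of the thread or of APF; it parses lines in that exact layout and summarises them per remote address, recording the direction of each flood. The third sample line is constructed (198.51.100.7 is a documentation address) to show that a different anomaly type is filtered out; the rate unit is unknown from the post, so it is reported as a bare number.

```python
import re

# Layout of the data-center alert lines quoted in the thread. The day field
# was cut off in the post, so the date is accepted as any non-space token.
ALERT_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<level>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+anomaly:\s*(?P<kind>\w+),\s*"
    r"(?P<rate>\d+)\s*>\s*threshold\s*(?P<threshold>\d+),\s*repeats\s*(?P<repeats>\d+)"
)

# The two lines from the thread plus one constructed inbound syn_flood line.
SAMPLE_ALERTS = """\
2011-02-     20:22:26     alert     x.x.x.x     94.23.35.98        anomaly: udp_flood, 2281 > threshold 800, repeats 136841 times
2011-02-     17:14:07     alert     x.x.x.x     46.19.136.100     anomaly: udp_flood, 1457 > threshold 800, repeats 113643
2011-02-     17:20:00     alert     198.51.100.7     x.x.x.x     anomaly: syn_flood, 900 > threshold 800, repeats 12
"""


def parse_alert(line):
    """Return a dict for one alert line, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rate", "threshold", "repeats"):
        rec[key] = int(rec[key])
    return rec


def summarize(text, our_host, kind="udp_flood"):
    """Aggregate alerts of one anomaly kind per remote address.

    our_host is the placeholder the data center used for the customer's own
    address ("x.x.x.x" in the thread). Each entry records whether our host
    was the *source* of the flood: that is the difference between being
    attacked and being used to attack someone else.
    """
    out = {}
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None or rec["kind"] != kind:
            continue
        outbound = rec["src"] == our_host
        remote = rec["dst"] if outbound else rec["src"]
        entry = out.setdefault(remote, {"outbound": outbound, "events": 0,
                                        "repeats": 0, "peak_rate": 0,
                                        "threshold": rec["threshold"]})
        entry["events"] += 1
        entry["repeats"] += rec["repeats"]
        entry["peak_rate"] = max(entry["peak_rate"], rec["rate"])
    return out


if __name__ == "__main__":
    for remote, e in summarize(SAMPLE_ALERTS, "x.x.x.x").items():
        direction = "FROM our host TO" if e["outbound"] else "TO our host FROM"
        print(f"{direction} {remote}: peak rate {e['peak_rate']} (threshold "
              f"{e['threshold']}), {e['repeats']} repeats over {e['events']} event(s)")
```

When every entry comes out as outbound, the next check belongs on the host rather than at the edge: list the UDP sockets with their owning processes (`netstat -unap` on CentOS 5, or `ss -unap` where available) while the traffic is flowing, and look for a process or script that should not be holding them. Blocking the two destination addresses only removes today's targets.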
 
Ask your isp to help filter the attacks. You are going to stop nothing with a software firewall.
 
Thanks, but it seems the attacker uses my server to send packets to random servers.
They opened UDP for 24 hrs, and after that it will not be opened again. :(
 
I reconfigured APF, but when I check ports with nmap, closed ports show as open:
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
22/tcp open anet
443/tcp open https
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
1018/tcp open unknown
3306/tcp open mysql
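A quick way to see exactly where the scan disagrees with the configuration is to diff the two lists mechanically. The script below is an added example, not from the thread or from APF: it expands the IG_TCP_CPORTS string posted earlier (APF writes a range as low_high, and the trailing comma in IG_UDP_CPORTS is just an empty field) and parses the nmap port table above, then reports ports that answer although the allow list does not contain them and ports that are allowed but were not seen. One caveat a practitioner would raise first: a scan run from the server itself goes over loopback, which APF accepts, so it says nothing about the ingress policy; the scan has to come from an outside host.

```python
import re

# APF port lists as posted in the thread; APF writes ranges as low_high.
IG_TCP_CPORTS = "21,212,25,53,80,443,110,143,2222,2525,35000_35999"
IG_UDP_CPORTS = "20,21,53,"

# The nmap port table from the last post (service names are what nmap printed).
NMAP_OUTPUT = """\
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
22/tcp open anet
443/tcp open https
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
1018/tcp open unknown
3306/tcp open mysql
"""

NMAP_LINE_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)")


def parse_apf_ports(value):
    """Expand an APF *_CPORTS string into a set of port numbers.

    Empty fields (the trailing comma in IG_UDP_CPORTS) are skipped and
    low_high entries are expanded to every port in the range.
    """
    ports = set()
    for field in value.split(","):
        field = field.strip()
        if not field:
            continue
        if "_" in field:
            low, high = (int(x) for x in field.split("_", 1))
            ports.update(range(low, high + 1))
        else:
            ports.add(int(field))
    return ports


def parse_nmap_open(text, proto="tcp"):
    """Return the set of ports nmap reported as open for the given protocol."""
    open_ports = set()
    for line in text.splitlines():
        m = NMAP_LINE_RE.match(line.strip())
        if m and m.group("proto") == proto and m.group("state") == "open":
            open_ports.add(int(m.group("port")))
    return open_ports


def compare(configured, observed):
    """Split ports into 'reachable but not allowed' and 'allowed but not seen'."""
    return {
        "open_not_allowed": sorted(observed - configured),
        "allowed_not_open": sorted(configured - observed),
    }


if __name__ == "__main__":
    result = compare(parse_apf_ports(IG_TCP_CPORTS), parse_nmap_open(NMAP_OUTPUT))
    print("reachable but not in IG_TCP_CPORTS:", result["open_not_allowed"])
    print("in IG_TCP_CPORTS but not reported open:",
          len(result["allowed_not_open"]), "ports")
```

On the posted data the first list is 22, 111, 587, 993, 995, 1018 and 3306. If those answered to a scan from outside, the running ruleset is not the one in the file (APF not restarted, or a listed deny/allow overriding it) and the output of `iptables -L -n` is what to compare against; if the scan came from the box itself, the result is expected and proves nothing. Either way, 111/rpcbind and 3306/mysql are the ones worth confirming are really unreachable from the Internet.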
 