How to identify UDP based DoS

I’m running Counter-strike game server on 27015 UDP port. I’m using Amazon AWS to host game server.

I have added only my friend’s IP into security group so rest of the traffic is always blocked.

My enemy is using IP spoofing trick. He is spoofing my friend’s IP and sending UDP flood.

He sends it from 3-4 IPs.

What I’m currently doing is that, I’m capturing IPs in TCPdump and blocking manually.

For example,

I capture packets using tcpdump and then I save it in pcap file.

And then I analyze that file and I check for length of the packet.

If incoming packet length is more than 600 then I manually block IP.

0.007450 → UDP 240 27015 → 54491 Len=991

But it takes too long to do this manually. :/

Is it possible to get those IPs using shell script or something so I can block that IP.