[cod] Query limiting...

Geoff Goas gitman at gmail.com
Mon Aug 1 17:48:26 EDT 2011

Ryan, this isn't limited to just COD4 servers, is it?


On Mon, Aug 1, 2011 at 4:54 PM, Ryan C. Gordon <icculus at icculus.org> wrote:

> So we're getting reports of DDoS attacks, where botnets will send
> infostring queries to COD4 dedicated servers as fast as possible with
> spoofed addresses. They send a small UDP packet, and the server replies with
> a larger packet to the faked address. Multiply this by however fast you can
> stuff UDP packets into the server's incoming packet buffer per frame, times
> 7500+ public COD4 servers, and you can really bring a victim to its knees
> with a serious flood of unwanted packets.
> I've got a patch for COD4 for this, and I need admins to test it before I
> make an official release.
>   http://treefort.icculus.org/**cod/cod4-lnxsrv-query-limit-**test.tar.bz2<http://treefort.icculus.org/cod/cod4-lnxsrv-query-limit-test.tar.bz2>
> You'll need a server updated to 1.7 before applying this, because this is
> only a replacement cod4_lnxded file. The defaults for the new cvars are
> probably fine, but you can tweak them as you like.
> If you want to see it in action, find your patched server in the in-game
> server browser, click "Server Info" and keep hitting refresh. If you're
> doing it faster than the limit, you'll see you don't get a response right
> away.
> All this info is in README.linux in that tarball, but I'll post it here,
> too:
> *******
> About query limits:
> There is a class of DDoS attack that can utilize COD4 servers to flood a
> third party, by spoofing UDP packets so that the game server sends its reply
> for information to an unsuspecting party, over and over, as fast as it can.
> Unlike most packets sent by the server, this reply packet does not require a
> player with a legitimate connection before sending.
> This patch sets up some reasonable defaults to limit the rate at which the
> server will send these reply packets to a given IP address. It does not
> throttle legitimate connections in the process.
> The gist is this: If someone sends a query packet, we note their IP address
> and ignore any further queries for X seconds. If they send a
> port-unreachable packet (person being spoofed isn't playing the game), we
> ignore their IP address for Y seconds. This will let normal people play, it
> prevents people that don't have a legitimate player connection from flooding
> the server with queries, and it'll stop DDoS attacks against third parties.
> If millions of computers try to wail on a single server, this patch should
> handle it gracefully (we don't allocate memory when adding IP addresses to
> the ignore list, we use a hashtable so we don't have to check millions of IP
> addresses for every query, and we clean out old addresses a little each
> frame).
> People that are connected to the server don't have their packets ignored;
> this only limits server responses to packets that don't need a valid player
> connection (like the infostring, etc). LAN addresses are never limited.
> Admins can tune it (and turn it off completely) with cvars.
> Note that a single IP address using different ports all get lumped into the
> same ignore list entry. This is to make life difficult for attackers and
> keep things efficient on the server. If 16 players are all behind the same
> NAT, they might notice it takes longer for the server to respond to each of
> them individually at the start. They should run a LAN server anyhow, but
> gameplay will still perform normally here.
> Server admins have 4 cvars to control this:
> sv_queryIgnoreDebug: set to 1 to log information about attacks. This will
> write out a lot of logging. Defaults to 0.
> sv_queryIgnoreMegs: Number of megabytes we should use to store the ignore
> list. Set to 0 to turn off the ignore list (basically disables this patch).
> 1 megabyte handles about 65000 IP addresses, each megabyte after the first
> adds about 87000 more. 1 is probably fine unless you're under serious
> attack, but maybe a server wants to spare 12 megs to block a million IP
> addresses simultaneously.  :)  Defaults to 1.
> sv_queryIgnoreTime: Number of milliseconds to ignore an IP address's info
> requests after responding to one of them. Set to 0 to not ignore at all.
> Defaults to 2000 (2 seconds).
> sv_queryBounceIgnoreTime: Number of milliseconds to ignore an IP address's
> info requests after a server packet bounced with an ICMP Port Unreachable
> notice. Set to 0 to not ignore at all. Defaults to 12000 (2 _minutes_).
> *******
> Please note that I haven't touched this code since 2008, so even though the
> changes are relatively localized, don't blast this out to all your servers
> until you feel it's stable.
> Please give me feedback!
> Thanks,
> --ryan.
> ______________________________**_________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/**listinfo/cod<http://icculus.org/mailman/listinfo/cod>

*Geoff Goas
Systems Engineer*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://icculus.org/pipermail/cod/attachments/20110801/d5e07a63/attachment.htm>

More information about the cod mailing list