[cod] Query limiting...

Marco Padovan evcz at evcz.tk
Thu Oct 13 10:17:11 EDT 2011


Tried it in production: too many issues with the default settings...
HLSW was appearing constatly red :(

Can the cvars like sv_queryIgnoreMegs be changed on runtime via rcon or
server.cfg?

Is there a way to set a whitelist?

We are running some bots that manage the servers and do cleanup things
when they are left empty... with this patch enabled servers we
constantly appearing offline (forced restart!) or without users
(automatic restart, logs cleanup and so on)... this was causing a lot of
problems...

Il 01/08/2011 22:54, Ryan C. Gordon ha scritto:
>
> So we're getting reports of DDoS attacks, where botnets will send
> infostring queries to COD4 dedicated servers as fast as possible with
> spoofed addresses. They send a small UDP packet, and the server
> replies with a larger packet to the faked address. Multiply this by
> however fast you can stuff UDP packets into the server's incoming
> packet buffer per frame, times 7500+ public COD4 servers, and you can
> really bring a victim to its knees with a serious flood of unwanted
> packets.
>
> I've got a patch for COD4 for this, and I need admins to test it
> before I make an official release.
>
>    http://treefort.icculus.org/cod/cod4-lnxsrv-query-limit-test.tar.bz2
>
> You'll need a server updated to 1.7 before applying this, because this
> is only a replacement cod4_lnxded file. The defaults for the new cvars
> are probably fine, but you can tweak them as you like.
>
> If you want to see it in action, find your patched server in the
> in-game server browser, click "Server Info" and keep hitting refresh.
> If you're doing it faster than the limit, you'll see you don't get a
> response right away.
>
> All this info is in README.linux in that tarball, but I'll post it
> here, too:
>
> *******
>
> About query limits:
>
> There is a class of DDoS attack that can utilize COD4 servers to flood
> a third party, by spoofing UDP packets so that the game server sends
> its reply for information to an unsuspecting party, over and over, as
> fast as it can. Unlike most packets sent by the server, this reply
> packet does not require a player with a legitimate connection before
> sending.
>
> This patch sets up some reasonable defaults to limit the rate at which
> the server will send these reply packets to a given IP address. It
> does not throttle legitimate connections in the process.
>
> The gist is this: If someone sends a query packet, we note their IP
> address and ignore any further queries for X seconds. If they send a
> port-unreachable packet (person being spoofed isn't playing the game),
> we ignore their IP address for Y seconds. This will let normal people
> play, it prevents people that don't have a legitimate player
> connection from flooding the server with queries, and it'll stop DDoS
> attacks against third parties.
>
> If millions of computers try to wail on a single server, this patch
> should handle it gracefully (we don't allocate memory when adding IP
> addresses to the ignore list, we use a hashtable so we don't have to
> check millions of IP addresses for every query, and we clean out old
> addresses a little each frame).
>
> People that are connected to the server don't have their packets
> ignored; this only limits server responses to packets that don't need
> a valid player connection (like the infostring, etc). LAN addresses
> are never limited.
>
> Admins can tune it (and turn it off completely) with cvars.
>
> Note that a single IP address using different ports all get lumped
> into the same ignore list entry. This is to make life difficult for
> attackers and keep things efficient on the server. If 16 players are
> all behind the same NAT, they might notice it takes longer for the
> server to respond to each of them individually at the start. They
> should run a LAN server anyhow, but gameplay will still perform
> normally here.
>
> Server admins have 4 cvars to control this:
>
> sv_queryIgnoreDebug: set to 1 to log information about attacks. This
> will write out a lot of logging. Defaults to 0.
>
> sv_queryIgnoreMegs: Number of megabytes we should use to store the
> ignore list. Set to 0 to turn off the ignore list (basically disables
> this patch). 1 megabyte handles about 65000 IP addresses, each
> megabyte after the first adds about 87000 more. 1 is probably fine
> unless you're under serious attack, but maybe a server wants to spare
> 12 megs to block a million IP addresses simultaneously.  :)  Defaults
> to 1.
>
> sv_queryIgnoreTime: Number of milliseconds to ignore an IP address's
> info requests after responding to one of them. Set to 0 to not ignore
> at all. Defaults to 2000 (2 seconds).
>
> sv_queryBounceIgnoreTime: Number of milliseconds to ignore an IP
> address's info requests after a server packet bounced with an ICMP
> Port Unreachable notice. Set to 0 to not ignore at all. Defaults to
> 12000 (2 _minutes_).
>
> *******
>
>
> Please note that I haven't touched this code since 2008, so even
> though the changes are relatively localized, don't blast this out to
> all your servers until you feel it's stable.
>
> Please give me feedback!
>
> Thanks,
> --ryan.
>
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://icculus.org/pipermail/cod/attachments/20111013/38145adb/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 552 bytes
Desc: OpenPGP digital signature
URL: <http://icculus.org/pipermail/cod/attachments/20111013/38145adb/attachment.pgp>


More information about the cod mailing list