[cod] Query limiting...

Marco Padovan evcz at evcz.tk
Tue Oct 25 10:39:24 EDT 2011 

Ouch :-\
Once targeted I think there's nothing to do except to increase the uplink
speed :-(

Unlucky in case of cod4 servers certain times even 1gbit links weren't
enough... I think only 10ge can handle it based on the number of cod4
servers online :-(
At that point one would need some hardcore hardware firewall to filter them
out unless you just drop any udp packet bigger then 600bytes :-(

Only viable solution might be the usual one: nullroute :-/

(As targets I generally see garry's mods servers, what kind of services are
you currently being targeted? )
Il giorno 25/ott/2011 16:28, "NewLight Systems" <nls at newlightsystems.com> ha
scritto:

>  Hi,
>
> the second one, we are being target of attacks. I have seen COD2 and ET
> ports attacked.
>
> The problem is that there are UDP attacks, so the perform is not affected
> but servers are connected to 100 MBPS and attacks are distributed, so more
> than 90 MBPS inbound traffic is affecting the network performance of that
> concrete machine
>
> El 25/10/11 16:18, Marco Padovan escribió:
>
> Are you talking about being exploited as reflector or as being target of
> the attacks?
>
> If it's the first case one of our mostly exploited machines is being
> targeted with something like 10k pps: after filtering _ALL_ the malicious
> traffic the machine performance is not affected... we have seen way higher
> PPS rates against cod4 in the past...
> What PPS rate are you getting? What are the machine specs?
> Is it being affected due to the iptables rules or are malicious packets
> still leaking and reaching the gameservers ports?
>
> Il 25/10/2011 15:49, NewLight Systems ha scritto:
>
> Same problems here, the problem is that even with iptables the incoming
> traffic is affecting the machine
>
> El 25/10/11 12:47, Marco Padovan escribió:
>
> I can confirm that since the day before yesterday I started to receive
> alerts from the firewall about cod2 attacks too.
>
> In the past (up to 3months ago) enemy territory was another heavily
> targeted game.
>
> Il 25/10/2011 12:43, Luca Farflame Fabbro ha scritto:
>
> Hi Ryan
> 	in one of your previous messages you mentioned that this patch can be "ported" also to the other COD servers. Is there any plan to do this?
> Now it seems that even if the server are less in number they target the COD2 servers to do the DDOS attacks. Don't have any COD server running so I don't know if also those are used as reflectors.
>
> Just one simple question  regarding the patch fort the COD4 server.
> If you leave the server up'n running for a certain period of time (no restart for 3 weeks let's say) it seems that when the
> sv_queryIgnoreMegs
> limit is reached (our servers don't have a lot of players) the server starts to reply to the query with the spoofed IP's. A restart of the server solves the problem.
> I know that it will be better to restart the server before that time but would it be a possible solution to flush the stored bad IP's and restart the check on the new incoming packets when the predefined memory is full or just before this happens (% or minimum sv-ignore free memory)? Usually the attackers use the server as a reflector only for a certain amount of time (form 1 hour or less to a maximum of 2 - 3 days) then a lot of time will pass before having the same IP used as destination of the DDOS attack.
>
> Regards
> 	Luca
>
> _______________________________________________
> cod mailing listcod at icculus.orghttp://icculus.org/mailman/listinfo/cod
>
>
>
> _______________________________________________
> cod mailing listcod at icculus.orghttp://icculus.org/mailman/listinfo/cod
>
>
> --
>
>
>  *David Aguilar Valero*
>
> Dpto. Comercial y Soporte técnico
>
> NewLight Systems
>
> *Servidores de juegos, HW, Dedicados*
>
>
>  *crk01 at nls.es* <c>
>
> crk01 at newlightsystems.com
>
> tecnico at newlightsystems.com
>
> #NewLight_Systems @ irc-hispano.org
>
> *www.newlightsystems.com* <http://www.newlightsystems.com/>
>
> *www.nls.es* <http://www.nls.es/>
>
> This email and any files or attachments transmitted with it are intended
> solely for the use of the intended recipient. This email is confidential and
> may contain legally privileged information. If you are not the intended
> recipient you should not read, disseminate, distribute, or copy this email.
> If you have received this email in error, please notify the sender
> immediately and delete it from your system.
>
>
> _______________________________________________
> cod mailing listcod at icculus.orghttp://icculus.org/mailman/listinfo/cod
>
>
>
> _______________________________________________
> cod mailing listcod at icculus.orghttp://icculus.org/mailman/listinfo/cod
>
>
> --
>
>
>  *David Aguilar Valero*
>
> Dpto. Comercial y Soporte técnico
>
> NewLight Systems
>
> *Servidores de juegos, HW, Dedicados*
>
>
>  *crk01 at nls.es* <c>
>
> crk01 at newlightsystems.com
>
> tecnico at newlightsystems.com
>
> #NewLight_Systems @ irc-hispano.org
>
> *www.newlightsystems.com* <http://www.newlightsystems.com/>
>
> *www.nls.es* <http://www.nls.es/>
>
> This email and any files or attachments transmitted with it are intended
> solely for the use of the intended recipient. This email is confidential and
> may contain legally privileged information. If you are not the intended
> recipient you should not read, disseminate, distribute, or copy this email.
> If you have received this email in error, please notify the sender
> immediately and delete it from your system.
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://icculus.org/pipermail/cod/attachments/20111025/3f048bab/attachment.htm>

More information about the cod mailing list