[cod] Query limiting...

NewLight Systems nls at newlightsystems.com
Tue Oct 25 10:50:48 EDT 2011


Yes this is a big trouble.

Upgrading network speed isn't a solution, due to the fact that this is a very
expensive solution for gameserver machines. We don't need more than
100 MBPS.

The only solution, as you mention, is a nullroute in front of our router,
so packets won't get to the router and no services are affected.

Hardware firewall is OK but the attack is going to the firewall anyway,
so the line is occupied. Damn zombie machines and botnets..

Well we are a game server provider, so we have several different
servers. Most attacked ones nowadays are COD2, ET and some Cstrike ones

On 25/10/11 16:39, Marco Padovan wrote:
>
> Ouch :-\
> Once targeted I think there's nothing to do except to increase the
> uplink speed :-(
>
> Unluckily, in the case of cod4 servers, at certain times even 1gbit links weren't
> enough... I think only 10ge can handle it based on the number of cod4
> servers online :-(
> At that point one would need some hardcore hardware firewall to filter
> them out unless you just drop any udp packet bigger than 600 bytes :-(
>
> Only viable solution might be the usual one: nullroute :-/
>
> (As targets I generally see garry's mods servers, what kind of
> services are you currently being targeted? )
>
> On 25/Oct/2011 16:28, "NewLight Systems"
> <nls at newlightsystems.com> wrote:
>
>     Hi,
>
>     the second one, we are the target of attacks. I have seen COD2
>     and ET ports attacked.
>
>     The problem is that there are UDP attacks, so the performance is not
>     affected but servers are connected to 100 MBPS and attacks are
>     distributed, so more than 90 MBPS inbound traffic is affecting the
>     network performance of that concrete machine
>
>     On 25/10/11 16:18, Marco Padovan wrote:
>>     Are you talking about being exploited as reflector or as being
>>     target of the attacks?
>>
>>     If it's the first case one of our mostly exploited machines is
>>     being targeted with something like 10k pps: after filtering _ALL_
>>     the malicious traffic the machine performance is not affected...
>>     we have seen way higher PPS rates against cod4 in the past...
>>     What PPS rate are you getting? What are the machine specs?
>>     Is it being affected due to the iptables rules or are malicious
>>     packets still leaking and reaching the gameservers ports?
>>
>>     On 25/10/2011 15:49, NewLight Systems wrote:
>>>     Same problems here, the problem is that even with iptables the
>>>     incoming traffic is affecting the machine
>>>
>>>     On 25/10/11 12:47, Marco Padovan wrote:
>>>>     I can confirm that since the day before yesterday I started to
>>>>     receive alerts from the firewall about cod2 attacks too.
>>>>
>>>>     In the past (up to 3 months ago) enemy territory was another
>>>>     heavily targeted game.
>>>>
>>>>     On 25/10/2011 12:43, Luca Farflame Fabbro wrote:
>>>>>     Hi Ryan
>>>>>     	in one of your previous messages you mentioned that this patch can be "ported" also to the other COD servers. Is there any plan to do this?
>>>>>     Now it seems that even if the servers are fewer in number they target the COD2 servers to do the DDOS attacks. Don't have any COD server running so I don't know if also those are used as reflectors.
>>>>>
>>>>>     Just one simple question regarding the patch for the COD4 server.
>>>>>     If you leave the server up'n running for a certain period of time (no restart for 3 weeks let's say) it seems that when the sv_queryIgnoreMegs limit is reached (our servers don't have a lot of players) the server starts to reply to the query with the spoofed IP's. A restart of the server solves the problem.
>>>>>     I know that it will be better to restart the server before that time but would it be a possible solution to flush the stored bad IP's and restart the check on the new incoming packets when the predefined memory is full or just before this happens (% or minimum sv-ignore free memory)? Usually the attackers use the server as a reflector only for a certain amount of time (from 1 hour or less to a maximum of 2 - 3 days) then a lot of time will pass before having the same IP used as destination of the DDOS attack.
>>>>>
>>>>>     Regards
>>>>>     	Luca
>>>>>
>>>>>     _______________________________________________
>>>>>     cod mailing list
>>>>>     cod at icculus.org <mailto:cod at icculus.org>
>>>>>     http://icculus.org/mailman/listinfo/cod

-- 


*David Aguilar Valero*

Sales and Technical Support Dept.

NewLight Systems

*Game servers, HW, Dedicated*


crk01 at nls.es

crk01 at newlightsystems.com

tecnico at newlightsystems.com

#NewLight_Systems @ irc-hispano.org

www.newlightsystems.com <http://www.newlightsystems.com/>

www.nls.es <http://www.nls.es/>

This email and any files or attachments transmitted with it are intended
solely for the use of the intended recipient. This email is confidential
and may contain legally privileged information. If you are not the
intended recipient you should not read, disseminate, distribute, or copy
this email. If you have received this email in error, please notify the
sender immediately and delete it from your system.
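
Added example, not part of the thread and not the COD4 patch's own code: a sketch of the flush idea Luca raises in the quoted message about sv_queryIgnoreMegs, where a fixed-size table of query sources expires old entries and evicts the oldest when full instead of answering untracked sources. The patch internals are not shown in the thread, so every name and limit here (limiter_allow, SLOTS, WINDOW_SEC, MAX_QUERIES) is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS       4   /* tiny on purpose: stands in for the fixed memory budget */
#define WINDOW_SEC  10  /* an entry is forgotten this long after its first query */
#define MAX_QUERIES 3   /* replies allowed per source within one window */

typedef struct { uint32_t ip, first_seen, count; int used; } slot_t;
typedef struct { slot_t slots[SLOTS]; } limiter_t;

void limiter_init(limiter_t *l) { memset(l, 0, sizeof *l); }

/* Return 1 if a status query from `ip` at time `now` (seconds) may be answered,
 * 0 if it must be dropped silently. */
int limiter_allow(limiter_t *l, uint32_t ip, uint32_t now)
{
    slot_t *free_slot = NULL, *oldest = NULL, *s;
    for (int i = 0; i < SLOTS; i++) {
        s = &l->slots[i];
        if (s->used && now - s->first_seen >= WINDOW_SEC)
            s->used = 0;                      /* expired: reclaim the slot */
        if (!s->used) {
            if (!free_slot) free_slot = s;
            continue;
        }
        if (s->ip == ip)                      /* known source inside its window */
            return s->count >= MAX_QUERIES ? 0 : (s->count++, 1);
        if (!oldest || s->first_seen < oldest->first_seen)
            oldest = s;
    }
    /* Table full and nothing expired: evict the oldest entry instead of
     * answering untracked. The evicted source gets a fresh allowance, but
     * never more than MAX_QUERIES replies per re-entry. */
    s = free_slot ? free_slot : oldest;
    s->ip = ip; s->first_seen = now; s->count = 1; s->used = 1;
    return 1;
}

int main(void)
{
    limiter_t l;
    limiter_init(&l);
    /* Constructed input: one source (placeholder id 1) querying once a second. */
    for (uint32_t t = 0; t < 5; t++)
        printf("t=%u allow=%d\n", (unsigned)t, limiter_allow(&l, 1, t));
    return 0;
}
```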
