[cod] Query limiting...

Marco Padovan evcz at evcz.tk
Tue Oct 25 11:22:54 EDT 2011


:-(

I work for a gsp too and we had to get gbit pipes on most locations :-(

They say "iptables ... -j mirror" is bad... So the best way to get the
reflector operators' attention is to write to the abuse desk of their
suppliers: some are sensitive to the matter...

They either need to filter the incoming spoofed packets or force the
reflectors to stop "attacking"...
On 25/Oct/2011 16:50, "NewLight Systems" <nls at newlightsystems.com> wrote:

>  Yes this is a big trouble.
>
> Upgrading network speed isn't a solution, due to the fact that this is a very
> expensive solution for gameserver machines. We don't need more than 100
> MBPS.
>
> The only solution, as you mention, is a nullroute in front of our router, so
> packets won't get to the router and no services are affected.
>
> Hardware firewall is Ok but the attack is going anyway to the firewall so,
> line occupied. Damn zombie machines and botnets..
>
> Well we are a game server provider, so we have several different servers.
> Most attacked ones nowadays are COD2, ET and some Cstrike ones
>
> On 25/10/11 16:39, Marco Padovan wrote:
>
> Ouch :-\
> Once targeted I think there's nothing to do except to increase the uplink
> speed :-(
>
> Unluckily, in the case of cod4 servers, at certain times even 1gbit links weren't
> enough... I think only 10ge can handle it based on the number of cod4
> servers online :-(
> At that point one would need some hardcore hardware firewall to filter them
> out unless you just drop any udp packet bigger than 600 bytes :-(
>
> Only viable solution might be the usual one: nullroute :-/
>
> (As targets I generally see Garry's Mod servers, what kind of services are
> you currently being targeted on? )
> On 25/Oct/2011 16:28, "NewLight Systems" <nls at newlightsystems.com> wrote:
>
>>  Hi,
>>
>> the second one, we are being the target of attacks. I have seen COD2 and ET
>> ports attacked.
>>
>> The problem is that there are UDP attacks, so the performance is not affected
>> but servers are connected to 100 MBPS and attacks are distributed, so more
>> than 90 MBPS inbound traffic is affecting the network performance of that
>> concrete machine
>>
>> On 25/10/11 16:18, Marco Padovan wrote:
>>
>> Are you talking about being exploited as reflector or as being target of
>> the attacks?
>>
>> If it's the first case one of our mostly exploited machines is being
>> targeted with something like 10k pps: after filtering _ALL_ the malicious
>> traffic the machine performance is not affected... we have seen way higher
>> PPS rates against cod4 in the past...
>> What PPS rate are you getting? What are the machine specs?
>> Is it being affected due to the iptables rules or are malicious packets
>> still leaking and reaching the gameservers ports?
>>
>> On 25/10/2011 15:49, NewLight Systems wrote:
>>
>> Same problems here, the problem is that even with iptables the incoming
>> traffic is affecting the machine
>>
>> On 25/10/11 12:47, Marco Padovan wrote:
>>
>> I can confirm that since the day before yesterday I started to receive
>> alerts from the firewall about cod2 attacks too.
>>
>> In the past (up to 3 months ago) enemy territory was another heavily
>> targeted game.
>>
>> On 25/10/2011 12:43, Luca Farflame Fabbro wrote:
>>
>> Hi Ryan
>> 	in one of your previous messages you mentioned that this patch can be "ported" also to the other COD servers. Is there any plan to do this?
>> Now it seems that even if the servers are fewer in number they target the COD2 servers to do the DDOS attacks. Don't have any COD server running so I don't know if also those are used as reflectors.
>>
>> Just one simple question regarding the patch for the COD4 server.
>> If you leave the server up'n running for a certain period of time (no restart for 3 weeks let's say) it seems that when the sv_queryIgnoreMegs limit is reached (our servers don't have a lot of players) the server starts to reply to the query with the spoofed IPs. A restart of the server solves the problem.
>> I know that it will be better to restart the server before that time but would it be a possible solution to flush the stored bad IPs and restart the check on the new incoming packets when the predefined memory is full or just before this happens (% or minimum sv-ignore free memory)? Usually the attackers use the server as a reflector only for a certain amount of time (from 1 hour or less to a maximum of 2 - 3 days) then a lot of time will pass before having the same IP used as destination of the DDOS attack.
>>
>> Regards
>> 	Luca
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>>
>> --
>>
>>
>>  *David Aguilar Valero*
>>
>> Sales and Technical Support Dept.
>>
>> NewLight Systems
>>
>> *Game servers, HW, Dedicated*
>>
>>
>>  *crk01 at nls.es*
>>
>> crk01 at newlightsystems.com
>>
>> tecnico at newlightsystems.com
>>
>> #NewLight_Systems @ irc-hispano.org
>>
>> *www.newlightsystems.com* <http://www.newlightsystems.com/>
>>
>> *www.nls.es* <http://www.nls.es/>
>>
>> This email and any files or attachments transmitted with it are intended
>> solely for the use of the intended recipient. This email is confidential and
>> may contain legally privileged information. If you are not the intended
>> recipient you should not read, disseminate, distribute, or copy this email.
>> If you have received this email in error, please notify the sender
>> immediately and delete it from your system.
>>
>>
>
>
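
The failure mode Luca describes in the quoted message (the ignore table fills up and the server answers spoofed queries again) can be avoided by expiring old entries on lookup and dropping queries when the table is still full. The C sketch below is an added example, not code from the COD4 patch or from anyone in this thread; `ql_allow`, `QL_SLOTS` and `QL_WINDOW` are hypothetical names, and the 4-slot table and 10-second window are assumed values chosen to keep the demonstration small.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QL_SLOTS  4   /* tiny on purpose; stands in for a fixed memory budget */
#define QL_WINDOW 10  /* assumed: seconds between answered queries per source */

typedef struct { uint32_t ip, last_reply; int used; } ql_slot;
static ql_slot ql_table[QL_SLOTS];

void ql_reset(void) { memset(ql_table, 0, sizeof ql_table); }

/* Return 1 to answer a status query from `ip` at time `now` (seconds), 0 to drop. */
int ql_allow(uint32_t ip, uint32_t now)
{
    ql_slot *free_slot = NULL;
    for (int i = 0; i < QL_SLOTS; i++) {
        ql_slot *s = &ql_table[i];
        /* Expire stale entries on every lookup so old targets free their slot. */
        if (s->used && now - s->last_reply >= QL_WINDOW)
            s->used = 0;
        if (!s->used) {
            if (!free_slot) free_slot = s;
        } else if (s->ip == ip) {
            return 0;               /* this source was answered too recently */
        }
    }
    if (!free_slot)
        return 0;                   /* table full: fail closed, never reply untracked */
    free_slot->ip = ip;
    free_slot->last_reply = now;
    free_slot->used = 1;
    return 1;
}

int main(void)
{
    uint32_t victim = 0xC0000201;   /* 192.0.2.1, constructed sample address */
    ql_reset();
    int a = ql_allow(victim, 100), b = ql_allow(victim, 101), c = ql_allow(victim, 110);
    printf("%d %d %d\n", a, b, c);
    return 0;
}
```

Dropped queries do not refresh the timestamp, so a spoofed source receives at most one reply per window regardless of the incoming packet rate, and the table never needs a server restart to recover.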