[cod] Query limiting...

Marco Padovan evcz at evcz.tk
Thu Oct 27 08:02:14 EDT 2011


Enemy Territory suffers (and has suffered in the past) from the exact same
attack... I was having et servers targeted with 1k pps alone....
cod2 was abused in the past too... they just started hitting again
recently... it's nothing exceptionally new :(

I think that for our own safety we should filter all the attacks at
network level... as even if cod2 was patched they would move to cod2
1.0, then cod1 then et... it's like a never ending story :)
(We are not only reflectors but one day we all could also become
targets... and maybe our own servers could be taking part in the attack
against themselves)

We all (as server admins) could even consider setting up something
like dshield for those who cannot dynamically filter the incoming
reflection requests...

Our goal shouldn't be just to avoid overloading our server instances
with unwanted query requests but also to protect ourselves.

I do not know what the current tech situation is in the gameserver
market, but in the past I heard of many people running Linux boxes with the
iptables modules blacklisted "because it lowers performance".
Is this still the case? :|

Additionally: can people with AS like you (i3d) or mpuk or other big
players track down these spoof sources?

by the way:
currently spoofed ip targeting cod2:
184.154.231.14 (port 80) - attack detected at 13:50 CET
spoofed packet TTL is 116
pps decently high...

On 27/10/2011 13:29, i3D.net - Stefan Ideler wrote:
> Hi,
>
> I'm seeing the same, where cod2 servers are now being abused for this
> purpose.
> As such, a patch, even if untested/very much beta, would be greatly
> appreciated.
>
> Best regards,
>
> Stefan Ideler
>
>     ------------------------------------------------------------------------
>     *From:* Luca Farflame Fabbro [mailto:farflame at cybergames.it]
>     *To:* Call of Duty server admin list. [mailto:cod at icculus.org]
>     *Sent:* Tue, 25 Oct 2011 12:43:36 +0200
>     *Subject:* Re: [cod] Query limiting...
>
>     Hi Ryan
>     in one of your previous messages you mentioned that this patch can
>     be "ported" also to the other COD servers. Is there any plan to do
>     this?
>     Now it seems that even if the servers are fewer in number they
>     target the COD2 servers to do the DDOS attacks. Don't have any COD
>     server running so I don't know if also those are used as reflectors.
>
>     Just one simple question regarding the patch for the COD4 server.
>     If you leave the server up'n running for a certain period of time
>     (no restart for 3 weeks let's say) it seems that when the
>     sv_queryIgnoreMegs
>     limit is reached (our servers don't have a lot of players) the
>     server starts to reply to the query with the spoofed IP's. A
>     restart of the server solves the problem.
>     I know that it will be better to restart the server before that
>     time but would it be a possible solution to flush the stored bad
>     IP's and restart the check on the new incoming packets when the
>     predefined memory is full or just before this happens (% or
>     minimum sv-ignore free memory)? Usually the attackers use the
>     server as a reflector only for a certain amount of time (from 1
>     hour or less to a maximum of 2 - 3 days) then a lot of time will
>     pass before having the same IP used as destination of the DDOS
>     attack.
>
>     Regards
>     Luca
>
>     _______________________________________________
>     cod mailing list
>     cod at icculus.org <mailto:cod at icculus.org>
>     http://icculus.org/mailman/listinfo/cod
>
>
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
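
One way to implement the recycling Luca asks about in the quoted message, so that a full ignore table never ends up answering spoofed sources until a restart. This is an added example, not part of the original thread and not the CoD4 patch; `query_allowed`, the table size and the limits are assumptions, and the sample address in `main` is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* All names and limits are assumptions for illustration, not patch values. */
#define SLOTS       256   /* fixed memory budget: one slot per tracked source */
#define WINDOW_SEC  10    /* length of a counting window, in seconds */
#define MAX_QUERIES 5     /* queries answered per source per window */

typedef struct {
    uint32_t ip;      /* source address (IPv4, host byte order) */
    uint32_t start;   /* time the current window opened */
    uint16_t count;   /* queries answered in this window */
    uint8_t  used;
} Slot;

static Slot table[SLOTS];

/* Returns 1 if a query from `ip` at time `now` (seconds) should be
   answered, 0 if it should be dropped silently. */
int query_allowed(uint32_t ip, uint32_t now)
{
    Slot *reuse = 0;
    for (int i = 0; i < SLOTS; i++) {
        Slot *s = &table[i];
        /* unsigned subtraction stays correct if the clock wraps */
        int expired = s->used && (uint32_t)(now - s->start) >= WINDOW_SEC;
        if (s->used && s->ip == ip) {
            if (expired) { s->start = now; s->count = 0; }
            if (s->count >= MAX_QUERIES) return 0;   /* over the limit */
            s->count++;
            return 1;
        }
        if (!reuse && (!s->used || expired)) reuse = s;
    }
    /* Every slot holds a source still inside its window: fail closed
       rather than answer untracked (possibly spoofed) sources. */
    if (!reuse) return 0;
    /* Free or expired slot: recycle it, so entries left over from an old
       attack never pin the table and no restart is needed. */
    reuse->ip = ip; reuse->start = now; reuse->count = 1; reuse->used = 1;
    return 1;
}

int main(void)
{
    int answered = 0;
    for (int i = 0; i < 1000; i++)   /* constructed burst from 198.51.100.7 */
        answered += query_allowed(0xC6336407u, 100);
    printf("answered %d of 1000 queries\n", answered);
    return 0;
}
```
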