[cod] Query limiting...

Marco Padovan evcz at evcz.tk
Sun Oct 30 06:24:15 EDT 2011


As discussed in a previous email on this list I think you have many
possibilities:

- a linux/bsd gateway and do the filtering there
or
- run linux on the bare metal machines filtering the incoming traffic
with iptables and put windows within a virtual machine
or
- deploy specific high end hardware firewalls and filter the attacks
directly on the network gears regardless of the operating systems

good luck on windows

On 30/10/2011 02:24, Brandon R. Miller wrote:
> Best way to block these attacks on Windows?
>
> - Brandon M.
>
> On 10/27/2011 7:02 AM, Marco Padovan wrote:
>> Enemy Territory suffers (and has suffered in the past) from the exact
>> same attack... I was having ET servers targeted with 1k pps alone....
>> cod2 was abused in the past too... they just started hitting again
>> recently... it's nothing exceptionally new :(
>>
>> I think that for our own safety we should filter all the attacks at
>> network level... as even if cod2 was patched they would move to cod2
>> 1.0, then cod1 then et... it's like a never ending story :)
>> (We are not only reflectors but one day we all could also become
>> targets... and maybe our own servers could be taking part in the
>> attack against themselves)
>>
>> We all (as server admins) could even consider setting up
>> something like dshield for those who cannot dynamically filter the
>> incoming reflection requests...
>>
>> Our goal shouldn't be just to avoid overloading our server
>> instances with unwanted query requests but also to protect ourselves.
>>
>> I do not know what the current tech situation in the gameserver
>> market is, but in the past I heard of many people running linux boxes
>> with the iptables modules blacklisted "because it lowers performance".
>> Is this still the case? :|
>>
>> Additionally: can people with AS like you (i3d) or mpuk or other big
>> players track down these spoof sources?
>>
>> by the way:
>> currently spoofed ip targeting cod2:
>> 184.154.231.14 (port 80) - attack detected at 13:50 CET
>> spoofed packet TTL is 116
>> pps decently high...
>>
>> On 27/10/2011 13:29, i3D.net - Stefan Ideler wrote:
>>> Hi,
>>>
>>> I'm seeing the same, where cod2 servers are now being abused for
>>> this purpose.
>>> As such a patch, even if untested/very much beta, would be greatly
>>> appreciated.
>>>
>>> Best regards,
>>>
>>> Stefan Ideler
>>>
>>>     ------------------------------------------------------------------------
>>>     *From:* Luca Farflame Fabbro [mailto:farflame at cybergames.it]
>>>     *To:* Call of Duty server admin list. [mailto:cod at icculus.org]
>>>     *Sent:* Tue, 25 Oct 2011 12:43:36 +0200
>>>     *Subject:* Re: [cod] Query limiting...
>>>
>>>     Hi Ryan
>>>     in one of your previous messages you mentioned that this patch
>>>     can be "ported" also to the other COD servers. Is there any plan
>>>     to do this?
>>>     Now it seems that even if the servers are fewer in number they
>>>     target the COD2 servers to do the DDOS attacks. I don't have any
>>>     COD servers running so I don't know if those are also used as
>>>     reflectors.
>>>
>>>     Just one simple question regarding the patch for the COD4 server.
>>>     If you leave the server up'n running for a certain period of
>>>     time (no restart for 3 weeks let's say) it seems that when the
>>>     sv_queryIgnoreMegs limit is reached (our servers don't have a lot
>>>     of players) the server starts to reply to the queries with the
>>>     spoofed IPs. A restart of the server solves the problem.
>>>     I know that it would be better to restart the server before that
>>>     time but would it be a possible solution to flush the stored bad
>>>     IPs and restart the check on the new incoming packets when the
>>>     predefined memory is full or just before this happens (% or
>>>     minimum sv-ignore free memory)? Usually the attackers use the
>>>     server as a reflector only for a certain amount of time (from 1
>>>     hour or less to a maximum of 2 - 3 days), then a lot of time will
>>>     pass before the same IP is used as destination of the DDOS
>>>     attack.
>>>
>>>     Regards
>>>     Luca
>>>
>>>     _______________________________________________
>>>     cod mailing list
>>>     cod at icculus.org <mailto:cod at icculus.org>
>>>     http://icculus.org/mailman/listinfo/cod
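The failure mode Luca describes in the quoted message (the ignore table fills up and the server goes back to answering queries for spoofed addresses) is what a bounded limiter has to avoid. The following is an added example, not code from the CoD patch or from anyone on this thread: a fixed-size per-source query limiter that evicts the least recently seen entry when full instead of failing open. The slot count, window length and per-window limit are constructed values, chosen small so the eviction path is exercised.

```c
#include <stdint.h>

/* Added example, not the CoD server patch: a fixed-size per-source query
 * limiter. When the table is full it reuses the least recently seen slot,
 * so running out of room never means "stop filtering". */
#define SLOTS          4   /* constructed: tiny so eviction is exercised */
#define WINDOW_SECS    2   /* constructed: counting window length        */
#define MAX_PER_WINDOW 3   /* constructed: replies per source per window */

typedef struct {
    uint32_t ip;        /* source address; 0 marks an unused slot */
    uint32_t win_start; /* start of the current counting window   */
    uint32_t count;     /* replies already sent in this window    */
    uint32_t last_seen; /* for least-recently-seen eviction       */
} slot_t;

static slot_t table[SLOTS];

/* Returns 1 if a getstatus-style query from ip at time now (seconds) should
 * be answered, 0 if it should be dropped. Never fails open on a full table. */
int query_allowed(uint32_t ip, uint32_t now)
{
    int i, victim = 0;
    for (i = 0; i < SLOTS; i++) {
        if (table[i].ip == ip) {
            if (now - table[i].win_start >= WINDOW_SECS) {
                table[i].win_start = now;   /* new window: reset counter */
                table[i].count = 0;
            }
            table[i].last_seen = now;       /* a busy source keeps its slot */
            if (table[i].count >= MAX_PER_WINDOW)
                return 0;
            table[i].count++;
            return 1;
        }
        if (table[i].last_seen < table[victim].last_seen)
            victim = i;                     /* unused slots (last_seen 0) win */
    }
    /* Unknown source: take a free slot or evict the stalest one. A limiter
     * that simply stopped tracking here would answer every new source. */
    table[victim].ip = ip;
    table[victim].win_start = now;
    table[victim].count = 1;
    table[victim].last_seen = now;
    return 1;
}
```

A source that keeps querying keeps its slot, so the address being reflected onto stays limited while quiet legitimate sources are the ones recycled.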