[cod] Query limiting...

escapedturkey escapedturkey at escapedturkey.com
Mon Oct 31 12:36:04 EDT 2011


Would the new unofficial COD 4 patch start to affect hlsw queries? A client
says it shows lag spikes but when he is in the server it's smooth and zero
lag. Any connection?

On Sun, Oct 30, 2011 at 6:24 AM, Marco Padovan <evcz at evcz.tk> wrote:

>  As discussed in a previous email on this list I think you have many
> possibilities:
>
> - a linux/bsd gateway and do the filtering there
> or
> - run linux on the bare metal machines filtering the incoming traffic with
> iptables and put windows within a virtual machine
> or
> - deploy specific high end hardware firewalls and filter the attacks
> directly on the network gears regardless of the operating systems
>
> good luck on windows
>
> On 30/10/2011 02:24, Brandon R. Miller wrote:
>
> Best way to block these attacks on Windows?
>
>  - Brandon M.
>
> On 10/27/2011 7:02 AM, Marco Padovan wrote:
>
> Enemy Territory suffers (and has suffered in the past) from the exact same
> attack... I was having ET servers targeted with 1k pps alone....
> cod2 was abused in the past too... they just started hitting again
> recently... it's nothing exceptionally new :(
>
> I think that for our own safety we should filter all the attacks at
> network level... as even if cod2 was patched they would move to cod2 1.0,
> then cod1 then et... it's like a never ending story :)
> (We are not only reflectors but one day we all could also become
> targets... and maybe our own servers could be taking part in the attack
> against themselves)
>
> We all (as server admins) could even consider setting up something
> like dshield for those who cannot dynamically filter the incoming
> reflection requests...
>
> Our goal shouldn't be just to not avoid overloading our server instances
> with unwanted query requests but also to protect ourselves.
>
> I do not know what the current tech situation is in the gameserver
> market but in the past I heard of many people running Linux boxes with the
> iptables modules blacklisted "because it lowers performance"
> Is this still the case? :|
>
> Additionally: can people with AS like you (i3d) or mpuk or other big
> players track down these spoof sources?
>
> by the way:
> currently spoofed ip targeting cod2:
> 184.154.231.14 (port 80) - attack detected at 13:50 CET
> spoofed packet TTL is 116
> pps decently high...
>
> On 27/10/2011 13:29, i3D.net - Stefan Ideler wrote:
>
> Hi,
>
> I'm seeing the same, where cod2 servers are now being abused for this
> purpose.
> As such, a patch, even if untested/very much beta, would be greatly
> appreciated.
>
> Best regards,
>
> Stefan Ideler
>
>  ------------------------------
> *From:* Luca Farflame Fabbro [mailto:farflame at cybergames.it]
> *To:* Call of Duty server admin list. [mailto:cod at icculus.org]
> *Sent:* Tue, 25 Oct 2011 12:43:36 +0200
> *Subject:* Re: [cod] Query limiting...
>
> Hi Ryan
> in one of your previous messages you mentioned that this patch can be
> "ported" also to the other COD servers. Is there any plan to do this?
> Now it seems that even if the servers are fewer in number they target the
> COD2 servers to do the DDOS attacks. Don't have any COD server running so I
> don't know if also those are used as reflectors.
>
> Just one simple question regarding the patch for the COD4 server.
> If you leave the server up'n running for a certain period of time (no
> restart for 3 weeks let's say) it seems that when the sv_queryIgnoreMegs
> limit is reached (our servers don't have a lot of players) the server
> starts to reply to the query with the spoofed IPs. A restart of the server
> solves the problem.
> I know that it will be better to restart the server before that time but
> would it be a possible solution to flush the stored bad IPs and restart
> the check on the new incoming packets when the predefined memory is full or
> just before this happens (% or minimum sv-ignore free memory)? Usually the
> attackers use the server as a reflector only for a certain amount of time
> (from 1 hour or less to a maximum of 2 - 3 days) then a lot of time will
> pass before having the same IP used as destination of the DDOS attack.
>
> Regards
> Luca
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod


-- 
EscapedTurkey.com Billing and Support
https://www.escapedturkey.com/helpdesk
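
Added example, not part of the original thread and not the COD4 patch's code: the question quoted above about what should happen once the sv_queryIgnoreMegs limit is reached comes down to how a fixed-size per-source table behaves when it is full. This C example reuses stale or least-recently-seen entries so that a source still being flooded stays limited; every name, size and threshold in it is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All names and constants below are assumptions made for this example. */
#define SLOTS      4     /* tiny on purpose; stands in for the memory cap */
#define WINDOW_SEC 10    /* length of one counting window */
#define MAX_QUERY  3     /* status replies allowed per source per window */
#define IDLE_SEC   3600  /* an entry unseen for this long is stale */

typedef struct { uint32_t ip, win_start, last_seen; int count, used; } slot_t;
static slot_t table[SLOTS];

void limiter_reset(void) { memset(table, 0, sizeof table); }

/* Return the slot tracking ip. If there is none, reuse a free or stale slot;
 * if the table is full of live entries, evict the least recently seen one. */
static slot_t *slot_for(uint32_t ip, uint32_t now) {
    slot_t *victim = &table[0];
    for (int i = 0; i < SLOTS; i++)
        if (table[i].used && table[i].ip == ip) return &table[i];
    for (int i = 0; i < SLOTS; i++) {
        slot_t *s = &table[i];
        if (!s->used || now - s->last_seen >= IDLE_SEC) { victim = s; break; }
        if (s->last_seen < victim->last_seen) victim = s;
    }
    memset(victim, 0, sizeof *victim);
    victim->ip = ip; victim->used = 1; victim->win_start = now;
    return victim;
}

/* 1 = answer the query, 0 = drop it silently (no reply to reflect). */
int allow_query(uint32_t ip, uint32_t now) {
    slot_t *s = slot_for(ip, now);
    s->last_seen = now;
    if (now - s->win_start >= WINDOW_SEC) { s->win_start = now; s->count = 0; }
    if (s->count >= MAX_QUERY) return 0;
    s->count++;
    return 1;
}

int main(void) {
    limiter_reset();
    for (int i = 0; i < 5; i++)   /* constructed input: 10.0.0.1 floods at t=0 */
        printf("query %d: %s\n", i + 1,
               allow_query(0x0A000001u, 0) ? "answer" : "drop");
    return 0;
}
```

Because a source under active attack is always the most recently seen entry, filling the table with other addresses pushes out idle entries first and never resets the counter of the address currently being flooded.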