[cod] Problem with UDP flood

Andrej Parovel aparovel at gmail.com
Fri Apr 13 14:09:29 EDT 2012


Hello,

I have followed your directions about UDP flood for Call of Duty servers 
and installed a blocking iptables script (you can check it below) but I 
am still receiving a lot of UDP traffic on my server.
Before, I had a lot of outgoing traffic; now I am having a lot of incoming 
traffic. Any help?

Date-from         Date-to           GBBytes-IN  GBBytes-OUT  GBBytes-TOTAL
01.01.2012 00:00  01.02.2012 00:00  1.181       4.672        5.853
01.02.2012 00:00  01.03.2012 00:00  *1.688*     110          1.797
01.03.2012 00:00  01.04.2012 00:00  *2.551*     112          2.663
01.04.2012 00:00  01.05.2012 00:00  *4.763*     38           4.801




UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28987 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28987 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28975 on eth0
UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28973 on eth0
UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28977 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28977 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28973 on eth0
UDP (46 bytes) from 50.23.201.54:28690 to 91.185.199.169:28987 on eth0


Here is my iptables script:

/sbin/iptables -A OUTPUT -p UDP -m length --length 1162:1168 -j DROP
/sbin/iptables -A FORWARD -p UDP -m length --length 1162:1168 -j DROP
/sbin/iptables -A INPUT -p UDP -m length --length 1162:1168 -j DROP
/sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
/sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP

# add a host to the banlist and then drop the packet.
iptables -N QUERY-BLOCK
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP

# is this a query packet? if so, block commonly attacked ports outright,
# then see if it's a known attacking IP, then see if it is sending at a high
# rate and should be added to the list of known attacking IPs.
iptables -N QUERY-CHECK
iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
# is it already blocked? continue blocking it and update the counter so it
# gets blocked for at least another 30 seconds.
iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
# check to see if it exceeds our rate threshold,
# and add it to the list if it does.
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 4/second -j QUERY-BLOCK

# look at all the packets going to q3/cod*/et/etc servers
iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK

-- 
Andrej

+386 31 247 707
aparovel at gmail.com
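As an added example (my code, not part of Andrej's post or the list's iptables script): a parser for log lines in the format quoted above that applies the same per-source test as the script's hashlimit rule (more than 4 packets per second per source IP) and reports how many host/port pairs each source port is reaching. The leading epoch timestamp on each line is an assumption, since the quoted lines carry none.

```python
import re
from collections import defaultdict

# Post's log format, prefixed with an epoch timestamp (assumed; the quoted lines have none).
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) UDP \((?P<size>\d+) bytes\) from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+) on (?P<iface>\S+)$"
)

# Constructed sample: addresses and ports as quoted in the post, timestamps invented.
SAMPLE_LOG = """\
1.0 UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28987 on eth0
1.1 UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28987 on eth0
1.2 UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28973 on eth0
1.4 UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28977 on eth0
1.6 UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28975 on eth0
1.8 UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28987 on eth0
3.0 UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28977 on eth0
3.5 UDP (46 bytes) from 50.23.201.54:28690 to 91.185.199.169:28987 on eth0
"""

def parse(text):
    """Yield (ts, src, sport, dport, size) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m["ts"]), m["src"], int(m["sport"]), int(m["dport"]), int(m["size"])

def rate_offenders(events, above=4, window=1.0):
    """Sources sending more than `above` packets in any `window` seconds (hashlimit srcip, above 4/second)."""
    per_src = defaultdict(list)
    for ts, src, *_ in events:
        per_src[src].append(ts)
    offenders = {}
    for src, stamps in per_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window up to the newest packet
                start += 1
            if end - start + 1 > above:
                offenders[src] = end - start + 1
                break  # the first moment hashlimit would start dropping this source
    return offenders

def source_port_fanout(events):
    """Distinct (source IP, destination port) pairs per source port; one source port fanning out is the pattern to inspect."""
    fan = defaultdict(set)
    for _, src, sport, dport, _ in events:
        fan[sport].add((src, dport))
    return {sport: len(pairs) for sport, pairs in fan.items()}
```

On the sample, only 180.235.128.13 crosses the threshold (five packets inside 0.8 s); the other two sources stay under it even though they share the same source port.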
