[cod] Problem with UDP flood

John lists.cod at nuclearfallout.net
Fri Apr 13 15:00:07 EDT 2012


If you're running the iptables rules on the machine with the servers, 
you will still see inbound traffic from the requests. The advantage to 
the rules is that they'll prevent that traffic from reaching the 
application layer and being processed by your servers.

You can see the hit count for the iptables rules to make sure that 
they're working with this command (look for increasing numbers next to 
statements with the "DROP" action):

iptables -nv --list

-John

On 4/13/2012 11:09 AM, Andrej Parovel wrote:
> Hello,
>
> I have followed your directions about UDP flood for Call of Duty 
> servers and installed a blocking iptables script (you can check it 
> below) but I am still receiving a lot of UDP traffic on my server.
> Before, I had a lot of outgoing traffic; now I am having a lot of 
> incoming traffic. Any help?
>
> Date-from          Date-to            GBBytes-IN   GBBytes-OUT   GBBytes-TOTAL
> 01.01.2012 00:00   01.02.2012 00:00   1.181        4.672         5.853
> 01.02.2012 00:00   01.03.2012 00:00   *1.688*      110           1.797
> 01.03.2012 00:00   01.04.2012 00:00   *2.551*      112           2.663
> 01.04.2012 00:00   01.05.2012 00:00   *4.763*      38            4.801
>
> UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28987 on eth0
> UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28987 on eth0
> UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28975 on eth0
> UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28973 on eth0
> UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28977 on eth0
> UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28977 on eth0
> UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28973 on eth0
> UDP (46 bytes) from 50.23.201.54:28690 to 91.185.199.169:28987 on eth0
>
>
> Here is my iptables script:
>
> /sbin/iptables -A OUTPUT -p UDP -m length --length 1162:1168 -j DROP
> /sbin/iptables -A FORWARD -p UDP -m length --length 1162:1168 -j DROP
> /sbin/iptables -A INPUT -p UDP -m length --length 1162:1168 -j DROP
> /sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
> /sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>
> # add a host to the banlist and then drop the packet.
> iptables -N QUERY-BLOCK
> iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP
>
> # is this a query packet? if so, block commonly attacked ports outright,
> # then see if it's a known attacking IP, then see if it is sending at a high
> # rate and should be added to the list of known attacking IPs.
> iptables -N QUERY-CHECK
> iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
> iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
> iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
> iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
> iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
> iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
> iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
> # is it already blocked? continue blocking it and update the counter so it
> # gets blocked for at least another 30 seconds.
> iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
> # check to see if it exceeds our rate threshold,
> # and add it to the list if it does.
> iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 4/second -j QUERY-BLOCK
>
> # look at all the packets going to q3/cod*/et/etc servers
> iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
>
> -- 
> Andrej
>
> +386 31 247 707
> aparovel at gmail.com
>
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod

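John's advice to watch the numbers next to DROP rules can be turned into a repeatable check. The Python below is an added example, not code from this thread, that parses two snapshots of "iptables -nv --list" output and reports which DROP rules actually matched packets in between and which stayed at zero. The two listings embedded in it are constructed samples modelled on the posted ruleset, not real output from Andrej's server; the chain names, counters and column text are assumptions.

```python
import re

# Counter suffixes as printed by 'iptables -nv' (values are rounded; use -x
# to get exact counts).
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
# Protocol names that can appear in the 'prot' column; used to spot rules
# whose target column is empty (rules without -j, e.g. '-m recent --set').
PROTOS = {"all", "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp"}

# Constructed "before" snapshot (not real output from the list member's host).
BEFORE = """\
Chain INPUT (policy ACCEPT 9150 packets, 688K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 1162:1168
  310 13020            udp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 42 recent: SET name: getstatus_cod side: source
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match "getstatus" ALGO name bm TO 65535 recent: UPDATE seconds: 1 hit_count: 20 name: getstatus_cod side: source
 4100  188K QUERY-CHECK  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:27960:29000

Chain QUERY-CHECK (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3900  179K RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match !"getstatus" ALGO name bm FROM 32 TO 41
   12   552 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:0:1025
"""

# Constructed "after" snapshot taken some seconds later.
AFTER = """\
Chain INPUT (policy ACCEPT 21400 packets, 1612K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 1162:1168
  950 39900            udp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 42 recent: SET name: getstatus_cod side: source
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match "getstatus" ALGO name bm TO 65535 recent: UPDATE seconds: 1 hit_count: 20 name: getstatus_cod side: source
 9800  451K QUERY-CHECK  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:27960:29000

Chain QUERY-CHECK (1 references)
 pkts bytes target     prot opt in     out     source               destination
 9300  428K RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match !"getstatus" ALGO name bm FROM 32 TO 41
   96  4416 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:0:1025
"""


def parse_counter(text):
    """Turn a counter such as '4148K' into an int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError("bad counter: %r" % text)
    return int(m.group(1)) * SUFFIX.get(m.group(2), 1)


def parse_listing(text):
    """Parse 'iptables -nv --list' output into {(chain, rule_no): rule}."""
    rules, chain, idx = {}, None, 0
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain, idx = line.split()[1], 0
            continue
        tokens = line.split()
        if not tokens or tokens[0] == "pkts":
            continue  # blank line or column header
        pkts, nbytes, rest = tokens[0], tokens[1], tokens[2:]
        # An empty target column means the third token is already the protocol.
        if rest[0] in PROTOS or rest[0].isdigit():
            target = ""
        else:
            target, rest = rest[0], rest[1:]
        idx += 1
        # rest is now: prot opt in out source destination <match text...>
        rules[(chain, idx)] = {
            "target": target,
            "pkts": parse_counter(pkts),
            "bytes": parse_counter(nbytes),
            "match": " ".join(rest[6:]),
        }
    return rules


def drop_rule_activity(before, after):
    """(chain, rule_no, match, packets gained) for every DROP rule in AFTER."""
    out = []
    for key, rule in after.items():
        if rule["target"] != "DROP":
            continue
        prev = before.get(key, {"pkts": 0})["pkts"]
        out.append((key[0], key[1], rule["match"], rule["pkts"] - prev))
    return out


def report(before_text, after_text):
    """Split DROP rules into those that matched something and those that sat idle."""
    activity = drop_rule_activity(parse_listing(before_text), parse_listing(after_text))
    return {"active": [r for r in activity if r[3] > 0],
            "silent": [r for r in activity if r[3] == 0]}


if __name__ == "__main__":
    for kind, rows in report(BEFORE, AFTER).items():
        for chain, no, match, delta in rows:
            print("%-6s %s rule %d (+%d pkts): %s" % (kind, chain, no, delta, match))
```

On a real host, capture the two snapshots with "iptables -nvx --list" a few seconds apart and pass their contents to report(); a DROP rule that shows up under "silent" while the flood is running is installed but not matching, which is the first thing to check before blaming the rules themselves.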