[cod] Problem with UDP flood
Andrej Parovel
aparovel at gmail.com
Fri Apr 13 15:44:10 EDT 2012
You can check my iptables hit count below. Is there any option to block this
inbound traffic? Because my ISP is getting angry about that. I will try
to block some IPs manually to decrease the traffic a bit, because I see
that they repeat, but I think they will restart with other sources.
Chain INPUT (policy ACCEPT 10M packets, 776M bytes)
pkts bytes target prot opt in out source destination
85 99018 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 length 1162:1168
9342M 392G udp -- * * 0.0.0.0/0 0.0.0.0/0 length 42 recent: SET name: getstatus_cod side: source
9224M 387G DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "getstatus" ALGO name bm TO 65535 recent: UPDATE seconds: 1 hit_count: 20 name: getstatus_cod side: source
58G 2895G QUERY-CHECK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:27960:29000
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 length 1162:1168
6134 258K udp -- * * 0.0.0.0/0 0.0.0.0/0 length 42 recent: SET name: getstatus_cod side: source
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "getstatus" ALGO name bm TO 65535 recent: UPDATE seconds: 1 hit_count: 20 name: getstatus_cod side: source
10M 772M QUERY-CHECK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:27960:29000

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 length 1162:1168
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 length 1162:1168

Chain OUTPUT (policy ACCEPT 5172K packets, 729M bytes)
pkts bytes target prot opt in out source destination
228K 265M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 length 1162:1168
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 length 1162:1168

Chain QUERY-BLOCK (2 references)
pkts bytes target prot opt in out source destination
36858 1540K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: blocked-hosts side: source
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: blocked-hosts side: source

Chain QUERY-CHECK (2 references)
pkts bytes target prot opt in out source destination
13G 955G RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 STRING match !"getstatus" ALGO name bm FROM 32 TO 41
5973M 257G DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:0:1025
13M 560M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:3074
523K 22M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:7777
8626K 361M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:27015:27100
428K 18M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:25200
2503K 105M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:25565
39G 1682G DROP all -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 30 hit_count: 1 name: blocked-hosts side: source
34723 1449K QUERY-BLOCK all -- * * 0.0.0.0/0 0.0.0.0/0 limit: above 20/sec burst 5 mode srcip
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 STRING match !"getstatus" ALGO name bm FROM 32 TO 41
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:0:1025
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:3074
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:7777
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:27015:27100
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:25200
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:25565
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 30 hit_count: 1 name: blocked-hosts side: source
2135 91496 QUERY-BLOCK all -- * * 0.0.0.0/0 0.0.0.0/0 limit: above 4/sec burst 5 mode srcip
Andrej
+386 31 247 707
aparovel at gmail.com
On 13.4.2012 21:00, John wrote:
> If you're running the iptables rules on the machine with the servers,
> you will still see inbound traffic from the requests. The advantage to
> the rules is that they'll prevent that traffic from reaching the
> application layer and being processed by your servers.
>
> You can see the hit count for the iptables rules to make sure that
> they're working with this command (look for increasing numbers next to
> statements with the "DROP" action):
>
> iptables -nv --list
>
> -John
>
> On 4/13/2012 11:09 AM, Andrej Parovel wrote:
>> Hello,
>>
>> I have followed your directions about UDP flood for Call of Duty
>> servers and installed a blocking iptables script (you can check it
>> below) but I am still receiving a lot of UDP traffic on my server.
>> Before, I had a lot of outgoing traffic; now I am having a lot of
>> incoming traffic. Any help?
>>
>> Date-from         Date-to           GBBytes-IN  GBBytes-OUT  GBBytes-TOTAL
>> 01.01.2012 00:00  01.02.2012 00:00  1.181       4.672        5.853
>> <http://elite:Q7sXw8u5@traffic.probe-networks.de/elite7/82.96.89.3_1.total.2012.01.html>
>> 01.02.2012 00:00  01.03.2012 00:00  *1.688*     110          1.797
>> <http://elite:Q7sXw8u5@traffic.probe-networks.de/elite7/82.96.89.3_1.total.2012.02.html>
>> 01.03.2012 00:00  01.04.2012 00:00  *2.551*     112          2.663
>> <http://elite:Q7sXw8u5@traffic.probe-networks.de/elite7/82.96.89.3_1.total.2012.03.html>
>> 01.04.2012 00:00  01.05.2012 00:00  *4.763*     38           4.801
>> <http://elite:Q7sXw8u5@traffic.probe-networks.de/elite7/82.96.89.3_1.total.2012.04.html>
>>
>> UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28987 on eth0
>> UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28987 on eth0
>> UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28975 on eth0
>> UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28973 on eth0
>> UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28977 on eth0
>> UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28977 on eth0
>> UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28973 on eth0
>> UDP (46 bytes) from 50.23.201.54:28690 to 91.185.199.169:28987 on eth0
>>
>>
>> Here is my iptables script:
>>
>> /sbin/iptables -A OUTPUT -p UDP -m length --length 1162:1168 -j DROP
>> /sbin/iptables -A FORWARD -p UDP -m length --length 1162:1168 -j DROP
>> /sbin/iptables -A INPUT -p UDP -m length --length 1162:1168 -j DROP
>> /sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
>> /sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>>
>> # add a host to the banlist and then drop the packet.
>> iptables -N QUERY-BLOCK
>> iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP
>>
>> # is this a query packet? if so, block commonly attacked ports outright,
>> # then see if it's a known attacking IP, then see if it is sending at a high
>> # rate and should be added to the list of known attacking IPs.
>> iptables -N QUERY-CHECK
>> iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
>> iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
>> iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
>> iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
>> iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
>> iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
>> iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
>> # is it already blocked? continue blocking it and update the counter so it
>> # gets blocked for at least another 30 seconds.
>> iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
>> # check to see if it exceeds our rate threshold,
>> # and add it to the list if it does.
>> iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 4/second -j QUERY-BLOCK
>>
>> # look at all the packets going to q3/cod*/et/etc servers
>> iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
>>
>> --
>> Andrej
>>
>> +386 31 247 707
>> aparovel at gmail.com
>>
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
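John's check above ("look for increasing numbers next to the DROP rules") can be done mechanically. The following is an added example, not code from the thread: it parses two `iptables -nv --list` snapshots, handles the K/M/G counter suffixes and the target-less `recent --set` marker rule, and reports which DROP rules are still accumulating hits. The two snapshots are constructed for the example from the counters Andrej posted.

```python
import re

_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

def parse_count(token):
    """'9342M' -> 9342000000. iptables -nv prints rounded decimal K/M/G/T counters."""
    num, suffix = re.fullmatch(r"(\d+)([KMGT]?)", token).groups()
    return int(num) * _SUFFIX[suffix]

def parse_listing(text):
    """Map (chain, position) -> (pkts, bytes, target, rule text) for one snapshot."""
    rules, chain, pos = {}, None, 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("pkts"):
            continue                                  # blank or column header
        if line.startswith("Chain "):
            chain, pos = line.split()[1], 0
            continue
        pkts, nbytes, rest = line.split(None, 2)
        first = rest.split(None, 1)[0]
        # A rule added without -j has an empty target column: the first token is the protocol.
        target = "" if first in ("all", "udp", "tcp", "icmp") else first
        pos += 1
        rules[(chain, pos)] = (parse_count(pkts), parse_count(nbytes), target, rest)
    return rules

def growing_drops(before, after):
    """(chain, position, packet delta, rule text) for each DROP rule whose counter rose.
    Rules are matched by chain and position, so the ruleset must not change between snapshots."""
    hits = []
    for key, (pkts, _, target, rest) in after.items():
        old = before.get(key)
        if target != "DROP" or old is None or old[3] != rest:
            continue
        if pkts > old[0]:
            hits.append((key[0], key[1], pkts - old[0], rest))
    return hits

# Constructed sample: first snapshot uses counters from the thread, second is the same ruleset later.
BEFORE = """\
Chain INPUT (policy ACCEPT 10M packets, 776M bytes)
 pkts bytes target prot opt in out source destination
9342M 392G udp -- * * 0.0.0.0/0 0.0.0.0/0 length 42 recent: SET name: getstatus_cod side: source
9224M 387G DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "getstatus" ALGO name bm TO 65535
  58G 2895G QUERY-CHECK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:27960:29000
Chain QUERY-BLOCK (2 references)
 pkts bytes target prot opt in out source destination
36858 1540K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: blocked-hosts side: source
"""
AFTER = BEFORE.replace("9224M 387G", "9230M 388G").replace("36858 1540K", "37102 1551K")
```

Feed it two real snapshots taken a few seconds apart; a DROP rule with a growing delta is doing its job, while a growing counter on the chain's policy line means traffic is still reaching the application.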