[cod] Problem with UDP flood

Marco Padovan evcz at evcz.tk
Fri Apr 13 15:53:48 EDT 2012


Hi,

please be aware that you posted your username and password in plaintext :|

Btw, for 2 days now I've had a box getting a constant 12 Mbit/sec incoming (even
when sending 0 kbit/sec outgoing) ... there's nothing you can do about
it... incoming traffic comes in even if you ban every single IP....

On 13/04/2012 20:09, Andrej Parovel wrote:
> Hello,
>
> I have followed your directions about UDP flood for Call of Duty
> servers and installed a blocking iptables script (you can check it
> below) but I am still receiving a lot of UDP traffic on my server.
> Before I had a lot of outgoing traffic, now I am having a lot of
> incoming traffic. Any help?
>
> UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28987 on eth0
> UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28987 on eth0
> UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28975 on eth0
> UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28973 on eth0
> UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28977 on eth0
> UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28977 on eth0
> UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28973 on eth0
> UDP (46 bytes) from 50.23.201.54:28690 to 91.185.199.169:28987 on eth0
>
> Here is my iptables script:
>
> /sbin/iptables -A OUTPUT -p UDP -m length --length 1162:1168 -j DROP
> /sbin/iptables -A FORWARD -p UDP -m length --length 1162:1168 -j DROP
> /sbin/iptables -A INPUT -p UDP -m length --length 1162:1168 -j DROP
> /sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
> /sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>
> # add a host to the banlist and then drop the packet.
> iptables -N QUERY-BLOCK
> iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP
>
> # is this a query packet? if so, block commonly attacked ports outright,
> # then see if it's a known attacking IP, then see if it is sending at a high
> # rate and should be added to the list of known attacking IPs.
> iptables -N QUERY-CHECK
> iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
> iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
> iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
> iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
> iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
> iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
> iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
> # is it already blocked? continue blocking it and update the counter so it
> # gets blocked for at least another 30 seconds.
> iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
> # check to see if it exceeds our rate threshold,
> # and add it to the list if it does.
> iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 4/second -j QUERY-BLOCK
>
> # look at all the packets going to q3/cod*/et/etc servers
> iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
>
> -- 
> Andrej
>
> +386 31 247 707
> aparovel at gmail.com
>
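A Python model of the INPUT -> QUERY-CHECK -> QUERY-BLOCK logic in the quoted script, added here as an example and not code from the thread: it lets you replay constructed packets against the policy offline and see which ones the chain would drop. It assumes a 1-second sliding window as an approximation of hashlimit's token bucket, and 28 zero bytes standing in for the IPv4/UDP headers so the `--from 32 --to 41` offsets line up.

```python
from collections import defaultdict
from dataclasses import dataclass

BLOCK_SECS = 30     # --seconds 30 on the blocked-hosts recent list
RATE_PER_SEC = 4    # --hashlimit-above 4/second, keyed by srcip
BAD_SPORTS = [(0, 1025), (3074, 3074), (7777, 7777), (27015, 27100), (25200, 25200), (25565, 25565)]

@dataclass
class Pkt:
    t: float        # arrival time in seconds (constructed; the kernel supplies this)
    src: str
    sport: int
    dport: int
    raw: bytes      # whole IPv4 datagram, so --from/--to offsets match iptables

class QueryCheck:
    """Models the quoted INPUT -> QUERY-CHECK -> QUERY-BLOCK rules."""
    def __init__(self):
        self.blocked = {}               # srcip -> last time it hit blocked-hosts
        self.seen = defaultdict(list)   # srcip -> arrival times of recent queries

    def verdict(self, p):
        if not 27960 <= p.dport <= 29000:
            return "ACCEPT"             # INPUT only jumps to QUERY-CHECK for this range
        if b"getstatus" not in p.raw[32:42]:
            return "ACCEPT"             # '! --string getstatus ... -j RETURN': not a query
        if any(lo <= p.sport <= hi for lo, hi in BAD_SPORTS):
            return "DROP"               # the --sport rules
        last = self.blocked.get(p.src)
        if last is not None and p.t - last <= BLOCK_SECS:
            self.blocked[p.src] = p.t   # recent --update refreshes the 30 s timer
            return "DROP"
        # hashlimit approximation (assumption): queries from this src in the last second
        window = [t for t in self.seen[p.src] if p.t - t < 1.0] + [p.t]
        self.seen[p.src] = window
        if len(window) > RATE_PER_SEC:
            self.blocked[p.src] = p.t   # QUERY-BLOCK: recent --set, then DROP
            return "DROP"
        return "ACCEPT"

def q3_query(status=True):
    # constructed packet: 28 zero bytes stand in for the IPv4+UDP headers
    body = b"\xff\xff\xff\xff" + (b"getstatus\n" if status else b"getinfo xxx\n")
    return b"\x00" * 28 + body

def run(packets):
    qc = QueryCheck()
    return [qc.verdict(p) for p in packets]
```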