[cod] Problem with UDP flood

Andrej Parovel aparovel at gmail.com
Fri Apr 13 16:17:30 EDT 2012


I didn't notice, thank you!

Yes, I see I blocked some IPs, but in iptraf I still get the same IPs, and 
it is annoying me. I will try to send them to my ISP so he can block these IPs 
on the router.

It is quite annoying, because I have never had so much traffic before.

Andrej

+386 31 247 707
aparovel at gmail.com


On 13.4.2012 21:53, Marco Padovan wrote:
> Hi,
>
> please be aware that you posted your username and password in plaintext :|
>
> Btw since 2 days I got a box having constant 12mbit/sec incoming (even 
> when having 0kbit/sec outgoing) ... there's nothing you can do about 
> it... incoming traffic comes in even if you ban every single ip....
>
> On 13/04/2012 20:09, Andrej Parovel wrote:
>> Hello,
>>
>> I have followed your directions about UDP flood for Call of Duty 
>> servers and installed a blocking iptables script (you can check it 
>> below), but I am still receiving a lot of UDP traffic on my server.
>> Before I had a lot of outgoing traffic, now I am having a lot of 
>> incoming traffic. Any help?
>>
>> (iptraf packet view on eth0; the HTML table borders were lost in the mail)
>>
>> UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28987 on eth0
>> UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28987 on eth0
>> UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28975 on eth0
>> UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28973 on eth0
>> UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28977 on eth0
>> UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28977 on eth0
>> UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28973 on eth0
>> UDP (46 bytes) from 50.23.201.54:28690 to 91.185.199.169:28987 on eth0
>>
>>
>> Here is my iptables script:
>>
>> /sbin/iptables -A OUTPUT -p UDP -m length --length 1162:1168 -j DROP
>> /sbin/iptables -A FORWARD -p UDP -m length --length 1162:1168 -j DROP
>> /sbin/iptables -A INPUT -p UDP -m length --length 1162:1168 -j DROP
>> /sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
>> /sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>>
>> # add a host to the banlist and then drop the packet.
>> iptables -N QUERY-BLOCK
>> iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP
>>
>> # is this a query packet? if so, block commonly attacked ports outright,
>> # then see if it's a known attacking IP, then see if it is sending at a high
>> # rate and should be added to the list of known attacking IPs.
>> iptables -N QUERY-CHECK
>> iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
>> iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
>> iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
>> iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
>> iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
>> iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
>> iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
>> # is it already blocked? continue blocking it and update the counter so it
>> # gets blocked for at least another 30 seconds.
>> iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
>> # check to see if it exceeds our rate threshold,
>> # and add it to the list if it does.
>> iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 4/second -j QUERY-BLOCK
>>
>> # look at all the packets going to q3/cod*/et/etc servers
>> iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
>>
>> -- 
>> Andrej
>>
>> +386 31 247 707
>> aparovel at gmail.com
>>
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
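An added example, not code from the thread or from the cod list, showing how to turn iptraf output like the lines quoted above into a per-source rate check that mirrors the `--hashlimit-above 4/second` threshold in the quoted script. The packet lines are constructed in the same format as the quoted ones (the per-source counts and the 203.0.113.7 client are made up so the check has something to flag), and the capture window `CAPTURE_SECONDS` is an assumption, because iptraf's packet view carries no timestamps:

```python
import re
from collections import defaultdict

# Constructed sample modelled on the iptraf lines quoted in the thread
# (same address/port/size pattern; the number of packets per source is
# made up so that the rate check below has something to flag).
SAMPLE_CAPTURE = """\
UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28987 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28987 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28975 on eth0
UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28973 on eth0
UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28977 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28977 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28973 on eth0
UDP (46 bytes) from 50.23.201.54:28690 to 91.185.199.169:28987 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28960 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28961 on eth0
UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28960 on eth0
UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28961 on eth0
UDP (1200 bytes) from 203.0.113.7:51532 to 91.185.199.169:28960 on eth0
"""
# Assumption: the 13 lines above were captured over this many seconds
# (iptraf's packet view has no timestamps, so the window must be supplied).
CAPTURE_SECONDS = 1.0

LINE_RE = re.compile(
    r"UDP \((?P<size>\d+) bytes\) from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) on (?P<iface>\S+)"
)


def parse_line(line):
    """Return a dict for one iptraf UDP line, or None if it does not match.
    search() rather than match() so the '?' border characters that iptraf's
    text UI leaves in front of a line do not break parsing."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("size", "sport", "dport"):
        d[k] = int(d[k])
    return d


def summarize(text):
    """Aggregate packets, bytes and the sets of ports seen per source address."""
    per_src = defaultdict(lambda: {"packets": 0, "bytes": 0,
                                   "sports": set(), "dports": set()})
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue  # blank lines, table borders, anything that is not a packet
        s = per_src[pkt["src"]]
        s["packets"] += 1
        s["bytes"] += pkt["size"]
        s["sports"].add(pkt["sport"])
        s["dports"].add(pkt["dport"])
    return dict(per_src)


def flag_sources(per_src, capture_seconds, threshold_pps=4.0):
    """Sources whose packet rate is strictly above threshold_pps, the same
    semantics as `-m hashlimit --hashlimit-above 4/second` in the quoted script.
    Returns (src, pps) pairs, highest rate first."""
    flagged = []
    for src, s in per_src.items():
        pps = s["packets"] / capture_seconds
        if pps > threshold_pps:
            flagged.append((src, pps))
    flagged.sort(key=lambda t: t[1], reverse=True)
    return flagged


def suggest_rules(flagged, chain="INPUT"):
    """Build per-source iptables DROP rules for the flagged addresses.
    As the thread points out, DROP keeps the packets away from the game
    server process but the bytes still arrive on the interface; only an
    upstream (ISP/router) filter reduces the inbound link load."""
    return [f"/sbin/iptables -A {chain} -p udp -s {src} -j DROP"
            for src, _ in flagged]


if __name__ == "__main__":
    summary = summarize(SAMPLE_CAPTURE)
    flagged = flag_sources(summary, CAPTURE_SECONDS)
    for src, pps in flagged:
        s = summary[src]
        print(f"{src}: {pps:.1f} pkt/s, {s['bytes']} bytes, "
              f"src ports {sorted(s['sports'])}, dst ports {sorted(s['dports'])}")
    for rule in suggest_rules(flagged):
        print(rule)
```

The summary makes two things visible that a raw packet list hides: the flood sources all use one source port and spray many destination ports in the 27960:29000 range that the quoted script sends to QUERY-CHECK, while the ordinary client appears once with a large packet. The generated rules are the same per-IP bans Andrej applied by hand; the inbound bandwidth question from the thread is unchanged by them, which is why the rule list is best handed to the ISP rather than applied only locally.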