[cod] Problem with UDP flood

NewLight Systems nls at newlightsystems.com
Fri Apr 13 16:59:43 EDT 2012


The only way is for your ISP to blackhole this; there's nothing you can do on
your end.

On 13/04/12 22:17, Andrej Parovel wrote:
> I didn't notice thank you!
>
> Yes, I see I blocked some IPs, but in iptraf I still get the same IPs.
> It is annoying me; I will try to send them to my ISP so he can block
> these IPs on the router.
>
> It is quite annoying, because I had never before so much traffic.
>
> Andrej
>
> +386 31 247 707
> aparovel at gmail.com
>
> On 13.4.2012 21:53, Marco Padovan wrote:
>> Hi,
>>
>> please be aware that you posted your username and password in 
>> plaintext :|
>>
>> Btw, for 2 days I have had a box with a constant 12 Mbit/sec incoming (even
>> with 0 kbit/sec outgoing)... there's nothing you can do about
>> it... incoming traffic comes in even if you ban every single IP....
>>
>> On 13/04/2012 20:09, Andrej Parovel wrote:
>>> Hello,
>>>
>>> I have followed your directions about the UDP flood for Call of Duty
>>> servers and installed a blocking iptables script (you can see it
>>> below), but I am still receiving a lot of UDP traffic on my server.
>>> Before I had a lot of outgoing traffic; now I am having a lot of
>>> incoming traffic. Any help?
>>>
>>> │ UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28987 on eth0
>>> │ UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28987 on eth0
>>> │ UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28975 on eth0
>>> │ UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28973 on eth0
>>> │ UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28977 on eth0
>>> │ UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28977 on eth0
>>> │ UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28973 on eth0
>>> │ UDP (46 bytes) from 50.23.201.54:28690 to 91.185.199.169:28987 on eth0
>>>
>>>
>>> Here is my iptables script:
>>>
>>> /sbin/iptables -A OUTPUT -p UDP -m length --length 1162:1168 -j DROP
>>> /sbin/iptables -A FORWARD -p UDP -m length --length 1162:1168 -j DROP
>>> /sbin/iptables -A INPUT -p UDP -m length --length 1162:1168 -j DROP
>>> /sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
>>> /sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
>>>
>>> # add a host to the banlist and then drop the packet.
>>> iptables -N QUERY-BLOCK
>>> iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP
>>>
>>> # is this a query packet? if so, block commonly attacked ports outright,
>>> # then see if it's a known attacking IP, then see if it is sending at a high
>>> # rate and should be added to the list of known attacking IPs.
>>> iptables -N QUERY-CHECK
>>> iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
>>> iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
>>> iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
>>> iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
>>> iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
>>> iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
>>> iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
>>> # is it already blocked? continue blocking it and update the counter so it
>>> # gets blocked for at least another 30 seconds.
>>> iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
>>> # check to see if it exceeds our rate threshold,
>>> # and add it to the list if it does.
>>> iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 4/second -j QUERY-BLOCK
>>>
>>> # look at all the packets going to q3/cod*/et/etc servers
>>> iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
>>>
>>> -- 
>>> Andrej
>>>
>>> +386 31 247 707
>>> aparovel at gmail.com
>>>
>>>
>>> _______________________________________________
>>> cod mailing list
>>> cod at icculus.org
>>> http://icculus.org/mailman/listinfo/cod

-- 


*David Aguilar Valero*

Commercial and Technical Support Dept.

NewLight Systems

*Game servers, hardware, dedicated servers*


*crk01 at nls.es*

crk01 at newlightsystems.com <mailto:crk01 at newlightsystems.com>

tecnico at newlightsystems.com <mailto:tecnico at newlightsystems.com>

#NewLight_Systems @ irc-hispano.org

*www.newlightsystems.com* <http://www.newlightsystems.com/>

*www.nls.es* <http://www.nls.es/>

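The thread's practical conclusion is that local DROP rules cannot reduce what iptraf shows: the interface still receives every packet, so the traffic only stops if the upstream ISP blackholes the sources. What the defender can do locally is turn the capture into a per-source summary to send to the ISP. The following is an added example written for this page, not code from the list or from any of the posters; it assumes the iptraf line format quoted above (`UDP (<bytes> bytes) from <src>:<sport> to <dst>:<dport> on <iface>`), and the packet threshold and the function names are placeholders chosen for the illustration.

```python
"""Per-source summary of inbound UDP flows from iptraf-style log lines.

Added example for this thread, not code from the list or its posters.
It assumes the line format shown in the quoted capture:
    UDP (<bytes> bytes) from <src>:<sport> to <dst>:<dport> on <iface>
Packets that iptables DROPs are still counted by iptraf, because the
interface sees them before netfilter does; the useful defensive output
is therefore a per-source tally (packets, bytes, ports) that can be
handed to the upstream ISP, the only place where the traffic can be stopped.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"UDP \((?P<bytes>\d+) bytes\) from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) on (?P<iface>\S+)"
)

# Sample input: the eight flow lines quoted in the thread, re-joined onto
# one line each (the mail client had wrapped them). Constructed for this
# example from the page's own capture.
SAMPLE_LOG = """\
UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28987 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28987 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28975 on eth0
UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28973 on eth0
UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28977 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28977 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28973 on eth0
UDP (46 bytes) from 50.23.201.54:28690 to 91.185.199.169:28987 on eth0
"""


def parse_lines(text):
    """Return one dict per parseable flow line. Lines in any other format
    (iptraf headers, box-drawing characters, blank lines) are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("bytes", "sport", "dport"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def summarize(flows):
    """Aggregate per source IP: packet count, byte total, the set of
    destination ports hit and the set of source ports used."""
    summary = defaultdict(lambda: {"packets": 0, "bytes": 0,
                                   "dports": set(), "sports": set()})
    for f in flows:
        s = summary[f["src"]]
        s["packets"] += 1
        s["bytes"] += f["bytes"]
        s["dports"].add(f["dport"])
        s["sports"].add(f["sport"])
    return dict(summary)


def top_sources(summary, min_packets=2):
    """Source IPs with at least min_packets packets, busiest (by bytes) first.
    min_packets is a placeholder threshold; on a live capture it would be
    much higher and tied to a time window."""
    hot = [src for src, s in summary.items() if s["packets"] >= min_packets]
    return sorted(hot, key=lambda src: (-summary[src]["bytes"], src))


def report_lines(summary, min_packets=2):
    """Plain-text lines suitable for pasting into a ticket to the ISP:
    source, packets, bytes, source ports, destination ports."""
    out = []
    for src in top_sources(summary, min_packets):
        s = summary[src]
        out.append("%s packets=%d bytes=%d sports=%s dports=%s" % (
            src, s["packets"], s["bytes"],
            ",".join(str(p) for p in sorted(s["sports"])),
            ",".join(str(p) for p in sorted(s["dports"]))))
    return out


if __name__ == "__main__":
    # Feed a real capture with: iptraf text log piped into parse_lines().
    for line in report_lines(summarize(parse_lines(SAMPLE_LOG))):
        print(line)
```

On the eight quoted lines this reports 96.31.79.153 (4 packets, 184 bytes, four destination ports) and 180.235.128.13 (3 packets, 138 bytes) and leaves out 50.23.201.54, which appears only once. Note that the sorted source-port and destination-port sets are kept in the report on purpose: an ISP filtering on a router can act on a source plus a fixed source port, whereas the per-host DROP rules in the thread only save CPU on the server and never lower the inbound rate.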
