[cod] Game server whitelisting rules

Boyd G. Gafford Ph.D. drboyd at westportresearch.com
Tue Apr 17 11:12:07 EDT 2012


Just wanted to let everyone know that I am making the dynamic 
whitelisting iptables rules I have been testing available to anyone who 
runs a Q3-protocol server under Linux and wants to try them out.  These 
rules were designed for the most severe of all attacks, and that is 
attacks where the source IP is spoofed and is random.  It also works for 
attacks from a single IP, as well as indirect reflection attacks.

We have 2 commercial server companies using these rules currently in 
their production environment, and I am currently working with two more.  
I also have test servers running on several VPS's that I use for 
development.

So what do the iptables do?  Here's the list:

1) Players have their IP saved automatically at the kernel level when 
they join a game server, and then those IPs are used as a filter for 
other rules.  When they leave the game server the IP is retired after 10 
minutes.  (This is what we call a whitelisted player).  This is the main 
guts of the protection, as identifying valid players is important to 
mitigating attacks.

2) Server query packets like 'getstatus' and 'getinfo' are rate limited 
to 10/sec to prevent lag when they are used in a DOS attack.  Players 
that are whitelisted have their packets allowed (so they can see server 
status while in game even during an attack).

3) 'getchallenge' packets (normally used by a player to join the game) 
are rate limited to 2/sec, to prevent lag when they are used in a DOS 
attack.  Players that are whitelisted always have their requests to join 
the server processed.  This gives a player who was recently playing the 
ability to join the server again, even when the DOSer is trying to lock 
down the population on the server by spamming fake players joining.

4) All other packets are rate limited per whitelisted player IP to no 
more than 100/second, to prevent lag when a DOSer has stolen a valid 
player IP address and is attacking with it in an attempt to break 
through the whitelist rules.

5) Attempts to use your game server as a reflector to attack other game 
servers are blocked (due to rate limiting in 1-4).

6) Reflection attack packets hitting your server are dropped (again due 
to rate limiting in 1-4).

7) A custom packet (not part of the Q3 protocol) can be sent by a player 
to break into and join a game that is under 24/7 'getchallenge' attack.  
This is one of the slicker features of the iptables rules, as this 
'server lockdown' DOS attack is now easily breached.


The iptables rules are added dynamically per server IP:PORT pair.  That 
way the rules affect nothing but UDP packets to that game server.  No 
other types of packets are affected whatsoever.  To make it easy, the 
rules have been put into shell scripts.

Example:  Protect the game running on 10.1.2.3 port 28000.

# ./protectgame.sh 10.1.2.3 28000

Example:  Show the iptables rules currently protecting the game running 
on 10.1.2.3 port 28000.

# ./listgame.sh 10.1.2.3 28000

Example:  Remove the iptables rules protecting the game running on 
10.1.2.3 port 28000.

# ./unprotectgame.sh 10.1.2.3 28000
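As an added illustration (my own reconstruction, not the author's scripts, which are not posted here), this is one way rules 1 to 4 above can be expressed with stock iptables modules (string, recent, hashlimit, limit) for a server on IP:PORT. The chain names, the use of the server's own connectResponse packet as the whitelisting trigger, the 600 s recent-list timeout and the no-IP-options payload offset are my assumptions; rule 7's custom packet is omitted.

```shell
#!/bin/sh
# Per-server Q3 whitelisting rules, reconstructed from the list above (not the
# author's scripts). Set IPT=echo to print the rules instead of loading them;
# otherwise they are applied with iptables (root, string/recent/hashlimit modules).
IPT="${IPT:-iptables}"

q3_rules() {
    ip="$1"; port="$2"
    chain="Q3_${port}"            # one chain per protected server (assumed name)
    players="q3_${port}_players"  # kernel-level whitelist: an xt_recent table
    # UDP payload starts at byte 28 (20-byte IP header without options + 8-byte
    # UDP header); every Q3 out-of-band packet begins with 0xFF 0xFF 0xFF 0xFF
    # followed by the command name.
    q3="-m string --algo bm --from 28 --to 60 --hex-string"

    "$IPT" -N "$chain"
    "$IPT" -N "${chain}_query"
    "$IPT" -I INPUT -p udp -d "$ip" --dport "$port" -j "$chain"

    # 1) Whitelist: when the server itself answers a completed handshake with
    #    connectResponse, record the destination address as a player (assumed trigger).
    "$IPT" -A OUTPUT -p udp -s "$ip" --sport "$port" $q3 '|ffffffff|connectResponse' \
        -m recent --name "$players" --rdest --set
    # 4) Whitelisted players: drop anything above 100 pkt/s per source IP ...
    "$IPT" -A "$chain" -m recent --name "$players" --rcheck --seconds 600 \
        -m hashlimit --hashlimit-name "$players" --hashlimit-mode srcip \
        --hashlimit-above 100/sec -j DROP
    #    ... otherwise accept and refresh the entry, so it retires 600 s after
    #    the player's last packet. Accepting here also covers their status queries.
    "$IPT" -A "$chain" -m recent --name "$players" --update --seconds 600 -j ACCEPT

    # 2) getstatus/getinfo from everyone else share one 10/s budget.
    "$IPT" -A "$chain" $q3 '|ffffffff|getstatus' -j "${chain}_query"
    "$IPT" -A "$chain" $q3 '|ffffffff|getinfo' -j "${chain}_query"
    "$IPT" -A "${chain}_query" -m limit --limit 10/sec --limit-burst 10 -j ACCEPT
    "$IPT" -A "${chain}_query" -j DROP

    # 3) getchallenge from non-whitelisted sources: 2/s, the rest dropped.
    "$IPT" -A "$chain" $q3 '|ffffffff|getchallenge' -m limit --limit 2/sec -j ACCEPT
    "$IPT" -A "$chain" $q3 '|ffffffff|getchallenge' -j DROP

    # Everything else (e.g. a new player's connect packet) falls through to the
    # rest of your INPUT policy. 5) and 6) follow from the limits above.
    "$IPT" -A "$chain" -j RETURN
}

if [ "$#" -eq 2 ]; then q3_rules "$1" "$2"; fi
```

Only UDP packets to the given IP:PORT enter the chain, so other traffic on the host is untouched, matching the per-server scoping described above.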

Rather than just send the scripts to the whole list here, I've decided 
to ask anyone interested to Email me personally and request it.  If you 
run a commercial gaming service (or even your own COD server and agree 
not to share it with anyone else), I will be happy to send it to you and 
help you understand how to use it in your environment.

Thanks,

Boyd

__________________________________
Boyd G. Gafford Ph.D.
Manager of Software Development
Westport Research Associates Inc.
7001 Blue Ridge Blvd
Raytown, MO 64133
(816) 358-8990
drboyd at westportresearch.com