[cod] Game server whitelisting rules

escapedturkey escapedturkey at escapedturkey.com
Tue Apr 17 12:00:01 EDT 2012


That should say: "simply clicks on one of two buttons".

On Tue, Apr 17, 2012 at 11:58 AM, escapedturkey <
escapedturkey at escapedturkey.com> wrote:

> On top of that, using webmin and usermin, I have developed scripts (to
> utilize Boyd's scripts) where the user simply clicks on of two buttons,
> then within 30 minutes protection is enabled or disabled. There is another
> script to display the protection status. This way root runs a script, every
> 30 minutes, searches to see who has enabled or disabled protection, then
> adds or removes the rules to iptables.
>
> For more information on how the scripts work, please see the following:
>
> https://www.escapedturkey.com/links/serverprotection
>
> I will gladly share these scripts as well. Please drop me an e-mail if you
> are interested. The more protection we have for everyone's game servers,
> the better the community will be. =)
>
> On Tue, Apr 17, 2012 at 11:12 AM, Boyd G. Gafford Ph.D. <
> drboyd at westportresearch.com> wrote:
>
>> Just wanted to let everyone know that I am making the dynamic
>> whitelisting iptables rules I have been testing available to anyone who
>> runs a Q3-protocol server under Linux and wants to try them out.  These
>> rules were designed for the most severe of all attacks, and that is attacks
>> where the source IP is spoofed and is random.  It also works for attacks
>> from a single IP, as well as indirect reflection attacks.
>>
>> We have 2 commercial server companies using these rules currently in
>> their production environment, and I am currently working with two more.  I
>> also have test servers running on several VPS's that I use for development.
>>
>> So what do the iptables do?  Here's the list:
>>
>> 1) Players have their IP saved automatically at the kernel level when
>> they join a game server, and then those IPs are used as a filter for other
>> rules.  When they leave the game server the IP is retired after 10
>> minutes.  (This is what we call a whitelisted player).  This is the main
>> guts of the protection, as identifying valid players is important to
>> mitigating attacks.
>>
>> 2) Server query packets like 'getstatus' and 'getinfo' are rate limited
>> to 10/sec to prevent lag when they are used in a DOS attack.  Players that
>> are whitelisted have their packets allowed (so they can see server status
>> while in game even during an attack).
>>
>> 3) 'getchallenge' packets (normally used by a player to join the game)
>> are rate limited to 2/sec, to prevent lag when they are used in a DOS
>> attack.  Players that are whitelisted always have their requests to join
>> the server processed.  This allows a player who was recently playing the
>> ability to join the server again, even when the DOSer is trying to lock
>> down the population on the server by spamming fake players joining.
>>
>> 4) All other packets are rate limited per whitelisted player IP to no
>> more than 100/second, to prevent lag when a DOSer has stolen a valid player
>> IP address and is attacking with it in an attempt to break through the
>> whitelist rules.
>>
>> 5) Attempts to use your game server as a reflector to attack other game
>> servers are blocked (due to rate limiting in 1-4).
>>
>> 6) Reflection attack packets hitting your server are dropped (again due
>> to rate limiting in 1-4).
>>
>> 7) A custom packet (not part of the Q3 protocol) can be sent by a player
>> to break into and join a game that is under 24/7 'getchallenge' attack.
>> This is one of the slicker features of the iptables rules, as this 'server
>> lockdown' DOS attack is now easily breached.
>>
>>
>> The iptables rules are added dynamically per server IP:PORT pair.  That
>> way the rules affect nothing but UDP packets to that game server.  No other
>> types of packets are affected whatsoever.  To make it easy, the rules have
>> been put into shell scripts.
>>
>> Example:  Protect the game running on 10.1.2.3 port 28000.
>>
>> # ./protectgame.sh 10.1.2.3 28000
>>
>> Example:  Show the iptables rules currently protecting the game running
>> on 10.1.2.3 port 28000.
>>
>> # ./listgame.sh 10.1.2.3 28000
>>
>> Example:  Remove the iptables rules protecting the game running on
>> 10.1.2.3 port 28000.
>>
>> # ./unprotectgame.sh 10.1.2.3 28000
>>
>> Rather than just send the scripts to the whole list here, I've decided to
>> ask anyone interested to Email me personally and request it.  If you run a
>> commercial gaming service (or even your own COD server and agree not to
>> share it with anyone else), I will be happy to send it to you and help you
>> understand how to use it in your environment.
>>
>> Thanks,
>>
>>   Boyd
>>
>> __________________________________
>> Boyd G. Gafford Ph.D.
>> Manager of Software Development
>> Westport Research Associates Inc.
>> 7001 Blue Ridge Blvd
>> Raytown, MO 64133
>> (816) 358-8990
>> drboyd at westportresearch.com
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>
>
> --
> EscapedTurkey.com Billing and Support
> https://www.escapedturkey.com/helpdesk
>
>


-- 
EscapedTurkey.com Billing and Support
https://www.escapedturkey.com/helpdesk
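Added example, not Boyd's or escapedturkey's scripts (which are not on this page): one way to express items 1-4 of Boyd's list for a single IP:PORT with stock iptables modules. The chain and list names, the use of the server's "connectResponse" reply as the whitelisting trigger, and the final drop of unclassified non-whitelisted packets are assumptions; by default the script only prints the commands.

```bash
#!/bin/bash
# Added example, not the scripts from the thread: per-IP:PORT protection for a
# Q3-protocol game server built from items 1-4 above with stock iptables modules
# (xt_recent whitelist, xt_string command matching, limit/hashlimit rates).
# Assumptions: a "connectResponse" from the server marks a valid player, and
# packets that are neither queries, challenges nor from a whitelisted IP are dropped.
set -eu
# Print the iptables commands for one server; with APPLY=1 (as root) run them instead.
q3_rules() {
    local ip="$1" port="$2"
    local chain="Q3_$port" qchain="Q3_QUERY_$port" list="q3w_$port"
    local ipt="echo iptables"
    [ "${APPLY:-0}" = 1 ] && ipt="iptables -w"   # -w: wait for the xtables lock

    # Dedicated chain reached only by UDP packets to this IP:PORT; nothing else is touched.
    $ipt -N "$chain"
    $ipt -N "$qchain"
    $ipt -I INPUT -p udp -d "$ip" --dport "$port" -j "$chain"

    # 1) Whitelist at kernel level: a connectResponse to a client records its address
    #    (--rdest); every later server packet to a known address refreshes its timestamp,
    #    so an entry goes stale 600 s after the server stops talking to that player.
    $ipt -A OUTPUT -p udp -s "$ip" --sport "$port" -m string --algo bm \
        --string "connectResponse" -m recent --name "$list" --rdest --set
    $ipt -A OUTPUT -p udp -s "$ip" --sport "$port" -m recent --name "$list" --rdest --update

    # 4) Whitelisted players: all their packets accepted, capped at 100/s per source IP
    #    (--reap purges entries older than 600 s as a side effect of the check).
    $ipt -A "$chain" -m recent --name "$list" --rcheck --seconds 600 --reap \
        -m hashlimit --hashlimit-upto 100/sec --hashlimit-mode srcip \
        --hashlimit-name "$list" -j ACCEPT
    $ipt -A "$chain" -m recent --name "$list" --rcheck --seconds 600 -j DROP

    # 2) getstatus/getinfo from everyone else share one 10/s bucket; the rest is dropped.
    $ipt -A "$chain" -m string --algo bm --string "getstatus" -j "$qchain"
    $ipt -A "$chain" -m string --algo bm --string "getinfo" -j "$qchain"
    $ipt -A "$qchain" -m limit --limit 10/sec -j ACCEPT
    $ipt -A "$qchain" -j DROP

    # 3) getchallenge (join requests) from non-whitelisted clients: 2/s, the rest dropped.
    $ipt -A "$chain" -m string --algo bm --string "getchallenge" -m limit --limit 2/sec -j ACCEPT
    $ipt -A "$chain" -m string --algo bm --string "getchallenge" -j DROP

    # Anything else not from a whitelisted player is dropped (assumption, see header).
    $ipt -A "$chain" -j DROP
}

# Stand-alone: ./q3rules.sh 10.1.2.3 28000   (unprotecting = flush and delete the two chains)
if [ $# -ge 2 ]; then q3_rules "$1" "$2"; fi
```

Item 7 (the custom unlock packet) is deliberately left out; it would be one more `-m string` rule ahead of the getchallenge limit, keyed on whatever private marker the server operator chooses.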