[cod] Game server whitelisting rules
escapedturkey
escapedturkey at escapedturkey.com
Tue Apr 17 12:00:01 EDT 2012
That should say: "simply clicks on one of two buttons".
On Tue, Apr 17, 2012 at 11:58 AM, escapedturkey <
escapedturkey at escapedturkey.com> wrote:
> On top of that, using webmin and usermin, I have developed scripts (to
> utilize Boyd's scripts) where the user simply clicks on of two buttons,
> then within 30 minutes protection is enabled or disabled. There is another
> script to display the protection status. This way root runs a script, every
> 30 minutes, searches to see who has enabled or disabled protection, then
> adds or removes the rules to iptables.
>
> For more information on how the scripts work, please see the following:
>
> https://www.escapedturkey.com/links/serverprotection
>
> I will gladly share these scripts as well. Please drop me an e-mail if you
> are interested. The more protection we have for everyone's game servers,
> the better the community will be. =)
>
> On Tue, Apr 17, 2012 at 11:12 AM, Boyd G. Gafford Ph.D. <
> drboyd at westportresearch.com> wrote:
>
>> Just wanted to let everyone know that I am making the dynamic
>> whitelisting iptables rules I have been testing available to anyone who
>> runs a Q3-protocol server under Linux and wants to try them out. These
>> rules were designed for the most severe of all attacks, and that is attacks
>> where the source IP is spoofed and is random. It also works for attacks
>> from a single IP, as well as indirect reflection attacks.
>>
>> We have 2 commercial server companies using these rules currently in
>> their production environment, and I am currently working with two more. I
>> also have test servers running on several VPS's that I use for development.
>>
>> So what do the iptables do? Here's the list:
>>
>> 1) Players have their IP saved automatically at the kernel level when
>> they join a game server, and then those IPs are used as a filter for other
>> rules. When they leave the game server the IP is retired after 10
>> minutes. (This is what we call a whitelisted player). This is the main
>> guts of the protection, as identifying valid players is important to
>> mitigating attacks.
>>
>> 2) Server query packets like 'getstatus' and 'getinfo' are rate limited
>> to 10/sec to prevent lag when they are used in a DOS attack. Players that
>> are whitelisted have their packets allowed (so they can see server status
>> while in game even during an attack).
>>
>> 3) 'getchallenge' packets (normally used by a player to join the game)
>> are rate limited to 2/sec, to prevent lag when they are used in a DOS
>> attack. Players that are whitelisted always have their requests to join
>> the server processed. This gives a player who was recently playing the
>> ability to join the server again, even when the DOSer is trying to lock
>> down the population on the server by spamming fake players joining.
>>
>> 4) All other packets are rate limited per whitelisted player IP to no
>> more than 100/second, to prevent lag when a DOSer has stolen a valid player
>> IP address and is attacking with it in an attempt to break through the
>> whitelist rules.
>>
>> 5) Attempts to use your game server as a reflector to attack other game
>> servers are blocked (due to rate limiting in 1-4).
>>
>> 6) Reflection attack packets hitting your server are dropped (again due
>> to rate limiting in 1-4).
>>
>> 7) A custom packet (not part of the Q3 protocol) can be sent by a player
>> to break into and join a game that is under 24/7 'getchallenge' attack.
>> This is one of the slicker features of the iptables rules, as this 'server
>> lockdown' DOS attack is now easily breached.
>>
>>
>> The iptables rules are added dynamically per server IP:PORT pair. That
>> way the rules affect nothing but UDP packets to that game server. No other
>> types of packets are affected whatsoever. To make it easy, the rules have
>> been put into shell scripts.
>>
>> Example: Protect the game running on 10.1.2.3 port 28000.
>>
>> # ./protectgame.sh 10.1.2.3 28000
>>
>> Example: Show the iptables rules currently protecting the game running
>> on 10.1.2.3 port 28000.
>>
>> # ./listgame.sh 10.1.2.3 28000
>>
>> Example: Remove the iptables rules protecting the game running on
>> 10.1.2.3 port 28000.
>>
>> # ./unprotectgame.sh 10.1.2.3 28000
>>
>> Rather than just send the scripts to the whole list here, I've decided to
>> ask anyone interested to Email me personally and request it. If you run a
>> commercial gaming service (or even your own COD server and agree not to
>> share it with anyone else), I will be happy to send it to you and help you
>> understand how to use it in your environment.
>>
>> Thanks,
>>
>> *Boyd*
>>
>> __________________________________
>> Boyd G. Gafford Ph.D.
>> Manager of Software Development
>> Westport Research Associates Inc.
>> 7001 Blue Ridge Blvd
>> Raytown, MO 64133
>> (816) 358-8990
>> drboyd at westportresearch.com
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>
>
> --
> EscapedTurkey.com Billing and Support
> https://www.escapedturkey.com/helpdesk
>
>
--
EscapedTurkey.com Billing and Support
https://www.escapedturkey.com/helpdesk
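The rule set Boyd describes, written out as an added illustration for this thread; it is not his scripts (those are only available on request) and not part of either post. It assumes the xt_recent, xt_string, hashlimit and limit iptables modules, picks its own chain and list names, treats the server's outgoing connectResponse as the "player joined" signal, and the 10/sec cap on leftover non-whitelisted packets is an assumed value the posts do not give.

```shell
#!/bin/sh
# Independent reconstruction of the whitelisting scheme from the thread (not Boyd's scripts).
# Assumptions: xt_recent, xt_string, xt_hashlimit and limit are available; chain and list
# names and the connectResponse join trigger are my choices; IPT can be overridden.
IPT=${IPT:-iptables}
OOB='|ffffffff|'     # Q3 out-of-band packets start with four 0xff bytes

# Emit the rules for one IP:PORT pair, one per line, without the iptables prefix.
rules_for() {
  ip=$1; port=$2; chain="q3_${port}"; wl="q3wl_${port}"
  echo "-N $chain"
  # Only UDP destined for this game server enters the chain; nothing else is touched.
  echo "-A INPUT -p udp -d $ip --dport $port -j $chain"
  # (1,4) Whitelisted players: refresh their 10-minute timer, cap each source at 100/sec.
  echo "-A $chain -m recent --name $wl --rsource --update --seconds 600 -m hashlimit --hashlimit-name ${wl}_pps --hashlimit-mode srcip --hashlimit-above 100/sec --hashlimit-burst 100 -j DROP"
  echo "-A $chain -m recent --name $wl --rsource --rcheck --seconds 600 -j ACCEPT"
  # (2) getstatus/getinfo from everyone else: 10/sec per server (sources may be spoofed,
  # so a per-source limit would not help); the surplus is dropped.
  for q in getstatus getinfo; do
    echo "-A $chain -m string --algo bm --hex-string ${OOB}${q} -m limit --limit 10/sec --limit-burst 10 -j ACCEPT"
    echo "-A $chain -m string --algo bm --hex-string ${OOB}${q} -j DROP"
  done
  # (3) getchallenge from non-whitelisted sources: 2/sec, surplus dropped.
  echo "-A $chain -m string --algo bm --hex-string ${OOB}getchallenge -m limit --limit 2/sec --limit-burst 2 -j ACCEPT"
  echo "-A $chain -m string --algo bm --hex-string ${OOB}getchallenge -j DROP"
  # Anything else not yet whitelisted (mainly 'connect'): assumed 10/sec cap, then drop.
  echo "-A $chain -m limit --limit 10/sec --limit-burst 10 -j ACCEPT"
  echo "-A $chain -j DROP"
  # (1) A join is the server's own connectResponse going out: record its destination as a
  # player. Caveat: xt_recent keeps 100 addresses per list unless ip_list_tot is raised.
  echo "-A OUTPUT -p udp -s $ip --sport $port -m string --algo bm --hex-string ${OOB}connectResponse -m recent --name $wl --rdest --set"
}

# shellcheck disable=SC2086  (word splitting of each emitted rule is intended)
protect_game()   { rules_for "$1" "$2" | while read -r rule; do $IPT $rule; done; }
list_game()      { $IPT -S "q3_$2"; $IPT -S OUTPUT | grep -F -- "--sport $2 "; }
unprotect_game() {
  rules_for "$1" "$2" | grep -E '^-A (INPUT|OUTPUT)' | sed 's/^-A/-D/' |
    while read -r rule; do $IPT $rule; done
  $IPT -F "q3_$2"; $IPT -X "q3_$2"
}

case "${1:-}" in
  protect)   protect_game   "$2" "$3" ;;   # ./q3protect.sh protect 10.1.2.3 28000
  list)      list_game      "$2" "$3" ;;
  unprotect) unprotect_game "$2" "$3" ;;
esac
```

Run as root to apply; `IPT=echo ./q3protect.sh protect 10.1.2.3 28000` prints the rules instead, which is a handy dry run before touching a production box.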