[cod] Game server whitelisting rules

Robert Mount rmount at pobox.com
Tue Apr 17 14:29:43 EDT 2012


Would love to see this integrated with csf/lfd somehow.

http://www.configserver.com/cp/csf.html

--Rob

On Tue, Apr 17, 2012 at 2:09 PM, Brandon R. Miller
<brandonm at branzone.com> wrote:
> Will it work on CentOS 5.x with iptables 1.3.5?
>
> - Brandon M.
>
> On 4/17/2012 10:12 AM, Boyd G. Gafford Ph.D. wrote:
>
> Just wanted to let everyone know that I am making the dynamic whitelisting
> iptables rules I have been testing available to anyone who runs a
> Q3-protocol server under Linux and wants to try them out.  These rules were
> designed for the most severe of all attacks, and that is attacks where the
> source IP is spoofed and is random.  It also works for attacks from a single
> IP, as well as indirect reflection attacks.
>
> We have 2 commercial server companies using these rules currently in their
> production environment, and I am currently working with two more.  I also
> have test servers running on several VPSs that I use for development.
>
> So what do the iptables do?  Here's the list:
>
> 1) Players have their IP saved automatically at the kernel level when they
> join a game server, and then those IPs are used as a filter for other
> rules.  When they leave the game server the IP is retired after 10 minutes.
> (This is what we call a whitelisted player).  This is the main guts of the
> protection, as identifying valid players is important to mitigating attacks.
>
> 2) Server query packets like 'getstatus' and 'getinfo' are rate limited to
> 10/sec to prevent lag when they are used in a DOS attack.  Players that are
> whitelisted have their packets allowed (so they can see server status while
> in game even during an attack).
>
> 3) 'getchallenge' packets (normally used by a player to join the game) are
> rate limited to 2/sec, to prevent lag when they are used in a DOS attack.
> Players that are whitelisted always have their requests to join the server
> processed.  This allows a player who was recently playing the ability to
> join the server again, even when the DOSer is trying to lock down the
> population on the server by spamming fake players joining.
>
> 4) All other packets are rate limited per whitelisted player IP to no more
> than 100/second, to prevent lag when a DOSer has stolen a valid player IP
> address and is attacking with it in an attempt to break through the
> whitelist rules.
>
> 5) Attempts to use your game server as a reflector to attack other game
> servers are blocked (due to rate limiting in 1-4).
>
> 6) Reflection attack packets hitting your server are dropped (again due to
> rate limiting in 1-4).
>
> 7) A custom packet (not part of the Q3 protocol) can be sent by a player to
> break into and join a game that is under 24/7 'getchallenge' attack.  This
> is one of the slicker features of the iptables rules, as this 'server
> lockdown' DOS attack is now easily breached.
>
>
> The iptables rules are added dynamically per server IP:PORT pair.  That way
> the rules affect nothing but UDP packets to that game server.  No other
> types of packets are affected whatsoever.  To make it easy, the rules have
> been put into shell scripts.
>
> Example:  Protect the game running on 10.1.2.3 port 28000.
>
> # ./protectgame.sh 10.1.2.3 28000
>
> Example:  Show the iptables rules currently protecting the game running on
> 10.1.2.3 port 28000.
>
> # ./listgame.sh 10.1.2.3 28000
>
> Example:  Remove the iptables rules protecting the game running on 10.1.2.3
> port 28000.
>
> # ./unprotectgame.sh 10.1.2.3 28000
>
> Rather than just send the scripts to the whole list here, I've decided to
> ask anyone interested to Email me personally and request it.  If you run a
> commercial gaming service (or even your own COD server and agree not to
> share it with anyone else), I will be happy to send it to you and help you
> understand how to use it in your environment.
>
> Thanks,
>
>   Boyd
>
> __________________________________
> Boyd G. Gafford Ph.D.
> Manager of Software Development
> Westport Research Associates Inc.
> 7001 Blue Ridge Blvd
> Raytown, MO 64133
> (816) 358-8990
> drboyd at westportresearch.com
>
>
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
>
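The following is an added example, not Boyd's protectgame.sh (which he did not post): a per-server iptables chain that follows the design in points 1-4 above. It assumes the string, recent, limit and hashlimit match modules are present, that Q3 connectionless packets begin with four 0xff bytes followed by the command name, and that a player's IP is recorded when it sends the 'connect' command; setting IPT=echo prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example in the spirit of the whitelisting design described in the thread;
# this is NOT the author's protectgame.sh. Set IPT=echo for a dry run.
IPT="${IPT:-iptables}"
Q3_HDR='|ffffffff|'   # Q3 connectionless packets start with four 0xff bytes

# protect_game IP PORT -- install a per-server chain for UDP traffic to IP:PORT
protect_game() {
    ip="$1"; port="$2"
    chain="Q3_${port}"; players="q3p_${port}"   # short: hashlimit names are capped
    $IPT -N "$chain"
    # Only UDP packets to this exact IP:PORT ever enter the chain.
    $IPT -I INPUT -p udp -d "$ip" --dport "$port" -j "$chain"

    # 1) Remember an IP the moment it sends a Q3 'connect' (i.e. joins the game).
    $IPT -A "$chain" -m string --algo bm --hex-string "${Q3_HDR}connect" \
         -m recent --name "$players" --set
    # Whitelisted players: every packet refreshes the 10-minute timer and is
    # accepted, but no more than 100/sec per source IP (point 4, stolen-IP flood).
    $IPT -A "$chain" -m recent --name "$players" --update --seconds 600 \
         -m hashlimit --hashlimit-mode srcip --hashlimit 100/sec \
         --hashlimit-burst 100 --hashlimit-name "$players" -j ACCEPT
    $IPT -A "$chain" -m recent --name "$players" --rcheck --seconds 600 -j DROP

    # 2) Unwhitelisted 'getstatus'/'getinfo': 10/sec in total, excess dropped.
    for q in getstatus getinfo; do
        $IPT -A "$chain" -m string --algo bm --hex-string "${Q3_HDR}${q}" \
             -m limit --limit 10/sec --limit-burst 10 -j ACCEPT
        $IPT -A "$chain" -m string --algo bm --hex-string "${Q3_HDR}${q}" -j DROP
    done
    # 3) Unwhitelisted 'getchallenge' (join attempts): 2/sec, excess dropped.
    $IPT -A "$chain" -m string --algo bm --hex-string "${Q3_HDR}getchallenge" \
         -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
    $IPT -A "$chain" -m string --algo bm --hex-string "${Q3_HDR}getchallenge" -j DROP
    # Anything else falls through to the normal INPUT policy.
}

# unprotect_game IP PORT -- remove everything protect_game installed
unprotect_game() {
    ip="$1"; port="$2"; chain="Q3_${port}"
    $IPT -D INPUT -p udp -d "$ip" --dport "$port" -j "$chain"
    $IPT -F "$chain"
    $IPT -X "$chain"
}
```

Because the chain is selected by destination IP and port, TCP traffic and other UDP services on the host are never evaluated against these rules.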

